Configuring Spinnaker Authentication with Azure Active Directory

Purpose

The purpose of the document is to guide one to setup Spinnaker app to authenticate against Azure Active Directory (AAD).

Scope

The procedure here is tested on Spinnaker 1.16.2 (distributed installation) in Dev environment, and was also validated in Spinnaker 1.16.0 and 1.16.2 versions. We expect same procedure could work on other versions of Spinnaker as well, but there may be slight deviations.

Note that the Azure AD configuration steps in spinnaker.io have differences (Fields & locations) due to the upgraded version of Azure AD. This procedure is tested with the new AAD (as on Oct 2019).

Assumptions

  • You have a Azure AD configured with users and groups. (Note, one of my account is spin-admin@saga.onmicrosoft.com. Replace it with your account as needed where-ever referenced)
  • Spinnaker 1.16.2 installed on Kubernetes 1.14.0 (My spinnaker url is https enabled. Follow the guide here to setup https)

Procedure to enable Azure AD authentication on Spinnaker

We need to register and configure an Application (client) in Azure AD. Then use some of the information from the registered app in Spinnaker halyard configuration to enable Azure AD authentication in Spinnaker.

Procedure in Azure AD

  1. Navigate to https://portal.azure.com and log in with your Azure credentials.
  2. On the left navigation pane, click “Azure Active Directory” –> “App registrations”.
  3. Click “New registration”, and fill in the details:
    1. Name : (e.g. SagSpinnaker).
    2. Supported account type: ‘Accounts in this organizational directory only (Default Directory only – Single tenant)’
    3. Redirect URI (optional): Select ‘Web’ from the drop-down list. The text field value is https://xx.xx.xx.xx:30084/login (replace it with your Gate address if known. Note: AAD don’t accept http url except for localhost, so go for https. Remember to suffix the url with ‘/login’ text)
    4. Click “Register”.
    5. After the above step, you will be taken to your new App overview page automatically. (You can skip next step)
  4. App registrations -> SagaSpinnaker (You can replace SagaSpinnaker with your appname where-ever you find it). You will be in Overview page of your App now.
    1. Make a note of ‘Application (client) ID’. This is the client-id you will need to pass to halyard.
    2. Make a note of ‘Directory (tenant) ID’. This is the tenant-id you will need to pass to halyard.
  5. On the left-panel, click “Certificates & secrets”.
    1. Under ‘Client Secrets’ -> “New client secret”. In ‘Description’ field type a text to reference easily (e.g. SagaSpinnaker password) and set the expiry to 1 year and click “Add”.
    2. Make sure to copy the password ‘Value’ to safe place. Note, you won’t get a way to view the password once you navigate away. This is the client-secret you will need to pass to halyard.
  6. On the left-panel, click “API permissions
    1. Add the following permissions from: Microsoft Graph -> Application permissions
      1. Directory.Read.All
      2. Group.Read.All
      3. User.Read
      4. User.Read.All
      5. User.ReadBasic.All
    2. Under ‘Grant consent’, click ‘Grant admin consent for Default Directory’ and confirm the prompt to grant admin consent. Admin user should grant the consent if you don’t have privilege to do so.

Procedure in Spinnaker

Note: The below procedure should be done on the machine (VM/halyard-pod/halyard-docker) where halyard is running.

  1. Create the file ~/.hal/default/service-settings/gate.yml with the following content. Change the tenant-id value as per your AAD configuration.
    env:
      azureTenantId: <tenant-id>
  2. Create the file ~/.hal/default/profiles/gate-local.ym
    security:
     oauth2:
       userInfoMapping:
          username: userPrincipalName
  3. Run the following command. Change the client-id and client-secret values as per your AAD configuration.
    hal config security authn oauth2 edit --provider azure --client-id <client-id> --client-secret <client-secret>
  4. Enable oauth2 authentication with the following command
    hal config security authn oauth2 enable
  5. Ensure that the deck and gate redirect urls are set correctly. If they are not set, run the below command
    hal config security ui edit --override-base-url https://xx.xx.xx.xx:30900
    hal config security api edit --override-base-url https://xx.xx.xx.xx:30084
  6. Finally apply the hal changes to take effect
    hal deploy apply
  7. Wait for the gate service to refresh its service and then try Spinnaker (deck) url in Web-browser:  https://xx.xx.xx.xx:30900.You will be taken to microsoft login page; once you provide your AAD credential you should be logged into Spinnaker successfully.

Problems and Solutions

Solution: Azure AD accepts only https url, so setup SSL url for your spinnaker deck and gate services and use the https url to do the app registration.

  • Problem: Upon opening spinnaker url, it is redirecting to microsoft login page, wherein I get a message “Sorry, but we’re having trouble with signing you in. AADSTS900023: Specified tenant identifier ‘${azuretenantid}’ is neither a valid DNS name, nor a valid external domain.”.

Solution: Either the file ~/.hal/default/service-settings/gate.yml is not available or the tenant-id is incorrectly configured. Update the file with correct tenant-id and redeploy hal.

env:
azureTenantId: <tenant-id>

Even after applying the above change, still getting the same error? In this scenario, it is likely that Spinnaker is not populating the environment variable defined in the service-settings/gate.yml file. You can make a workaround fix by adding the below text to your profiles/gate-local.yml file. Remember to replace the tenant-id value per Azure AD configuration.

security:
 oauth2:
   client:
     accessTokenUri: https://login.microsoftonline.com/<tenant-id>/oauth2/token
      userAuthorizationUri: https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?resource=https://graph.windows.net
  • Problem: After giving my microsoft login, the login process keeps looping in the Spinnaker url and after few minutes it times-out. 

Solution: Azure AD’s userPrincipalName is not properly mapped to userName of Spinnaker, so spinnaker thinks login was not successful even though Microsoft returns the user information. Although PR https://github.com/spinnaker/gate/pull/676 claims that the userName mapping was fixed in Dec 2018, we still had to apply the recommended fix. The fix is to update the spinnaker file ~/.hal/default/profiles/gate-local.yml as below,

security:
oauth2:
  userInfoMapping:
      username: userPrincipalName

Then, redeploy hal and you should be able to successfully login once gate changes are effected.

Summary

The Spinnaker authentication setup with Azure AD was a challenge as some of the steps in the official guide with respect to Azure end configuration have become either invalid or changed. In this article, we explained you the steps to configure Spinnaker authentication against Azure Active Directory.

Tagged

Leave a Reply

Your email address will not be published. Required fields are marked *