Configuring Spinnaker Authentication with Azure Active Directory
Here in this blog, we will guide you on how to configure Spinnaker for authentication using Azure Active Directory (AAD).
Scope
The procedure here is tested on Spinnaker 1.16.2 (distributed installation) in the Dev environment and was also validated in Spinnaker 1.16.0 and 1.16.2 versions. We expect the same procedure could work on other versions of Spinnaker as well, but there may be slight deviations.
Note: The Azure AD configuration steps in spinnaker.io have differences (Fields & locations) due to the upgraded version of Azure AD. This procedure is tested with the new AAD (as of Oct 2019).
Assumptions
- You have an Azure AD configured with users and groups.
Note: One of my accounts is spin-admin@saga.onmicrosoft.com. Replace it with your account as needed wherever referenced. - Spinnaker 1.16.2 installed on Kubernetes 1.14.0 (My spinnaker URL is HTTPS enabled. Follow the guide here to setup HTTPS)
Procedure to enable Azure AD authentication on Spinnaker
We need to register and configure an Application (client) in Azure AD. Then use some of the information from the registered app in Spinnaker halyard configuration to enable Azure AD authentication in Spinnaker.
Configuration procedure in Azure AD for Spinnaker authentication
- Navigate to https://portal.azure.com and log in with your Azure credentials.
- On the left navigation pane, click “Azure Active Directory” –> “App registrations”.
- Click “New registration”, and fill in the details:
- Name : (e.g. SagSpinnaker).
- Supported account type: ‘Accounts in this organizational directory only (Default Directory only – Single-tenant)’
- Redirect URI (optional): Select ‘Web’ from the drop-down list. The text field value is https://xx.xx.xx.xx:30084/login (replace it with your Gate address if known. Note: AAD don’t accept HTTP URL except for localhost, so go for HTTPS. Remember to suffix the URL with ‘/login’ text)
- Click “Register”.
- After the above step, you will be taken to your new App overview page automatically. (You can skip the next step)
- App registrations -> SagaSpinnaker (You can replace SagaSpinnaker with your app name wherever you find it). You will be on the Overview page of your App now.
- Make a note of ‘Application (client) ID’. This is the client-id you will need to pass to the halyard.
- Make a note of ‘Directory (tenant) ID’. This is the tenant-id you will need to pass to the halyard.
- On the left-panel, click “Certificates & secrets”.
- Under ‘Client Secrets’ -> “New client secret”. In the ‘Description’ field type a text to reference easily (e.g. SagaSpinnaker password) and set the expiry to 1 year and click “Add”.
- Make sure to copy the password ‘Value’ to a safe place.
Note: You won’t able to view the password once you navigate away. This is the client-secret you will need to pass to the halyard.
- On the left-panel, click “API permissions”
- Add the following permissions from Microsoft Graph -> Application permissions
- Directory.Read.All
- Group.Read.All
- User. Read
- User.Read.All
- User.ReadBasic.All
- Under ‘Grant consent’, click ‘Grant admin consent for Default Directory’ and confirm the prompt to grant admin consent. Admin user should grant consent if you don’t have the privilege to do so.
- Add the following permissions from Microsoft Graph -> Application permissions
Configuration procedure in Spinnaker for using Azure AD for authentication
Note: The below procedure should be done on the machine (VM/halyard-pod/halyard-docker) where the halyard is running.
- Create the file ~/.hal/default/service-settings/gate.yml with the following content. Change the tenant-id value as per your AAD configuration.
env:
azureTenantId: <tenant-id>
- Create the file ~/.hal/default/profiles/gate-local.ym
security:
oauth2:
userInfoMapping:
username: userPrincipalName
- Run the following command. Change the client-id and client-secret values as per your AAD configuration.
hal config security authn oauth2 edit --provider azure --client-id <client-id> --client-secret <client-secret>
- Enable oauth2 authentication with the following command
hal config security authn oauth2 enable
- Ensure that the deck and gate redirect URLs are set correctly. If they are not set, run the below command
hal config security ui edit --override-base-url https://xx.xx.xx.xx:30900
hal config security api edit --override-base-url https://xx.xx.xx.xx:30084
- Finally, apply the hal changes to take effect
hal deploy apply
- Wait for the gate service to refresh its service and then try Spinnaker (deck) URL in Web-browser: https://xx.xx.xx.xx:30900.You will be taken to Microsoft login page; once you provide your AAD credential you should be logged in to Spinnaker successfully.
Common Problems and Solutions with Spinnaker authentication using Azure Active Directory
- Problem: Unable to add my http://xx.xx.xx.xx:30084/login URL as Redirect URL in Azure Active Directory -> Application registration.
Solution: Azure AD accepts only HTTPS URLs, so set up an SSL URL for your spinnaker deck and gate services and use the HTTPS URL to do the app registration.
- Problem: Upon opening the Spinnaker URL, it is redirecting to the Microsoft login page, wherein I get a message “Sorry, but we’re having trouble with signing you in. AADSTS900023: Specified tenant identifier ‘${azuretenantid}’ is neither a valid DNS name nor a valid external domain.”.
Solution: Either the file ~/.hal/default/service-settings/gate.yml is not available or the tenant-id is incorrectly configured. Update the file with correct tenant-id and redeploy hal.
env:
azureTenantId: <tenant-id>
Even after applying the above change still, getting the same error? In this scenario, it is likely that Spinnaker is not populating the environment variable defined in the service-settings/gate.yml file. You can make a workaround fix by adding the below text to your profiles/gate-local.yml file. Remember to replace the tenant-id value per Azure AD configuration.
security:
oauth2:
client:
accessTokenUri: https://login.microsoftonline.com/<tenant-id>/oauth2/token
userAuthorizationUri: https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?resource=https://graph.windows.net
- Problem: After giving my Microsoft login, the login process keeps looping in the Spinnaker URL, and after few minutes it times-out.
Solution: Azure AD’s userPrincipalName is not properly mapped to the userName of Spinnaker, so spinnaker thinks login was not successful even though Microsoft returns the user information. Although PR https://github.com/spinnaker/gate/pull/676 claims that the userName mapping was fixed in Dec 2018, we still had to apply the recommended fix. The fix is to update the spinnaker file ~/.hal/default/profiles/gate-local.yml as below,
security:
oauth2:
userInfoMapping:
username: userPrincipalName
Then, redeploy hal and you should be able to successfully login once gate changes are effected.
Summary
The Spinnaker authentication setup with Azure AD was a challenge as some of the steps in the official guide with respect to Azure end configuration have become either invalid or changed. In this article, we explained to you the steps to configure Spinnaker authentication against Azure Active Directory.
If you want to know more about Spinnaker or request a demonstration, please book a meeting with us.
OpsMx is a leading provider of Continuous Delivery solutions that help enterprises safely deliver software at scale and without any human intervention. We help engineering teams take the risk and manual effort out of releasing innovations at the speed of modern business. For additional information, contact us
Thanks for this! Got me up and running.
Couple of things.
~/.hal/default/profiles/gate-local.ym is missing an “L” at the end
While configuring Azure AD, I didn’t see any option regarding “User.ReadBasic.All”, and ignored it.
Thanks for this! Got me up and running.
Couple of things.
~/.hal/default/profiles/gate-local.ym is missing an “L” at the end
While configuring Azure AD, I didn’t see any option regarding “User.ReadBasic.All”, and ignored it.
Thanks for this! Got me up and running.
Couple of things.
~/.hal/default/profiles/gate-local.ym is missing an “L” at the end
While configuring Azure AD, I didn’t see any option regarding “User.ReadBasic.All”, and ignored it.