Spinnaker Authentication

Spinnaker's authentication mechanism follows the flow Deck <=> Gate <=> Identity Provider:

  • Deck is the Spinnaker web UI (a set of static files served by an Apache server)
  • Gate is the API gateway; all traffic entering Spinnaker passes through Gate, which is where authentication and authorization happen
  • Identity Provider: the external service or system that authenticates users, for example LDAP, OAuth 2.0 (the industry-standard authorization protocol), SAML or X.509.

For more on the Spinnaker authentication workflow, see the Authentication Architecture documentation [1].

Spinnaker authentication configuration

Enabling OAuth2 authentication

```bash
hal config security authn oauth2 enable --no-validate
```

Configure the redirect URI with the hal command:

```bash
hal config security authn oauth2 edit --pre-established-redirect-uri https://my-real-gate-address.com:8084/login
```

Or edit the configuration file by hand:

```yaml
security:
  authn:
    oauth2:
      client:
        preEstablishedRedirectUri: https://my-real-gate-address.com:8084/login
```

The /login suffix here is mandatory in Spinnaker:

Be sure to include the /login suffix at the end of your preEstablishedRedirectUri! [2]

User mapping configuration

User mapping maps Spinnaker's user fields onto the fields of a user in your Identity Provider. For example, if your Identity Provider returns the following fields:

```json
{
  "user": "fmercury",
  "mail": "fmercury@queen.com",
  "fName": "Freddie",
  "lName": "Mercury"
}
```

then your user mapping should be configured as follows:

```yaml
userInfoMapping:
  email: mail
  firstName: fName
  lastName: lName
  username: user
```

A complete Keycloak configuration looks like this:

```yaml
oauth2:
    enabled: true
    client:
      clientId: {your keycloak client id}
      clientSecret: {your keycloak client secret}
      # accessTokenUri only needs to be reachable internally
      accessTokenUri: http://{your keycloak url}/realms/{your realm name}/protocol/openid-connect/token
      # userAuthorizationUri must be reachable both internally and externally
      userAuthorizationUri: http://{your keycloak url}/realms/{your realm name}/protocol/openid-connect/auth
      scope: profile,email,roles
      # This option was dropped
      # It must be an externally reachable redirect address
      # preEstablishedRedirectUri: http://{your keycloak url}/realms/test/protocol/openid-connect/logout?redirect_uri=http://{your_spinnaker_gate_domain}/login
      # preEstablishedRedirectUri: http://{your_spinnaker_gate_domain}/login
    resource:
      # only needs internal access
      userInfoUri: http://{your keycloak url}/realms/{your realm name}/protocol/openid-connect/userinfo
    userInfoMapping:
      email: email
      firstName: given_name
      lastName: family_name
      username: preferred_username
      # roles: group # this option is not recognised
    provider: OTHER
```

"Internal access" above means calls between Spinnaker services; "external access" means an address the user's browser can be redirected to.

The same settings configured from the command line:

```bash
keycloak_url=keycloak.example.com
realm_name=example
gate_external_url=gate-api.example.com

hal config security authn oauth2 edit --client-id {client_name} --no-validate
hal config security authn oauth2 edit --client-secret {token} --no-validate
hal config security authn oauth2 edit --user-authorization-uri https://${keycloak_url}/auth/realms/${realm_name}/protocol/openid-connect/auth --no-validate
hal config security authn oauth2 edit --access-token-uri https://${keycloak_url}/auth/realms/${realm_name}/protocol/openid-connect/token --no-validate
hal config security authn oauth2 edit --pre-established-redirect-uri https://${keycloak_url}/auth/realms/${realm_name}/protocol/openid-connect/logout?redirect_uri=http://${gate_external_url}/login --no-validate
hal config security authn oauth2 edit --scope roles,email,profile --no-validate
hal config security authn oauth2 edit --user-info-mapping-email email --no-validate
hal config security authn oauth2 edit --user-info-mapping-first-name given_name --no-validate
# Keycloak returns the last name in the family_name claim, matching the YAML above
hal config security authn oauth2 edit --user-info-mapping-last-name family_name --no-validate
hal config security authn oauth2 edit --user-info-mapping-username preferred_username --no-validate
hal config security authn oauth2 edit --provider OTHER --no-validate
```
Tip: after finishing this configuration, Gate still failed to retrieve the user on access. The fix was to switch to a single, unified domain name for Keycloak; that domain must be resolvable from the nodes running Spinnaker.
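The two rules this page relies on, the mandatory /login suffix and a userInfoMapping whose claims the Identity Provider actually returns, are easy to check offline before running hal. The following is an added example, not Spinnaker or Halyard code; the oauth2 block and the Keycloak userinfo response are constructed, and the hostnames and secret are placeholders.

```python
from urllib.parse import urlsplit

# Constructed oauth2 block (the security.authn.oauth2 subtree) in the shape the page shows.
OAUTH2_CONFIG = {
    "enabled": True,
    "client": {
        "clientId": "spinnaker",  # placeholder
        "clientSecret": "PLACEHOLDER-SECRET",  # placeholder; keep real secrets out of source control
        "accessTokenUri": "http://keycloak.internal/realms/example/protocol/openid-connect/token",
        "userAuthorizationUri": "https://keycloak.example.com/realms/example/protocol/openid-connect/auth",
        "scope": "profile,email,roles",
        "preEstablishedRedirectUri": "https://gate-api.example.com/login",
    },
    "resource": {"userInfoUri": "http://keycloak.internal/realms/example/protocol/openid-connect/userinfo"},
    "userInfoMapping": {"email": "email", "firstName": "given_name",
                        "lastName": "family_name", "username": "preferred_username"},
    "provider": "OTHER",
}

# Constructed userinfo response using Keycloak's standard OIDC claim names.
SAMPLE_USERINFO = {"sub": "constructed-subject", "preferred_username": "fmercury",
                   "email": "fmercury@queen.com", "given_name": "Freddie", "family_name": "Mercury"}


def check_config(cfg):
    """Return a list of problems; an empty list means the block satisfies the rules on this page."""
    problems, client = [], cfg.get("client", {})
    for key in ("accessTokenUri", "userAuthorizationUri"):
        parts = urlsplit(client.get(key, ""))
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{key} is not an absolute http(s) URL")
    if not urlsplit(client.get("preEstablishedRedirectUri", "")).path.endswith("/login"):
        problems.append("preEstablishedRedirectUri must end with /login")
    missing = [f for f in ("email", "firstName", "lastName", "username")
               if f not in cfg.get("userInfoMapping", {})]
    if missing:
        problems.append("userInfoMapping lacks: " + ", ".join(missing))
    return problems


def map_user(cfg, userinfo):
    """Apply userInfoMapping to a userinfo response. A claim the IdP did not return raises
    KeyError, the situation behind the tip above where Gate cannot build a user."""
    mapping = cfg["userInfoMapping"]
    missing = [claim for claim in mapping.values() if claim not in userinfo]
    if missing:
        raise KeyError(f"userinfo has no claim(s) {missing}; check userInfoMapping and scope")
    return {field: userinfo[claim] for field, claim in mapping.items()}
```

Running map_user with a mapping that names a claim Keycloak does not send (for example lastName instead of family_name) fails immediately, which is cheaper to find here than in Gate's logs.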

Keycloak configuration

Create a Keycloak client named Spinnaker.

Figure: Client for Spinnaker (Source: https://akuity.io/blog/argo-cd-architectures-explained/)

Select openid-connect as the client protocol.

Figure: Realm configuration

Root URL should be our Spinnaker URL. When we click Save, many more options become available. Next we have to configure a Valid Redirect URI: the URI Keycloak redirects users to when authentication completes successfully. This should be our Spinnaker Gate public URI.

Now configure the client's redirect URLs: Root URL is the Spinnaker URL, and Valid Redirect URI is the URI users are redirected to after authentication completes, usually set to '/*'.

Figure: Client Valid Redirect URI (Source: https://akuity.io/blog/argo-cd-architectures-explained/)

Finally, set Access Type to "confidential", open "Credentials" and choose "client id and secret"; this secret is the one used in the Spinnaker configuration above.

Figure: Client credentials tab (Source: https://akuity.io/blog/argo-cd-architectures-explained/)

Copy the key from the "secret" field into the Spinnaker configuration:

```yaml
oauth2:
    enabled: true
    client:
      clientId: {your keycloak client id}
      clientSecret: {your keycloak client secret}
```

References

[1] Authentication Architecture

[2] OAuth 2.0

[3] OAuth 2.0 Configuration

[4] OAuth 2.0 Configuration