Private GKE with restricted access to cluster master endpoints
A guide to private Google Kubernetes Engine cluster with different level of restricted access to cluster master endpoints
When setting up TLS encryption for Deck and Gate (the Spinnaker UI and API), if you have a load balancer (service, ingress, etc.) in front of Deck/Gate that terminates TLS and forwards traffic to the Spinnaker microservices over plain HTTP, the authentication process will sometimes redirect to the wrong URL.
For example, if you have LDAP set up and the following flow:
Then you'll likely get two invalid redirects: one to your Gate address over HTTP and one to your Deck address over HTTP. This is regardless of your
One option to try is to add/create
```yaml
server:
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
    httpsServerPort: X-Forwarded-Port
```
hal deploy apply, and clear / update your cache).
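As an added illustration (not from the original page or the Spinnaker project), here is a small Python model of how forwarded-header trust decides the scheme an application puts in its redirects. The trust logic is a simplified assumption of what the Tomcat settings above enable, and the addresses, hostnames and headers are constructed.

```python
import re
from urllib.parse import urlunparse

# Constructed sample: Gate listens on plain HTTP behind a TLS-terminating
# load balancer at 10.0.0.5; the browser itself comes from 203.0.113.9.
PROXY_ADDR = "10.0.0.5"
CLIENT_ADDR = "203.0.113.9"
FORWARDED = {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}


def effective_origin(remote_addr, headers, internal_proxies=r".*",
                     protocol_header="X-Forwarded-Proto",
                     port_header="X-Forwarded-Port",
                     local_scheme="http", local_port=8084):
    """Scheme and port the application believes it was reached on.

    Simplified model (assumption, not Tomcat's code): forwarded headers are
    honoured only when the peer address matches `internal_proxies`; with the
    valve disabled (internal_proxies=None) the plain-HTTP listener wins.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if internal_proxies is not None and re.fullmatch(internal_proxies, remote_addr):
        scheme = lower.get(protocol_header.lower(), local_scheme).lower()
        default_port = 443 if scheme == "https" else local_port
        return scheme, int(lower.get(port_header.lower(), default_port))
    return local_scheme, local_port


def redirect_location(host, path, remote_addr, headers, **kwargs):
    """Absolute Location header the app would build for an auth redirect."""
    scheme, port = effective_origin(remote_addr, headers, **kwargs)
    netloc = host if port == (443 if scheme == "https" else 80) else f"{host}:{port}"
    return urlunparse((scheme, netloc, path, "", "", ""))


def insecure_redirect(location):
    """True when a redirect would send the browser to plaintext HTTP."""
    return location.startswith("http://")


if __name__ == "__main__":
    # Valve disabled: the redirect points at Gate's plaintext listener.
    print(redirect_location("gate.example.com", "/login", PROXY_ADDR, FORWARDED, internal_proxies=None))
    # Valve enabled with the page's internalProxies: .* -> https redirect.
    print(redirect_location("gate.example.com", "/login", PROXY_ADDR, FORWARDED))
    # Tighter regex: a peer that is not the proxy cannot spoof the scheme.
    print(redirect_location("gate.example.com", "/login", CLIENT_ADDR, FORWARDED, internal_proxies=r"10\.0\.0\.\d+"))
```

Note that `internalProxies: .*` trusts X-Forwarded-* headers from any peer; where the load balancer's address range is known, narrowing the pattern to it keeps other peers from choosing the scheme and client IP the application records.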
Alternately, you can do the following:
There are a number of ongoing projects to improve this behavior (for example, when working with OAuth2.0, you can specify a preEstablishedRedirectUri via the
In the interim, you can work around this issue by putting a self-signed certificate on Deck and Gate. This requires two steps:
PEM format) and Gate (in JKS format), and configure them to use them. You can follow the official documentation for this here.
```yaml
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: "HTTPS"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTPS"
```