{"id":3482,"date":"2018-04-06T09:33:58","date_gmt":"2018-04-06T01:33:58","guid":{"rendered":"http:\/\/switch.linesno.com\/?p=3482"},"modified":"2018-04-06T09:39:42","modified_gmt":"2018-04-06T01:39:42","slug":"exposing-spinnaker-to-end-users","status":"publish","type":"post","link":"http:\/\/switch.linesno.com\/?p=3482","title":{"rendered":"Exposing Spinnaker to End Users"},"content":{"rendered":"

One of the things we are commonly asked in the\u00a0Spinnaker chat room<\/a>\u00a0is \u201cHow do I open\u00a0Spinnaker<\/a>\u00a0up to end users?\u201d<\/p>\n

The answer depends on how you deploy Spinnaker\u200a\u2014\u200awith a\u00a0Local or Distributed environment<\/a>.<\/p>\n

This post focuses on a Local environment. To prevent inadvertently exposing your cloud infrastructure to the whole world, Halyard installs Spinnaker in its most locked-down form. This means all services only bind to\u00a0localhost<\/code>\u00a0, which only accepts connections from inside the same server.<\/p>\n

On the other hand, Distributed environment services bind to\u00a00.0.0.0<\/code>\u00a0, which allows them to receive requests from services running on different hosts. This is essential to scaling Spinnaker to large enterprise deployments as a high-availability service. The diagram below outlines Spinnaker\u2019s\u00a0micro-service architecture<\/a>.<\/p>\n

\n
\n
<\/div>\n
<\/canvas><\/div>\n<\/div>
All Spinnaker micro-services can run on a single host in a Local environment, or each on its own host in a Distributed environment.<\/figcaption><\/figure>\n

Starting Point<\/h3>\n

Because we\u2019re focusing on the Local environment, we must first have a VM with all of Spinnaker installed. The \u201cHalyard on GCE Quickstart<\/a>\u201d guide is a great way to get a Halyard-enabled instance up and running.<\/p>\n

(Semi-Optional) Load Balancer and DNS\u00a0Entries<\/h3>\n

It is generally a good practice to front a service with its own load balancer, so that you can change the backing implementation (say, when a\u00a0new version<\/a>\u00a0of Spinnaker is released) without changing the way clients connect to it. A load balancer will have a (usually static) IP address that we can bind to a DNS name. More details on configuring static IPs and connecting them to DNS can be found\u00a0here<\/a>.<\/p>\n

This step is only semi-optional because most users are going to want to hook up an authentication mechanism like OAuth 2.0, which doesn\u2019t work with raw IP addresses on some OAuth providers.<\/p>\n

Opening Gate and\u00a0Deck<\/h3>\n

With DNS entries configured, we can now open Gate and Deck for external access. To do this for a Local environment, we need to hook into the\u00a0custom service settings<\/a>\u00a0feature of Halyard.<\/p>\n

We\u2019ll specify the\u00a00.0.0.0<\/code>\u00a0host in both\u00a0gate.yml<\/code>\u00a0and\u00a0deck.yml<\/code>\u00a0in our\u00a0default<\/code>\u00a0Halyard deployment with this command:<\/p>\n

echo \"host: 0.0.0.0\" | tee \\\r\n    ~\/.hal\/default\/service-settings\/gate.yml \\\r\n    ~\/.hal\/default\/service-settings\/deck.yml<\/pre>\n
sudo hal deploy apply<\/pre>\n
You can test this out by navigating to the instance\u2019s public IP address on port\u00a09000<\/code>\u00a0in your browser.<\/p>\n
Note: You may need to take further action by editing your Security Groups in order to access your instance. For example, a Google Compute Engine instance needs a firewall rule that allows ports 8084 and 9000 through. You can create these with the following commands:<\/p><\/blockquote>\n
INSTANCE= # put your instance's name here\r\nTAGNAME=blogpost<\/pre>\n
gcloud compute firewall-rules create $TAGNAME-1 \\\r\n    --allow=tcp:8084,tcp:9000 \\\r\n    --target-tags $TAGNAME<\/pre>\n
gcloud compute instances add-tags $INSTANCE --tags=$TAGNAME<\/pre>\n
Map to your DNS\u00a0address<\/h4>\n
Gate and Deck are now listening for all connections, and the security groups are permitting access to ports 8084 and 9000. The last thing is configuring Gate and Deck to talk to each other over their DNS names instead of IP address. This is accomplished with the following commands:<\/p>\n
hal config security ui edit \\\r\n    --override-base-url http:\/\/spinnaker.mydomain.org:9000\r\n\r\nhal config security api edit \\\r\n    --override-base-url http:\/\/spinnaker.mydomain.org:8084<\/code><\/pre>\n
hal deploy apply<\/pre>\n
Test it\u00a0out<\/h3>\n
Your Spinnaker instance should now be available and mapped to your DNS entry:<\/p>\n
\n
\n
<\/div>\n
<\/canvas><\/div>\n<\/div>\n<\/figure>\n
Now that Spinnaker is exposed for your end users, you should explore our different authentication and authorization mechanisms in the\u00a0Security<\/a>documentation.<\/p>\n","protected":false},"excerpt":{"rendered":"
One of the things we are commonly asked in the\u00a0Spinnake […]<\/p>\n","protected":false},"author":1,"featured_media":3486,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[86,71],"tags":[],"class_list":["post-3482","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service","category-phone"],"_links":{"self":[{"href":"http:\/\/switch.linesno.com\/index.php?rest_route=\/wp\/v2\/posts\/3482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/switch.linesno.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/switch.linesno.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/switch.linesno.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/switch.linesno.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3482"}],"version-history":[{"count":5,"href":"http:\/\/switch.linesno.com\/index.php?rest_route=\/wp\/v2\/posts\/3482\/revisions"}],"predecessor-version":[{"id":3497,"href":"http:\/\/switch.linesno.com\/index.php?rest_route=\/wp\/v2\/posts\/3482\/revisions\/3497"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/switch.linesno.com\/index.php?rest_route=\/wp\/v2\/media\/3486"}],"wp:attachment":[{"href":"http:\/\/switch.linesno.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/switch.linesno.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3482"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/switch.linesno.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}