Exposing Spinnaker Sub-Services: Use Apache to Get a Reverse Proxy to All the Internal Sub-Systems

Aug 22, 2016 by Ben Mappen

Spinnaker is a new continuous delivery tool developed originally by Netflix and supported by over 30 developers from Google, Pivotal, Netflix and Microsoft.

Out of the box it is locked down: for security, everything binds to localhost (loopback, 127.0.0.1), so none of its sub-services are accessible from an outside machine. But in many cases machines are already within a VPN/VPC, and services can be free to bind to their IP.

Here are the steps to use Apache to get a reverse proxy to all the internal sub-systems.


aws ec2 run-instances \
--iam-instance-profile Arn=${BASE_IAM_ARN} \
--profile armory \
--image-id ami-01718261 \
--count 1 \
--instance-type m4.xlarge \
--key-name ${SPKR_KEYPAIR} \
--security-group-ids ${SG_ID} \
--region us-west-2

You’ll need to create a ${BASE_IAM_ARN} with the correct permissions for Spinnaker to use when it creates instances. Throughout Spinnaker’s documentation you’ll see this called ‘BaseIAMRole’. You’ll also need to create a private/public keypair ${SPKR_KEYPAIR} specific to Spinnaker so that it can log into machines and bake images. You’ll also probably want to put Spinnaker in its own security group, so make sure to specify a security group id ${SG_ID}.

You’ll also need to have an m4.xlarge at first because of the memory requirements of Spinnaker. In another post we’ll follow up on how to reduce the memory requirements.

Configure Apache

You’ll first need to get Apache to listen on all IPv4 addresses on the local machine, as it currently listens only on 127.0.0.1.

Start by editing the Spinnaker configuration file:
sudo vi /etc/apache2/sites-enabled/spinnaker.conf

Change: <VirtualHost 127.0.0.1:9000> to the following: <VirtualHost 0.0.0.0:9000>

Restart Apache so the change can take effect:

sudo service apache2 restart

Next you’ll want to make sure that the primary account is enabled and set to the correct roles. Start by editing the local YAML file:

sudo vi /opt/spinnaker/config/spinnaker-local.yml

providers:
  aws:
    enabled: true
    defaultRegion: us-west-2
    defaultIAMRole: BaseIAMRole
    primaryCredentials:
      name: test-account

You’ll notice we placed a ‘test-account’ as the primary credentials name. We strongly advise creating a test account within AWS for pilots.

Update Deck

Deck is the system that sits in front of all of the subsystems and is the presentation layer for Spinnaker. We need to tell Deck that it is no longer listening on localhost but on the EC2 service hostname instead.

deck:
    baseUrl: http://{YOUREC2HOSTNAME}:9000
    gateUrl: ${services.deck.baseUrl}/gate
    bakeryUrl: ${services.deck.baseUrl}/rosco

You can find your EC2 hostname in your AWS dashboard. The final step is to reset Deck:

sudo /opt/spinnaker/bin/reconfigure_spinnaker.sh

You should now be able to access your host on port 9000 using the hostname {YOUREC2HOSTNAME} you gave in the Update Deck step.

Let us know if you run into any problems!
