Charts: How to setup Spinnaker with Ingress?

@viglesiasce do you happen to know how to solve this?

@pluttrell thanks for raising this. It would be incredibly valuable to get this working as implement as part of the chart

Conversation for spinnaker kubernetes channel

@lwander I'm not sure what you meant by "reverse proxy the API through gate". And I don't have direct access to settings.js as I've installed Spinnaker via the helm chart. The chart appears to have installed properly but Spinnaker is of no use to our team if in order to access the UI, you have to run `kubectl proxy` or `kubectl port-forward`, so I'm trying to figure out how to setup an Ingress for it. Attempt 1 above doesn't work. Checkout the screenshots of Spinnaker partially working here: https://github.com/kubernetes/charts/issues/678

How to setup Spinnaker with Ingress? · Issue #678 · kubernetes/charts · GitHub
charts - Curated applications for Kubernetes

[11:17]  
In looking at https://github.com/spinnaker/deck/blob/master/settings.js#L4, I see that it would also take the API_HOST env variable, but there's no way to set that through the chart.
github.com
deck/settings.js at master · spinnaker/deck · GitHub
deck - Management UI for Spinnaker

lwander [11:18 AM]
i'm not very familiar with helm, but can't you edit this file prior to deployment? https://github.com/kubernetes/charts/blob/master/stable/spinnaker/config/settings.js

sorry, I meant "reverse proxy the API through deck" to elaborate, deck is the component serving the UI via apache2. I'm not too familiar with how the helm chart works, but the end result of what you need is an apache2 entry that looks like this: https://github.com/spinnaker/spinnaker/blob/206e93e5abbde7dbc792e9c20cefd23024ffd110/etc/apache2/sites-available/spinnaker.conf, and the changes i pointed out above made to the settings.js file in the helm chart
github.com
charts/settings.js at master · kubernetes/charts · GitHub
charts - Curated applications for Kubernetes
github.com
spinnaker/spinnaker.conf at 206e93e5abbde7dbc792e9c20cefd23024ffd110 · spinnaker/spinnaker · GitHub
spinnaker - Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes with high velocity and confidence.

pluttrell [11:22 AM]
I don't believe that I can edit specific files prior to deployment with helm, but I will check with that team. There are predefined values, that you can change, but there's nothing related.

The problem is almost certainly the fact that the service returned for gate is on localhost. See this.

https://github.com/spinnaker/spinnaker/blob/206e93e5abbde7dbc792e9c20cefd23024ffd110/etc/apache2/sites-available/spinnaker.conf

I've played around with this a little bit and was unable to get a working solution without running the kubectl port-forward for gate locally. Any ideas if there is a document around for running spinnaker behind a reverse proxy?

This document may be helpful -- http://blog.armory.io/exposing-spinnaker-sub-services-through-a-reverse-proxy/

The armory.io instructions look like they'd work if you're deploying Spinnaker on dedicated EC2 instances, where the IP and/or hostname won't change. Not sure how easily they can be adapted to k8s deployments where many of the assumptions deploying on dedicated EC2 instances can't be relied upon.

Hopefully, the Spinnaker chart can be enhanced soon to support an Ingress, so these internal details are hidden from users of the chart. The port-forwards that it requires only stay up for 1-2 minutes for me and aren't a feasible way to use Spinnaker in a team based environment.

@pluttrell I bumped into this issue earlier. Here's what I did:

1) Created a values.yaml file with:

deck:
  host: spinnaker.ops.hostname.com
  port: 443
  protocol: https

gate:
  allowedOriginPattern: https?://(?:spinnaker\.ops\.hostname\.com|localhost(?::[1-9]\d*)?/?$

2) Create an ingress in that namespace. Here's my example using kube-lego.

I setup the helm installation with an AWS Loadbalancer as entry point like this.

I delete the service my-app-spinnaker-deck and created an own one. "my-app" must be replaced by whatever name you gave to the spinnaker helm release:

apiVersion: v1
kind: Service
metadata:
  labels:
    name: my-app-deck
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: deck
  - name: ninethousand
    port: 9000
    protocol: TCP
    targetPort: deck
  selector:
    app: my-app-spinnaker
    component: deck
  sessionAffinity: None
  type: LoadBalancer

I changed the allowedOriginPattern in the values.yaml, to avoid Allow-Origin-Exceptions in Browser to:

deck:
  host: spinnaker.example.com
  port: 9000
  protocol: http

gate:
  allowedOriginsPattern: '^https?://(?:localhost|spinnaker.example\.com)(?::[1-9]\d*)?/?$'

This only works (for now) with spinnaker.example.com:9000... did not get it work with spinnaker.example.com yet

Hi @pluttrell is this still an issue?

@seanknox I've just set up Spinnaker and I have the same problem, I run a private VPC and I couldn't yet figure out how to configure an Ingress for it, so basically it's running but I can't connect to it.

I faced the same problem. I changed service for Deck from ClusterIP to NodePort, gave a a fixed port number and updated the gate.yaml to use the same and everyone in the team was able to connect using that NodePort IP.

Hi,
For anyone wanting to get this working with CoreOS's ALB controller, just grab the default values.yaml from the stable branch of this chart and modify the deck and serviceType config like so:

# Change this if youd like to expose Spinnaker outside the cluster
deck:
  host: spinnaker.example.co.uk
  port: 9000
  protocol: http
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: "my-alb-class"
      alb.ingress.kubernetes.io/port: "443"
      alb.ingress.kubernetes.io/subnets: subnet-XXXXXXXX,subnet-XXXXXXXX,subnet-XXXXXXX
      alb.ingress.kubernetes.io/security-groups: sg-XXXXXXXX
      alb.ingress.kubernetes.io/scheme: internet-facing
      external-dns.alpha.kubernetes.io/hostname: spinnaker.example.co.uk.
      alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-west-1:XXXXXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"

gate:
  allowedOriginsPattern: '^https?://(?:localhost|127.0.0.1|[^/]+\.example\.com)(?::[1-9]\d*)?/?$'

# Bucket to use when storing config data in S3 compatible storage.  DO NOT USE "spinnaker"
storageBucket: SomeBucketName

# Change service type for UI service
serviceType: NodePort

Should be enough to get you going. Good Luck!

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@pluttrell...interested to know how you resolved the issue? I am having same issue which you faced and look ing for some solution