armory / minnaker

Spinnaker on Lightweight Kubernetes (K3s)
Apache License 2.0

Set up Oauth Authentication with BitBucket #52

Closed aleon1220 closed 4 years ago

aleon1220 commented 4 years ago

I am running Minnaker in AWS EC2.

Basically I have followed the steps from https://www.spinnaker.io/setup/security/authentication/oauth/#bring-your-own-provider

In the step to "manually set the redirect_uri for Gate" (hal config security authn oauth2 edit --pre-established-redirect-uri https://my-real-gate-address.com:8084/login), is my-real-gate-address.com my public IP?

Here are the details of my configs: hal config

name: default
version: 1.18.7
providers:
  appengine:
    enabled: false
    accounts: []
  aws:
    enabled: true
    accounts:
    - name: deref-master-managing
      requiredGroupMembership: []
      providerVersion: V1
      permissions: {}
      accountId: 'SECRET'
      regions:
      - name: us-east-1
      - name: ap-southeast-1
      - name: ap-southeast-2
      assumeRole: role/SpinnakerManagedRoleAccount
      lifecycleHooks: []
    - name: deref-systest
      requiredGroupMembership: []
      providerVersion: V1
      permissions: {}
      accountId: 'SECRET'
      regions:
      - name: us-east-1
      - name: ap-southeast-1
      - name: ap-southeast-2
      assumeRole: role/SpinnakerManagedRoleAccount
      lifecycleHooks: []
    - name: deref-sectest
      requiredGroupMembership: []
      providerVersion: V1
      permissions: {}
      accountId: 'SECRET'
      regions:
      - name: us-east-1
      - name: ap-southeast-1
      - name: ap-southeast-2
      assumeRole: role/SpinnakerManagedRoleAccount
      lifecycleHooks: []
    primaryAccount: deref-master-managing
    bakeryDefaults:
      baseImages: []
    accessKeyId: SECRET
    secretAccessKey: SECRET/SECRET+SECRET/SECRET
    defaultKeyPairTemplate: '{{name}}-keypair'
    defaultRegions:
    - name: us-west-2
    defaults:
      iamRole: BaseIAMRole
  ecs:
    enabled: false
    accounts: []
  azure:
    enabled: false
    accounts: []
    bakeryDefaults:
      templateFile: azure-linux.json
      baseImages: []
  dcos:
    enabled: false
    accounts: []
    clusters: []
  dockerRegistry:
    enabled: false
    accounts: []
  google:
    enabled: false
    accounts: []
    bakeryDefaults:
      templateFile: gce.json
      baseImages: []
      zone: us-central1-f
      network: default
      useInternalIp: false
  huaweicloud:
    enabled: false
    accounts: []
    bakeryDefaults:
      baseImages: []
  kubernetes:
    enabled: true
    accounts:
    - name: spinnaker
      requiredGroupMembership: []
      providerVersion: V2
      permissions: {}
      dockerRegistries: []
      serviceAccount: true
      cacheThreads: 1
      namespaces: []
      omitNamespaces: []
      kinds: []
      omitKinds: []
      customResources: []
      cachingPolicies: []
      onlySpinnakerManaged: true
    primaryAccount: spinnaker
  oracle:
    enabled: false
    accounts: []
    bakeryDefaults:
      templateFile: oci.json
      baseImages: []
  cloudfoundry:
    enabled: false
    accounts: []
deploymentEnvironment:
  size: SMALL
  type: Distributed
  accountName: spinnaker
  imageVariant: SLIM
  updateVersions: true
  consul:
    enabled: false
  vault:
    enabled: false
  location: spinnaker
  customSizing: {}
  sidecars: {}
  initContainers: {}
  hostAliases: {}
  affinity: {}
  tolerations: {}
  nodeSelectors: {}
  gitConfig:
    upstreamUser: spinnaker
  livenessProbeConfig:
    enabled: false
  haServices:
    clouddriver:
      enabled: false
      disableClouddriverRoDeck: false
    echo:
      enabled: false
persistentStorage:
  persistentStoreType: s3
  azs: {}
  gcs:
    rootFolder: front50
  redis: {}
  s3:
    bucket: spinnaker
    rootFolder: front50
    pathStyleAccess: true
    endpoint: http://minio.spinnaker:9000
    accessKeyId: minio
    secretAccessKey: SECRET+SECRET/SECRET
  oracle: {}
features:
  auth: false
  fiat: false
  chaos: false
  entityTags: false
  artifacts: true
metricStores:
  datadog:
    enabled: false
    tags: []
  prometheus:
    enabled: false
    add_source_metalabels: true
  stackdriver:
    enabled: false
  newrelic:
    enabled: false
    tags: []
  period: 30
  enabled: false
notifications:
  slack:
    enabled: false
  twilio:
    enabled: false
    baseUrl: https://api.twilio.com/
  github-status:
    enabled: false
timezone: America/Los_Angeles
ci:
  jenkins:
    enabled: false
    masters: []
  travis:
    enabled: false
    masters: []
  wercker:
    enabled: false
    masters: []
  concourse:
    enabled: false
    masters: []
  gcb:
    enabled: false
    accounts: []
repository:
  artifactory:
    enabled: false
    searches: []
security:
  apiSecurity:
    ssl:
      enabled: false
    overrideBaseUrl: https://SECRETPUBLIC_IP/api/v1
  uiSecurity:
    ssl:
      enabled: false
    overrideBaseUrl: https://SECRETPUBLIC_IP
  authn:
    oauth2:
      enabled: true
      client:
        clientId: SECRET
        clientSecret: SECRET
        useCurrentUri: false
      resource: {}
      userInfoMapping: {}
    saml:
      enabled: false
      userAttributeMapping: {}
    ldap:
      enabled: false
    x509:
      enabled: false
    iap:
      enabled: false
    enabled: true
  authz:
    groupMembership:
      service: EXTERNAL
      google:
        roleProviderType: GOOGLE
      github:
        roleProviderType: GITHUB
      file:
        roleProviderType: FILE
      ldap:
        roleProviderType: LDAP
    enabled: false
artifacts:
  bitbucket:
    enabled: false
    accounts: []
  gcs:
    enabled: false
    accounts: []
  oracle:
    enabled: false
    accounts: []
  github:
    enabled: false
    accounts: []
  gitlab:
    enabled: false
    accounts: []
  gitrepo:
    enabled: false
    accounts: []
  http:
    enabled: true
    accounts: []
  helm:
    enabled: false
    accounts: []
  s3:
    enabled: false
    accounts: []
  maven:
    enabled: false
    accounts: []
  templates: []
pubsub:
  enabled: false
  google:
    enabled: false
    pubsubType: GOOGLE
    subscriptions: []
    publishers: []
canary:
  enabled: false
  serviceIntegrations:
  - name: google
    enabled: false
    accounts: []
    gcsEnabled: false
    stackdriverEnabled: false
  - name: prometheus
    enabled: false
    accounts: []
  - name: datadog
    enabled: false
    accounts: []
  - name: signalfx
    enabled: false
    accounts: []
  - name: aws
    enabled: false
    accounts: []
    s3Enabled: false
  - name: newrelic
    enabled: false
    accounts: []
  reduxLoggerEnabled: true
  defaultJudge: NetflixACAJudge-v1.0
  stagesEnabled: true
  templatesEnabled: true
  showAllConfigsEnabled: true
plugins:
  plugins: []
  enabled: false
  downloadingEnabled: false
  pluginConfigurations:
    plugins: {}
webhook:
  trust:
    enabled: false
telemetry:
  enabled: true
  endpoint: https://stats.spinnaker.io
  instanceId: SECRET
  connectionTimeoutMillis: 3000
  readTimeoutMillis: 5000

~/.hal/default/profiles/settings-local.js

window.spinnakerSettings.feature.artifactsRewrite = true;

~/.hal/default/profiles/gate-local.yml

server:
  servlet:
    context-path: /api/v1
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
    httpsServerPort: X-Forwarded-Port

security:
  basicform:
    enabled: false
  oauth2:
    client:
      clientId:
      clientSecret:
      userAuthorizationUri: https://bitbucket.org/site/oauth2/authorize
      accessTokenUri: https://bitbucket.org/site/oauth2/access_token
      scope: ""
    resource:
      userInfoUri: https://api.bitbucket.org/2.0/user
    userInfoMapping: # Used to map the userInfo response to our User
      email: email
      username: username

But interestingly enough, take a look at the gate.yml inside the Gate pod. It still has BASIC security enabled. How do I disable it?

/opt/spinnaker/config/gate.yml

## WARNING
## This file was autogenerated, and _will_ be overwritten by Halyard.
## Any edits you make here _will_ be lost.

spectator:
  applicationName: ${spring.application.name}
  webEndpoint:
    enabled: false

server:
  ssl:
    enabled: false
  port: '8084'
  address: 0.0.0.0
security:
  basic:
    enabled: true
  user: {}
  oauth2:
    enabled: true
    client:
      clientId: SECRET
      clientSecret: SECRET
      useCurrentUri: false
    resource: {}
    userInfoMapping: {}
cors: {}
google: {}

integrations:
  gremlin:
    enabled: false
    baseUrl: https://api.gremlin.com/v1

# halconfig

redis:
  connection: ${services.redis.baseUrl:redis://localhost:6379}

In the Spinnaker UI it always shows as anonymous! Please help.
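
The rendered /opt/spinnaker/config/gate.yml above can be checked mechanically for the three things this post trips over: basic auth left on next to oauth2, the redirect URI question, and the `internalProxies: .*` setting from gate-local.yml (which makes Tomcat accept X-Forwarded-For/Proto from any client, not just the reverse proxy). The linter below is an added example, not minnaker or Spinnaker code. The sample YAML is constructed from the values posted in this thread (203.0.113.10 stands in for the redacted public IP), and it assumes `--pre-established-redirect-uri` lands in the Spring Security OAuth2 client property `preEstablishedRedirectUri`. The redirect URI Gate must register is /login under the URL the browser actually uses to reach Gate; on minnaker that is apiSecurity.overrideBaseUrl, which already carries the /api/v1 context path, not the pod's :8084 port.

```python
"""Lint a Halyard-rendered Gate config for the misconfigurations raised in this
issue.  Added example, not code from minnaker or Spinnaker."""

# Constructed sample: /opt/spinnaker/config/gate.yml from the thread, merged
# with the tomcat block from gate-local.yml, as Spring Boot would see them.
# The preEstablishedRedirectUri property name is an assumption (see lead-in).
SAMPLE_GATE_YML = """\
server:
  ssl:
    enabled: false
  port: '8084'
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
security:
  basic:
    enabled: true
  oauth2:
    enabled: true
    client:
      clientId: SECRET
      clientSecret: SECRET
      useCurrentUri: false
      preEstablishedRedirectUri: https://203.0.113.10:8084/login
"""

# apiSecurity.overrideBaseUrl from the hal config; 203.0.113.10 is a stand-in
# for the redacted public IP.
OVERRIDE_BASE_URL = "https://203.0.113.10/api/v1"


def parse_simple_yaml(text):
    """Parse the block-mapping subset of YAML these files use (nested maps of
    scalars, no lists or anchors).  Enough for gate.yml; use PyYAML for real."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) path to the root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:         # climb back to the parent level
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:                                 # "key:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def lookup(cfg, dotted, default=None):
    """Fetch a dotted path such as security.basic.enabled, or default."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def expected_redirect_uri(override_base_url):
    """Gate's OAuth2 callback is /login under the externally reachable Gate URL."""
    return override_base_url.rstrip("/") + "/login"


def lint_gate(cfg, override_base_url):
    """Return a list of (check, message) findings; an empty list means clean."""
    findings = []
    oauth_on = lookup(cfg, "security.oauth2.enabled") == "true"
    if oauth_on and lookup(cfg, "security.basic.enabled") == "true":
        findings.append(("basic-auth", "security.basic.enabled is true alongside "
                         "oauth2; set security.basic.enabled: false in gate-local.yml"))
    if lookup(cfg, "server.tomcat.internalProxies") == ".*":
        findings.append(("proxy-trust", "internalProxies '.*' trusts X-Forwarded-For/"
                         "Proto from any client; restrict it to the reverse proxy's "
                         "address range"))
    if oauth_on and lookup(cfg, "security.oauth2.client.useCurrentUri") == "false":
        want = expected_redirect_uri(override_base_url)
        have = lookup(cfg, "security.oauth2.client.preEstablishedRedirectUri")
        if have is None:
            findings.append(("redirect-uri", "useCurrentUri is false but no "
                             "preEstablishedRedirectUri is set, so the authorization "
                             "request carries no redirect_uri"))
        elif have != want:
            findings.append(("redirect-uri", f"redirect URI {have} does not match "
                             f"the externally reachable Gate URL {want}"))
    return findings


if __name__ == "__main__":
    for check, msg in lint_gate(parse_simple_yaml(SAMPLE_GATE_YML), OVERRIDE_BASE_URL):
        print(f"[{check}] {msg}")
```

Run against the sample it reports all three findings; pointing it at a gate.yml with basic auth off, `internalProxies` narrowed to the proxy's subnet and the redirect URI set to https://PUBLIC_IP/api/v1/login yields no findings.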

aleon1220 commented 4 years ago

I have an update on this: thank God, Bitbucket OAuth is working now in my 2 Minnaker instances. Here is what I did:

I found 2 distinct sets of files, the Ubuntu system Spinnaker config files and the Halyard Spinnaker config files, and I modified both sets of files whenever required.

For Ubuntu system spinnaker config files

1. vim /etc/spinnaker/templates/profiles/front50-local.yml

spinnaker.s3.versioning: false

2. vim /etc/spinnaker/templates/profiles/settings-local.js

window.spinnakerSettings.feature.kustomizeEnabled = true;

3. vim /etc/spinnaker/templates/profiles/gate-local.yml

server:
  servlet:
    context-path: /api/v1
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
    httpsServerPort: X-Forwarded-Port

security:
  oauth2:
    client:
      userAuthorizationUri: https://bitbucket.org/site/oauth2/authorize
      accessTokenUri: https://bitbucket.org/site/oauth2/access_token
      scope: ""
    resource:
      userInfoUri: https://api.bitbucket.org/2.0/user
    userInfoMapping: # Used to map the userInfo response to our User
      email: email
      username: username

4. vim /etc/spinnaker/templates/service-settings/gate.yml

healthEndpoint: /api/v1/health

For Halyard Spinnaker config files (inside the Halyard pod)

1. vi ~/.hal/default/profiles/gate-local.yml

server:
  servlet:
    context-path: /api/v1
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
    httpsServerPort: X-Forwarded-Port
security:
  oauth2:
    client:
      userAuthorizationUri: https://bitbucket.org/site/oauth2/authorize
      accessTokenUri: https://bitbucket.org/site/oauth2/access_token
      scope: ""
    resource:
      userInfoUri: https://api.bitbucket.org/2.0/user
    userInfoMapping: # Used to map the userInfo response to our User
      email: email
      username: username
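
With the gate-local.yml above in place, the exchange Gate runs against Bitbucket is a plain OAuth2 authorization-code flow, and the two points where it fails in practice are the ones this issue hit: the redirect_uri sent to Bitbucket must match the registered callback exactly (the public Gate URL, not the pod's :8084), and the state parameter must round-trip. The script below is an added example, not Spinnaker or Gate code: a minimal client plus a constructed stand-in for Bitbucket that enforces those two checks offline. The userinfo body is constructed; it omits `email` because Bitbucket's /2.0/user response does not carry an email field (emails come from a separate endpoint), so the `email: email` mapping yields None while `username` resolves.

```python
"""Authorization-code flow as configured in gate-local.yml, run offline against a
constructed Bitbucket stand-in.  Added example, not Spinnaker/Gate code."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from gate-local.yml in the thread.
AUTHORIZE_URI = "https://bitbucket.org/site/oauth2/authorize"
TOKEN_URI = "https://bitbucket.org/site/oauth2/access_token"
USERINFO_URI = "https://api.bitbucket.org/2.0/user"
USER_INFO_MAPPING = {"email": "email", "username": "username"}


def _query(url):
    """First value of each query parameter of url."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class FakeBitbucket:
    """Constructed provider: binds each code to the redirect_uri it saw and
    refuses a token request whose redirect_uri differs (RFC 6749 section 4.1.3)."""

    def __init__(self, client_id, client_secret, registered_callback):
        self.client_id, self.client_secret = client_id, client_secret
        self.registered_callback = registered_callback
        self.codes = {}                       # code -> redirect_uri it was issued for

    def authorize(self, url):
        """Browser hits the authorize URL; returns the callback URL it is sent to."""
        q = _query(url)
        if q.get("client_id") != self.client_id or q.get("response_type") != "code":
            raise ValueError("invalid_request")
        if q.get("redirect_uri") != self.registered_callback:
            raise ValueError("redirect_uri mismatch: " + q.get("redirect_uri", "<none>"))
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"]
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form, client_id, client_secret):
        """Back-channel exchange of the single-use code for an access token."""
        if not (hmac.compare_digest(client_id, self.client_id)
                and hmac.compare_digest(client_secret, self.client_secret)):
            raise ValueError("invalid_client")
        bound = self.codes.pop(form.get("code", ""), None)
        if bound is None or bound != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}

    def userinfo(self, access_token):
        """Constructed /2.0/user body; real responses carry no email field."""
        return {"username": "aleon1220", "display_name": "A. Leon", "account_id": "c0ffee"}


class GateClient:
    """The client side of the flow with the gate-local.yml settings."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri      # preEstablishedRedirectUri
        self.pending = set()                  # outstanding state values (session-bound in Gate)

    def begin_login(self):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return AUTHORIZE_URI + "?" + urlencode({
            "client_id": self.client_id, "response_type": "code",
            "redirect_uri": self.redirect_uri, "scope": "", "state": state})

    def finish_login(self, provider, callback_url):
        """Validate the callback, redeem the code, map userinfo per USER_INFO_MAPPING."""
        q = _query(callback_url)
        if q.get("state") not in self.pending:
            raise ValueError("state mismatch: forged or replayed callback")
        self.pending.discard(q["state"])      # one use only
        tok = provider.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                              "redirect_uri": self.redirect_uri},
                             self.client_id, self.client_secret)
        info = provider.userinfo(tok["access_token"])
        return {ours: info.get(theirs) for ours, theirs in USER_INFO_MAPPING.items()}


def run_flow(callback, gate_redirect_uri):
    """Drive one login with the given registered callback and Gate redirect URI."""
    bb = FakeBitbucket("cid", "csecret", callback)
    gate = GateClient("cid", "csecret", gate_redirect_uri)
    return gate.finish_login(bb, bb.authorize(gate.begin_login()))


if __name__ == "__main__":
    print(run_flow("https://203.0.113.10/api/v1/login", "https://203.0.113.10/api/v1/login"))
```

The happy path returns `{'email': None, 'username': 'aleon1220'}`; registering the pod address https://203.0.113.10:8084/login while Bitbucket holds the public URL fails at the authorize step with a redirect_uri mismatch, and a callback carrying an unknown or reused state is rejected before any token request is made.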

aleon1220 commented 4 years ago

The issue has been resolved in the OSS project. Refer to my comment above for more details.