Custom CAs for Webhooks
Webhook stages enable Spinnaker to make HTTP(S) calls to external web services. If the configured webhook URL uses the https:// scheme, Spinnaker communicates with the external server over TLS. Spinnaker validates the certificate presented by the server by building a chain of trust back to a trusted certification authority (CA), and it refuses to connect if the certificate cannot be validated.
By default, Spinnaker uses the trust store provided by the JVM as its source of trusted CAs. The default behavior is sufficient for webhooks to public-facing servers, whose certificates chain to one of the root CAs in that store. Internal servers, however, often have certificates issued by a company-specific CA that does not chain to any root CA in the default trust store. Webhooks to these servers over https:// will fail with the default configuration.
Create a trust store in Java KeyStore (JKS) format with the JDK's keytool utility. The import command takes three values: the path to the certificate of the CA you'd like to trust, in PEM format; <name-of-first-ca>, an arbitrary alias for that CA; and the name of the keystore, which is created if it does not yet exist. This first command will prompt for the trust store password on standard input.
After creating the keystore with the above command, you can add additional CAs to it by running the same command with a different CA certificate and alias. You will be prompted for the keystore password before the new CA can be added. Because this trust store augments the default trust store rather than replacing it, you do not need to copy the root CAs into it; add only the CAs that are not already present in the default trust store.
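The following shell script is an added example and is not part of the Spinnaker documentation or of Spinnaker itself. It performs the procedure above with the JDK's keytool, adds two checks a practitioner would want before trusting a certificate (that the file really is a CA certificate, and that the CA actually issued the internal server's certificate), and lists what ended up in the store. The keystore name truststore.jks, the aliases, the certificate paths and the TRUSTSTORE_PASS variable are all assumed, illustrative names.

```shell
#!/bin/sh
# Added example, not from the Spinnaker docs. Builds the custom JKS trust
# store with keytool and checks what goes into it. File names, aliases and
# the TRUSTSTORE_PASS variable below are assumptions for illustration only.
set -eu

# True if the PEM certificate carries basicConstraints CA:TRUE. Importing a
# server's own leaf certificate would "work" only until that certificate
# rotates, so refuse anything that is not a CA certificate.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Import one PEM CA certificate into the trust store, creating the store on
# first use. keytool reads the password from stdin unless -storepass is
# given; passing it explicitly makes the step scriptable. Note that a JKS
# password only protects the integrity of the file; the certificates in a
# trust store are public anyway.
#   add_ca <keystore> <alias> <ca.pem> <password>
add_ca() {
    keystore=$1; ca_alias=$2; pem=$3; pass=$4
    if ! is_ca_cert "$pem"; then
        echo "refusing $pem: basicConstraints is not CA:TRUE" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$keystore" -storetype JKS -storepass "$pass" \
        -alias "$ca_alias" -file "$pem" >/dev/null 2>&1
}

# Print the alias of every trusted certificate in the store, one per line.
# keytool -list prints "<alias>, <date>, trustedCertEntry," per entry.
list_aliases() {
    keytool -list -keystore "$1" -storetype JKS -storepass "$2" 2>/dev/null \
        | grep trustedCertEntry | cut -d, -f1
}

# Before trusting a CA, confirm it actually issued the internal server's
# certificate (fetch that with: openssl s_client -connect host:443 -showcerts).
# Exit status 0 means the server certificate chains to the given CA file.
#   chains_to <ca.pem> <server.pem>
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use (assumed invocation):
#   TRUSTSTORE_PASS=... sh build-truststore.sh truststore.jks corp-root-ca /etc/ssl/corp-root-ca.pem
# Run the same line again with another alias and PEM to add a second CA.
if [ "$#" -eq 3 ]; then
    add_ca "$1" "$2" "$3" "${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS}"
    list_aliases "$1" "$TRUSTSTORE_PASS"
fi
```

Only the company-specific CAs go into this store; the public roots stay in the JVM's default trust store, which Spinnaker still consults.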