Integrate your Azure Active Directory

This topic tells you how to integrate your Azure Active Directory (commonly known as Azure AD) with an AKS cluster, with or without Pinniped.

Integrate Azure AD with a new or existing AKS without Pinniped

Perform the following procedures to integrate Azure AD with a new or existing AKS without Pinniped.

Prerequisites

Download and install the Azure CLI.

Set up a platform operator

To set up a platform operator:

  1. Navigate to the Azure Active Directory Overview page.

  2. Select Groups under the Manage side menu.

  3. Identify or create an admin group for the AKS cluster.

  4. Retrieve the object ID of the admin group.

  5. Take one of the following actions.

    • Create an AKS Cluster with Azure AD enabled by running:

      az group create --name RESOURCE-GROUP --location LOCATION
      az aks create -g RESOURCE-GROUP -n MANAGED-CLUSTER --enable-aad --aad-admin-group-object-ids OBJECT-ID
      

      Where:

      • RESOURCE-GROUP is your resource group
      • LOCATION is your location
      • MANAGED-CLUSTER is your managed cluster
      • OBJECT-ID is the object ID
    • Enable Azure AD integration on the existing cluster by running:

      az aks update -g RESOURCE-GROUP -n MANAGED-CLUSTER --enable-aad --aad-admin-group-object-ids OBJECT-ID
      

      Where:

      • RESOURCE-GROUP is your resource group
      • MANAGED-CLUSTER is your managed cluster
      • OBJECT-ID is the object ID
  6. Add Platform Operators to the admin group.

  7. Log in to the AKS cluster by running:

    az aks get-credentials --resource-group RESOURCE-GROUP --name MANAGED-CLUSTER --admin
    

    Where:

    • RESOURCE-GROUP is your resource group
    • MANAGED-CLUSTER is your managed cluster

Set up a Tanzu Application Platform default role group

To set up a Tanzu Application Platform default role group:

  1. Navigate to the Azure Active Directory Overview page.

  2. Select Groups under the Manage side menu.

  3. Identify or create a list of groups in the Azure AD for each of the Tanzu Application Platform default roles (app-operator, app-viewer, and app-editor).

  4. Retrieve the corresponding object IDs for each group.

  5. Add users to the groups accordingly.

  6. For each object ID retrieved earlier, use the Tanzu CLI RBAC plug-in to bind the object ID group to a role by running:

    tanzu rbac binding add -g OBJECT-ID -r TAP-ROLE -n NAMESPACE
    

    Where:

    • OBJECT-ID is the object ID
    • TAP-ROLE is the Tanzu Application Platform role
    • NAMESPACE is the namespace

Set up kubeconfig

To set up kubeconfig:

  1. Set up the kubeconfig to point to the AKS cluster by running:

    az aks get-credentials --resource-group RESOURCE-GROUP --name MANAGED-CLUSTER
    

    Where:

    • RESOURCE-GROUP is your resource group
    • MANAGED-CLUSTER is your managed cluster
  2. Run any kubectl command to trigger a browser login. For example:

    kubectl get pods
    

Integrate Azure AD with Pinniped

Perform the following procedures to set up Azure AD with Pinniped.

Prerequisites

Install the Pinniped Supervisor and Concierge on the cluster without setting up the OIDCIdentityProvider and its Secret.

Set up the Azure AD app

To set up the Azure AD app:

  1. Navigate to the Azure Active Directory Overview page.

  2. Select App registrations under the Manage side menu.

  3. Select New Registration.

  4. Enter the name of the application. For example, gke-pinniped-supervisor-app.

  5. Under Supported account types, select Accounts in this organisational directory only (VMware, Inc. only - Single tenant).

  6. Under Redirect URI, select Web as the platform.

  7. Enter the call URI to the supervisor. For example, https://pinniped-supervisor.example.com/callback.

  8. Select Register to create the app.

  9. If not already redirected, navigate to the app settings page.

  10. Select Token configuration under the Manage menu.

  11. Select Add groups claim > All groups (includes distribution lists but not groups assigned to the application).

  12. Select Add to create the group claim.

  13. Select the app name in the breadcrumb navigation to return to the app settings page.

  14. Select the Endpoints tab and record the value in the OpenID Connect metadata document field.

  15. Return to the app settings page.

  16. Record the Application (client) ID.

  17. Select Certificates & secrets under the Manage menu.

  18. Create a new client secret and record this value.

  19. Add the following YAML to oidc_identity_provider.yaml.

    ---
    apiVersion: idp.supervisor.pinniped.dev/v1alpha1
    kind: OIDCIdentityProvider
    metadata:
      namespace: pinniped-supervisor
      name: azure-ad
    spec:
      # Specify the upstream issuer URL.
      issuer: ISSUER-URL
    
      authorizationConfig:
        additionalScopes: ["openid", "email", "profile"]
        allowPasswordGrant: false
    
      # Specify how claims are mapped to Kubernetes identities.
      claims:
        username: preferred_username
        groups: groups
    
      # Specify the name of the Kubernetes Secret that contains your
      # application's client credentials (created below).
      client:
        secretName: azure-ad-client-credentials
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      namespace: pinniped-supervisor
      name: azure-ad-client-credentials
    type: secrets.pinniped.dev/oidc-client
    stringData:
      clientID: "AZURE-AD-CLIENT-ID"
      clientSecret: "AZURE-AD-CLIENT-SECRET"
    

    Where:

    • ISSUER-URL is the OpenID Connect metadata document URL you recorded earlier, but without the trailing /.well-known/openid-configuration
    • AZURE-AD-CLIENT-ID is the Azure AD client ID you recorded earlier
    • AZURE-AD-CLIENT-SECRET is the Azure AD client secret you recorded earlier
  20. Apply your changes from the kubectl CLI by running:

    kubectl apply -f workspace/pinniped-supervisor/oidc_identity_provider.yaml
    
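The two values that most often go wrong in step 19 are the issuer URL and the IDs pasted into the Secret. The following shell script is an added example and is not part of the Tanzu documentation or of the Pinniped project: it derives the issuer from the recorded metadata document URL exactly as the Where list describes, rejects anything that is not an https metadata URL, checks that a pasted ID is a GUID, and renders the OIDCIdentityProvider manifest. The tenant ID, client ID and namespace values in the comments are constructed placeholders. Pinniped compares the configured issuer with the issuer advertised in the discovery document, so the derived value must match it exactly.

```shell
#!/bin/sh
# Added example, not from the Tanzu documentation or the Pinniped project.
# Derives the Pinniped issuer from the Azure AD "OpenID Connect metadata
# document" URL and renders the OIDCIdentityProvider from step 19.

# Azure AD gives you the discovery URL; Pinniped wants the issuer without the
# discovery suffix and without a trailing slash.
issuer_from_metadata_url() {
  url=$1
  case "$url" in
    https://*) ;;
    *) echo "issuer must use https: $url" >&2; return 1 ;;
  esac
  issuer=${url%/.well-known/openid-configuration}
  if [ "$issuer" = "$url" ]; then
    echo "not an OpenID Connect metadata URL: $url" >&2
    return 1
  fi
  printf '%s\n' "${issuer%/}"
}

# Azure AD client IDs and object IDs are GUIDs; anything else is a paste error.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Renders only the OIDCIdentityProvider. The client secret is created with
# kubectl in the usage below so that it never lands in a YAML file on disk.
render_oidc_idp() {
  issuer=$1
  cat <<EOF
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  namespace: pinniped-supervisor
  name: azure-ad
spec:
  issuer: ${issuer}
  authorizationConfig:
    additionalScopes: ["openid", "email", "profile"]
    allowPasswordGrant: false
  claims:
    username: preferred_username
    groups: groups
  client:
    secretName: azure-ad-client-credentials
EOF
}

# Usage with constructed placeholder values (tenant and client IDs are not real):
#   METADATA_URL='https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration'
#   AZURE_AD_CLIENT_ID='11111111-1111-1111-1111-111111111111'
#   ISSUER=$(issuer_from_metadata_url "$METADATA_URL") || exit 1
#   is_guid "$AZURE_AD_CLIENT_ID" || exit 1
#   render_oidc_idp "$ISSUER" | kubectl apply -f -
#   kubectl -n pinniped-supervisor create secret generic azure-ad-client-credentials \
#     --type=secrets.pinniped.dev/oidc-client \
#     --from-literal=clientID="$AZURE_AD_CLIENT_ID" \
#     --from-literal=clientSecret="$AZURE_AD_CLIENT_SECRET"
```

Creating the Secret with `--from-literal` instead of the `stringData` block in step 19 keeps the client secret out of `oidc_identity_provider.yaml`, and therefore out of whatever repository that file ends up in; the OIDCIdentityProvider only references the Secret by name, so the rendered manifest is safe to commit.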

Set up the Tanzu Application Platform default role group

To set up a Tanzu Application Platform default role group:

  1. Navigate to the Azure Active Directory Overview page.

  2. Select Groups under the Manage side menu.

  3. Identify or create a list of groups in the Azure AD for each of the Tanzu Application Platform default roles (app-operator, app-viewer, and app-editor).

  4. Retrieve the corresponding object IDs for each group.

  5. Add users to the groups accordingly.

  6. For each object ID retrieved earlier, use kubectl to bind the object ID group to a role by running:

    kubectl apply -n DEVELOPER-NAMESPACE -f - << EOF
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: TAP-ROLE
      namespace: DEVELOPER-NAMESPACE
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: TAP-ROLE
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: OBJECT-ID
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: TAP-ROLE-cluster-access
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: TAP-ROLE
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: OBJECT-ID
    EOF
    

    Where:

    • OBJECT-ID is the object ID.
    • TAP-ROLE is the Tanzu Application Platform role.
    • DEVELOPER-NAMESPACE is the namespace for scoping the group.
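Step 6 is repeated once per default role, and a mistyped object ID fails silently: the binding matches no group in anyone's token and grants nothing, with no error from the API server. The following shell script is an added example, not Tanzu or Kubernetes project code, and it generalizes the manifest above: it renders the namespaced RoleBinding for every ROLE=OBJECT-ID pair passed to it, refusing unknown role names and any group value that is not a GUID, and validates all pairs before emitting anything so a bad entry never produces a partial manifest. The namespace and object IDs in the usage comment are constructed placeholders. Only the RoleBinding is rendered; a ClusterRoleBinding grants the referenced ClusterRole in every namespace, so it does not belong in a per-namespace render.

```shell
#!/bin/sh
# Added example, not from the Tanzu documentation: render one RoleBinding per
# Tanzu Application Platform default role for a developer namespace, with the
# group object IDs validated before anything is emitted.

# Azure AD group object IDs are GUIDs; anything else is a copy/paste mistake.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# render_role_binding ROLE OBJECT-ID NAMESPACE
# Emits the namespaced RoleBinding from the procedure above with values filled in.
render_role_binding() {
  role=$1
  group=$2
  ns=$3
  case "$role" in
    app-operator|app-editor|app-viewer) ;;
    *) echo "unknown default role: $role" >&2; return 1 ;;
  esac
  is_guid "$group" || { echo "group for $role is not an object ID: $group" >&2; return 1; }
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: ${group}
EOF
}

# render_all_bindings NAMESPACE ROLE=OBJECT-ID [ROLE=OBJECT-ID ...]
# Validates every pair first (output discarded), then renders the manifest
# stream, so a bad pair yields no output and a non-zero status.
render_all_bindings() {
  ns=$1
  shift
  for pair in "$@"; do
    render_role_binding "${pair%%=*}" "${pair#*=}" "$ns" >/dev/null || return 1
  done
  for pair in "$@"; do
    render_role_binding "${pair%%=*}" "${pair#*=}" "$ns"
  done
}

# Usage with constructed placeholder IDs (replace with the object IDs from step 4):
#   render_all_bindings dev-team-a \
#     app-operator=11111111-1111-1111-1111-111111111111 \
#     app-editor=22222222-2222-2222-2222-222222222222 \
#     app-viewer=33333333-3333-3333-3333-333333333333 | kubectl apply -f -
# Then confirm what a member of the viewer group can do in that namespace:
#   kubectl auth can-i --list -n dev-team-a --as=user@example.com \
#     --as-group=33333333-3333-3333-3333-333333333333
```

The `kubectl auth can-i --list` check impersonates the group rather than a real user, so it can be run before anyone has logged in through Azure AD and shows exactly the verbs the binding grants in that namespace and nothing from other namespaces.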

For more information about binding users or groups to roles, see Bind a user or group to a default role.

Set up kubeconfig

Follow these steps to set up kubeconfig:

  1. Set up kubeconfig using the Pinniped CLI by running:

    pinniped get kubeconfig --kubeconfig-context YOUR-KUBECONFIG-CONTEXT > /tmp/concierge-kubeconfig
    

    Where YOUR-KUBECONFIG-CONTEXT is your kubeconfig context.

  2. Run any kubectl command to trigger a browser login. For example:

    export KUBECONFIG="/tmp/concierge-kubeconfig"
    kubectl get pods
    