This topic describes how to deploy Dex on a Tanzu Kubernetes Grid management cluster that is running in Amazon EC2.
This release of Tanzu Kubernetes Grid supports using Dex with OIDC in management clusters that you deploy to Amazon EC2. LDAP is not supported for Amazon EC2 deployments.
Prerequisite: download and unpack the Tanzu Kubernetes Grid extensions bundle, tkg-extensions-manifests-v1.0.0+vmware.1.tar.gz. The commands below are run from the directory that contains the unpacked tkg-extensions-v1.0.0 folder.
1. Set the focus of kubectl to the context of your management cluster. For example, if your cluster is named my-management-cluster, run the following command.

   kubectl config use-context my-management-cluster-admin@my-management-cluster

2. Create a namespace named tanzu-system-auth in your management cluster for the authentication service.

   kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/01-namespace.yaml

3. Create the Dex service.

   kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/02-service.yaml

4. Get the hostname of the load balancer of the Dex service.

   kubectl get svc dexsvc -n tanzu-system-auth -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'

5. Open 03-certs-selfsigned.yaml in a text editor. For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/03-certs-selfsigned.yaml

   Replace <DEX_SVC_LB_HOSTNAME> with the hostname of the load balancer of the Dex service, from the previous step.

6. Create the self-signed certificate.

   kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/03-certs-selfsigned.yaml

7. Open the Dex configuration map file, 04-cm.yaml, in a text editor. For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/04-cm.yaml

8. Update 04-cm.yaml with information about your load balancer and OIDC provider.

   - Replace <DEX_SVC_LB_HOSTNAME> with the hostname of the load balancer of the Dex service.
   - Replace <OIDC_IDP_URL> with the IP or DNS address of your OIDC provider, for example an Okta server.

9. Apply the configuration map to the cluster.

   kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/04-cm.yaml

10. Configure Role-Based Access Control (RBAC).

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/05-rbac.yaml

11. Create a secret file from the provided example.

    cp tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.example tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.yaml

12. Open the OIDC secret file in a text editor. For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.yaml

    Replace <CLIENT_ID> and <CLIENT_SECRET> with the Base64-encoded client_id and secret that you obtain from your OIDC provider. For example, if your provider is Okta, log in to Okta, create a Web application, and select the Client Credentials options in order to get a client_id and secret.

13. Pass the secret to the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.yaml

14. Create the Dex deployment.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-deployment.yaml

15. Run kubectl get pods --namespace tanzu-system-auth to see the pod that is running the Dex service. The service is running in a pod with a name similar to dex-6849555c67-bqmpd.
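The placeholder substitutions for 03-certs-selfsigned.yaml, 04-cm.yaml and 06-0-secret.yaml, as an added helper script that is not part of the Tanzu Kubernetes Grid extensions bundle; it assumes the bundle is unpacked in the current directory and that OIDC_IDP_URL, OIDC_CLIENT_ID and OIDC_CLIENT_SECRET are exported in the environment. It polls for the load balancer hostname, which the jsonpath query returns as an empty string until AWS has provisioned the load balancer, and Base64-encodes the credentials without the trailing newline that echo would add.

```shell
#!/bin/sh
# Added helper (not part of the TKG manifests): fills the <PLACEHOLDER> tokens
# in the Dex manifests and Base64-encodes the OIDC client credentials.
# Assumes tkg-extensions-v1.0.0 is unpacked in the current directory and that
# OIDC_IDP_URL, OIDC_CLIENT_ID and OIDC_CLIENT_SECRET are exported.
set -eu

DEX_DIR="${DEX_DIR:-tkg-extensions-v1.0.0/authentication/dex/aws/oidc}"

# Base64 without a trailing newline: `echo "$v" | base64` would encode the
# newline too, and Dex would then present "secret\n" to the provider.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Right after 02-service.yaml is applied the jsonpath query returns an empty
# string; poll until AWS has assigned the load balancer hostname.
wait_for_lb_hostname() {
  attempts="${1:-30}"
  while [ "$attempts" -gt 0 ]; do
    host="$(kubectl get svc dexsvc -n tanzu-system-auth \
      -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || true)"
    [ -n "$host" ] && { printf '%s\n' "$host"; return 0; }
    attempts=$((attempts - 1)); sleep 10
  done
  echo "dexsvc load balancer hostname not assigned" >&2; return 1
}

# Replace every occurrence of a placeholder token in a manifest. Fails if the
# token is absent, so a typo cannot leave a placeholder in the cluster.
# `&`, `|` and `\` in the value are escaped so sed does not interpret them.
fill_placeholder() {
  file="$1"; token="$2"
  value="$(printf '%s' "$3" | sed 's/[&|\\]/\\&/g')"
  grep -qF "$token" "$file" || { echo "missing $token in $file" >&2; return 1; }
  sed "s|$token|$value|g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

main() {
  host="$(wait_for_lb_hostname)"
  fill_placeholder "$DEX_DIR/03-certs-selfsigned.yaml" '<DEX_SVC_LB_HOSTNAME>' "$host"
  fill_placeholder "$DEX_DIR/04-cm.yaml" '<DEX_SVC_LB_HOSTNAME>' "$host"
  fill_placeholder "$DEX_DIR/04-cm.yaml" '<OIDC_IDP_URL>' "$OIDC_IDP_URL"
  cp "$DEX_DIR/06-0-secret.example" "$DEX_DIR/06-0-secret.yaml"
  fill_placeholder "$DEX_DIR/06-0-secret.yaml" '<CLIENT_ID>' "$(b64 "$OIDC_CLIENT_ID")"
  fill_placeholder "$DEX_DIR/06-0-secret.yaml" '<CLIENT_SECRET>' "$(b64 "$OIDC_CLIENT_SECRET")"
}
# Run only when invoked as `sh fill-dex-manifests.sh run`.
if [ "${1:-}" = "run" ]; then main; fi
```

Run the script after step 3 (the service must exist before the hostname can be polled), then continue with the kubectl apply commands for the edited files.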
Next, see Deploy an Authentication-Enabled Cluster, which has an embedded OIDC endpoint that can connect to your OIDC provider.