The procedure in this topic describes how to deploy Dex on a Tanzu Kubernetes Grid management cluster that is running in vSphere, if your identity provider is OIDC.

Prerequisites

Procedure

  1. Open the Dex configuration map file tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml
    
  2. Update tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml as follows:

    • Replace two instances of <MGMT_CLUSTER_IP> with the IP address of one of the control plane nodes of your management cluster.
    • Replace one instance of <OIDC_IDP_URL> with the IP or DNS address of the OIDC server.
  3. Create a secret file from the provided example.

    cp tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-0-secret.example tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-0-secret.yaml
    
  4. Open the OIDC secret file in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-0-secret.yaml
    
  5. Replace <CLIENT_ID> and <CLIENT_SECRET> with the Base64-encoded client_id and secret values that you obtain from your OIDC provider.

    For example, if your provider is Okta, log in to Okta, create a Web application, and select the Client Credentials options in order to get a client_id and secret.

  6. Set the focus of kubectl to the context of your management cluster.

    For example, if your cluster is named my-cluster, run the following command.

    kubectl config use-context my-cluster-admin@my-cluster
    
  7. Apply all of the YAML files that you created to your management cluster.

    1. Create a namespace in your management cluster for the authentication service.
      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/01-namespace.yaml
      
    2. Generate a self-signed certificate.
      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/02-certs-selfsigned.yaml
      
    3. Connect to your OIDC server.
      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml
      
    4. Configure Role-Based Access Control (RBAC).
      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/04-rbac.yaml
      
    5. Deploy Dex.
      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-deployment.yaml
      
    6. Start the service.
      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/06-service.yaml
      
  8. Run kubectl get pods --namespace tanzu-system-auth to see the pod that is running the Dex service.

    The service is running in a pod with a name similar to dex-6849555c67-bqmpd.
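The procedure above (placeholder substitution in steps 2 and 5, the ordered applies in step 7 and the pod check in step 8) as one script, added here as an example; it is not part of the VMware documentation or the tkg-extensions bundle. It assumes the tkg-extensions-v1.0.0 file layout from this page, that the Dex Deployment object is named dex (inferred from the pod name in step 8, not stated on the page) and that 05-0-secret.yaml has to be applied too, which step 7 does not list. The placeholder names, namespace and file names are the page's own; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the VMware documentation or the tkg-extensions bundle:
# render the Dex OIDC manifests from the page's placeholders, verify that nothing
# was left unfilled, and apply them in the documented order.
# Assumptions: the file tree is the tkg-extensions-v1.0.0 path from the page and
# the Dex Deployment object is named "dex" (inferred from the pod name).
set -eu

DEX_DIR="${DEX_DIR:-tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc}"

# Base64 without the trailing newline that `echo value | base64` would encode.
# A stray newline inside <CLIENT_SECRET> makes the IdP reject the client.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Escape a value for the replacement side of sed's s|old|new|g.
sed_escape() {
  printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# Replace every occurrence of placeholder $1 on stdin with value $2.
subst() {
  sed "s|$1|$(sed_escape "$2")|g"
}

# Step 2: both <MGMT_CLUSTER_IP> instances and the single <OIDC_IDP_URL>.
render_cm() {
  subst '<MGMT_CLUSTER_IP>' "$2" < "$1" | subst '<OIDC_IDP_URL>' "$3"
}

# Step 5: client id and secret go in base64-encoded, as Secret data requires.
render_secret() {
  subst '<CLIENT_ID>' "$(b64 "$2")" < "$1" | subst '<CLIENT_SECRET>' "$(b64 "$3")"
}

# Succeeds only if no <UPPER_CASE> placeholder survives in the file.
check_no_placeholders() {
  ! grep -q '<[A-Z_][A-Z_]*>' "$1"
}

# Step 7: apply in order; 01 creates the namespace everything else lives in.
# 05-0-secret is an assumption: the page's step 7 does not list it, but the
# Secret created in step 3 has to exist in the cluster before Dex can use it.
apply_all() {
  for f in 01-namespace 02-certs-selfsigned 03-cm 04-rbac 05-0-secret 05-deployment 06-service; do
    check_no_placeholders "$DEX_DIR/$f.yaml"
    kubectl apply -f "$DEX_DIR/$f.yaml"
  done
}

# Step 8: block until the Dex Deployment reports ready, then list the pods.
wait_for_dex() {
  kubectl --namespace tanzu-system-auth rollout status deployment/dex --timeout=180s
  kubectl get pods --namespace tanzu-system-auth
}

# The client secret comes from the environment, not argv, so it is not written
# to shell history or visible in `ps`.
main() {
  mgmt_ip=$1; idp_url=$2; client_id=$3
  client_secret=${DEX_CLIENT_SECRET:?set DEX_CLIENT_SECRET in the environment}
  render_cm "$DEX_DIR/03-cm.yaml" "$mgmt_ip" "$idp_url" > "$DEX_DIR/03-cm.yaml.tmp"
  mv "$DEX_DIR/03-cm.yaml.tmp" "$DEX_DIR/03-cm.yaml"
  render_secret "$DEX_DIR/05-0-secret.example" "$client_id" "$client_secret" > "$DEX_DIR/05-0-secret.yaml"
  chmod 600 "$DEX_DIR/05-0-secret.yaml"   # the file now holds the live client secret
  apply_all
  wait_for_dex
}

# Usage (constructed values):
#   DEX_DEPLOY=1 DEX_CLIENT_SECRET='...' sh deploy-dex-oidc.sh 10.0.0.5 https://idp.example.com myclient
if [ "${DEX_DEPLOY:-0}" = 1 ]; then
  main "$@"
fi
```

Two details carry the security weight: printf '%s' avoids the trailing newline that echo | base64 would bake into the Secret, and check_no_placeholders refuses to apply any manifest that still carries an unfilled placeholder, so a half-edited 03-cm.yaml cannot reach the cluster.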

What to Do Next

Deploy an Authentication-Enabled Cluster that has an embedded OIDC endpoint that can connect to your OIDC provider.
