The procedure in this topic describes how to deploy Dex on a Tanzu Kubernetes Grid management cluster that is running in vSphere, if your identity provider is OIDC.

• Prerequisites
• Procedure
• Deploy a Tanzu Kubernetes Cluster with OIDC Authentication
• What to Do Next

Prerequisites

• You have deployed a management cluster.
• You have downloaded and unpacked the bundle of Tanzu Kubernetes Grid extensions. For information about where to obtain the bundle, see Download and Unpack the Tanzu Kubernetes Grid Extensions Bundle.

Procedure

1. Open the Dex configuration map file tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml in a text editor.

   For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml
   

2. Update tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml as follows:

   • Replace two instances of <MGMT_CLUSTER_IP> with the IP address of one of the control plane nodes of your management cluster.
   • Replace one instance of <OIDC_IDP_URL> with the IP or DNS address of the OIDC server.

3. Create a secret file from the provided example.

   cp tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-0-secret.example tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-0-secret.yaml
   

4. Open the OIDC secret file in a text editor.

   For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-0-secret.yaml
   

5. Replace <CLIENT_ID> and <CLIENT_SECRET> with Base64 values client_id and secret that you obtain from your OIDC provider.

   For example, if your provider is Okta, log in to Okta, create a Web application, and select the Client Credentials options in order to get a client_id and secret.

6. Set the focus of kubectl to the context of your management cluster.

   For example, if your cluster is named my-cluster, run the following command.

   kubectl config use-context my-cluster-admin@my-cluster
   

7. Apply all of the created the YAML files to your management cluster.

   1. Create a namespace in your management cluster for the authentication service.

      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/01-namespace.yaml
      

   2. Generate a self-signed certificate.

      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/02-certs-selfsigned.yaml
      

   3. Connect to your OIDC server.

      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/03-cm.yaml
      

   4. Configure Role-Based Access Control (RBAC).

      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/04-rbac.yaml
      

   5. Deploy Dex.

      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/05-deployment.yaml
      

   6. Start the service.

      kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/vsphere/oidc/06-service.yaml
      

8. Run kubectl get pods --namespace tanzu-system-auth to see the pod that is running the Dex service.

   The service is running in a pod with a name similar to dex-6849555c67-bqmpd.

What to Do Next

Deploy an Authentication-Enabled Cluster, that has an embedded OIDC endpoint that can connect to your OIDC provider.