This procedure describes how to enable Gangway on OIDC-enabled clusters that you have deployed to Amazon EC2.
Before you begin, you must have deployed the OIDC-enabled cluster from the cluster-template-oidc.yaml file, as described in Deploy an Authentication-Enabled Cluster.
Set the focus of kubectl to the OIDC-enabled cluster.
kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
Create the Gangway service.
kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/02-service.yaml
Get the host name of the Gangway service load balancer.
kubectl get svc gangwaysvc -n tanzu-system-auth -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
Edit the file tkg-extensions-v1.0.0/authentication/gangway/aws/03-config.yaml with information about your Tanzu Kubernetes Grid instance. For example, use vi to edit the file.
vi tkg-extensions-v1.0.0/authentication/gangway/aws/03-config.yaml
Replace the placeholders as follows:
<WORKLOAD_CLUSTER_NAME> with the name of the OIDC-enabled cluster.
<DEX_SVC_LB_HOSTNAME> with the host name of the Dex service load balancer that is running in the management cluster, which you identified in the previous procedure.
<GANGWAY_SVC_LB_HOSTNAME> with the host name of the Gangway service load balancer that you obtained in the preceding step.
<APISERVER_URL> with the host name of the Kubernetes API Server endpoint for the workload cluster. This is the address in the server field of your kubeconfig context for the workload cluster, that is, the API server load balancer that Tanzu Kubernetes Grid creates on Amazon EC2. Do not use the Bastion VM (named like my-oidc-cluster-bastion): it is only an SSH jump host, and Gangway writes this value into the kubeconfig files that it generates for users, so it must be the API server itself.
Apply the configuration to the cluster.
kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/03-config.yaml
Create the Gangway secret file from the provided example.
cp tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.example tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.yaml
Open 04-secret.yaml in a text editor. For example, use vi to edit the file.
vi tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.yaml
At the command line, use openssl to create a session key. The following command uses pbcopy, which is available on Mac OS, to copy the output to your clipboard; on Linux, copy the output from the terminal instead.
openssl rand -base64 32 | pbcopy
In 04-secret.yaml, update the sessionKey value by pasting in the output of the previous command.
Create a client secret. Run the following commands and copy the output of the echo command. The -n flag on echo matters: a trailing newline would be encoded into the Secret and the value would no longer match the secret that you configure in Dex.
clientSecret=$(openssl rand -base64 32)
echo -n "$clientSecret" | base64
In 04-secret.yaml, update the clientSecret value by pasting in the output of the previous command. Keep the unencoded value held in $clientSecret; you need it again when you register the cluster as a static client in Dex. Apply the secret to the cluster.
kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.yaml
Open tkg-extensions-v1.0.0/authentication/gangway/aws/05-cert-selfsigned.yaml in a text editor. For example, use vi to edit the file.
vi tkg-extensions-v1.0.0/authentication/gangway/aws/05-cert-selfsigned.yaml
Replace <GANGWAY_SVC_LB_HOSTNAME> in 05-cert-selfsigned.yaml with the host name of the Gangway service load balancer.
Create a self-signed certificate by applying 05-cert-selfsigned.yaml to the cluster.
kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/05-cert-selfsigned.yaml
Provide the CA for the Dex service that is running on the management cluster to the Gangway service that is running in the Tanzu Kubernetes cluster. Gangway uses this CA to verify the TLS certificate that Dex presents, so it must be the CA that actually issued the Dex certificate.
Set kubectl to the context of the management cluster.
kubectl config use-context my-management-cluster-admin@my-management-cluster
Get the CA from the management cluster.
kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D > dex-ca.crt
NOTE: The command above uses the Mac OS form, base64 -D. On Linux systems, replace base64 -D with base64 -d.
Set kubectl back to the context of the OIDC-enabled cluster.
kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
Create a ConfigMap from the CA certificate file.
kubectl create cm dex-ca -n tanzu-system-auth --from-file=dex-ca.crt=dex-ca.crt
Create the deployment.
kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/06-deployment.yaml
Open the ConfigMap file for the Dex service that is running in the management cluster. For example, use vi to edit the file.
vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/04-cm.yaml
Add a new entry for the OIDC-enabled cluster to the staticClients list.
staticClients:
...
- id: <WORKLOAD_CLUSTER_NAME>
  redirectURIs:
  - 'https://<GANGWAY_SVC_LB_HOSTNAME>/callback'
  name: '<WORKLOAD_CLUSTER_NAME>'
  secret: <clientSecret>
Replace <WORKLOAD_CLUSTER_NAME> and <GANGWAY_SVC_LB_HOSTNAME> with the values that you used in the previous steps, and <clientSecret> with the unencoded value of $clientSecret from the client secret step, not the base64-encoded string that you pasted into 04-secret.yaml. Dex compares this value with the decoded clientSecret that Gangway reads from its Secret, so the two must match exactly, and the redirect URI must match the Gangway host name exactly, including the /callback path.
Set kubectl to the context of the management cluster, apply the updated 04-cm.yaml with kubectl apply, and then get the name of the Dex pod.
kubectl config use-context my-management-cluster-admin@my-management-cluster
kubectl get pods --namespace tanzu-system-auth
NAME READY STATUS RESTARTS AGE
dex-6849555c67-bqmpd 1/1 Running 0 2d5h
Bounce the Dex pod by deleting it, so that its Deployment recreates it with the updated ConfigMap. Use the pod name from your own output; it differs from the example. The pod is in the tanzu-system-auth namespace, so pass the namespace to the delete command.
kubectl delete pod dex-6849555c67-bqmpd --namespace tanzu-system-auth
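The Dex registration step, as an added shell example that is not from the TKG documentation or the tkg-extensions bundle: it renders the staticClients entry, cross-checks the plain client secret against the base64 value pasted into 04-secret.yaml, and verifies the redirect URI, so a mismatch is caught before Dex is restarted. The Deployment name dex used by apply_and_restart_dex and the sample values at the bottom are assumptions; the file paths and context names are the ones on this page.

```shell
#!/bin/sh
# Added example, not from the TKG documentation or the tkg-extensions bundle.
# Builds the staticClients entry for 04-cm.yaml and checks it against the
# values already in the Gangway Secret before Dex is restarted. The sample
# values at the bottom are constructed, and the Deployment name 'dex' in
# apply_and_restart_dex is an assumption based on the pod name on the page.
set -eu

# Portable decoder (GNU base64 -d, Mac OS base64 -D).
b64decode() {
    if printf 'b2s=' | base64 -d >/dev/null 2>&1; then
        base64 -d
    else
        base64 -D
    fi
}

# Render the entry to paste under staticClients: in 04-cm.yaml.
render_static_client() {
    cluster=$1; gangway_host=$2; client_secret=$3
    cat <<EOF
- id: $cluster
  redirectURIs:
  - 'https://$gangway_host/callback'
  name: '$cluster'
  secret: $client_secret
EOF
}

# Consistency checks before touching the management cluster:
#  1. the plain secret Dex will see equals the DECODED clientSecret in 04-secret.yaml
#     (a sentinel keeps a trailing newline that $(...) would otherwise strip,
#     which is exactly how an echo without -n lets a bad value slip through);
#  2. the secret is non-empty and contains no whitespace;
#  3. the rendered redirect URI is https://<gangway host>/callback, verbatim.
check_static_client() {
    cluster=$1; gangway_host=$2; dex_secret=$3; secret_data_b64=$4
    decoded=$(printf '%s' "$secret_data_b64" | b64decode; printf x)
    decoded=${decoded%x}
    [ "$decoded" = "$dex_secret" ] || { echo "clientSecret in 04-secret.yaml does not decode to the Dex secret" >&2; return 1; }
    [ -n "$dex_secret" ] || { echo "empty secret" >&2; return 1; }
    [ "$(printf '%s' "$dex_secret" | tr -d '[:space:]')" = "$dex_secret" ] || { echo "secret contains whitespace" >&2; return 1; }
    render_static_client "$cluster" "$gangway_host" "$dex_secret" \
        | grep -qF -- "- 'https://$gangway_host/callback'" || { echo "bad redirect URI" >&2; return 1; }
}

# Apply the edited ConfigMap and restart Dex through its Deployment instead of
# copying a pod name that differs on every cluster. Needs cluster access.
apply_and_restart_dex() {
    kubectl config use-context my-management-cluster-admin@my-management-cluster
    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/04-cm.yaml
    kubectl rollout restart deployment dex --namespace tanzu-system-auth
    kubectl rollout status deployment dex --namespace tanzu-system-auth
}

# Constructed sample input (not real cluster data).
CLUSTER=my-oidc-cluster
GANGWAY_HOST=gangway-example.elb.amazonaws.com   # value of <GANGWAY_SVC_LB_HOSTNAME>
DEX_SECRET=dexsecret                             # value of $clientSecret
SECRET_DATA_B64=ZGV4c2VjcmV0                     # clientSecret field as pasted into 04-secret.yaml

check_static_client "$CLUSTER" "$GANGWAY_HOST" "$DEX_SECRET" "$SECRET_DATA_B64"
render_static_client "$CLUSTER" "$GANGWAY_HOST" "$DEX_SECRET"
```

Run check_static_client with your own cluster name, Gangway host name, $clientSecret and the clientSecret data value from 04-secret.yaml; only call apply_and_restart_dex once it returns 0. If you prefer deleting the pod as the page does, remember that the pod name is different in every cluster and that the delete needs the tanzu-system-auth namespace.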
Dex and Gangway are now running on your management cluster and Tanzu Kubernetes cluster respectively. You can now use the credentials from your external identity provider (IDP) to connect to the cluster, as described in Access Clusters with Your IDP Credentials.