Docs

This procedure describes how to enable Gangway on OIDC-enabled clusters that you have deployed to Amazon EC2.

• Prerequisites
• Procedure
• What to Do Next

Prerequisites

• You have completed the steps in Deploy Dex to a Management Cluster Running on Amazon EC2.
• You have deployed a Tanzu Kubernetes cluster from the cluster-template-oidc.yaml file, as described in Deploy an Authentication-Enabled Cluster.

Procedure

1. Set the focus of kubectl to the OIDC-enabled cluster.

   kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
   

2. Create the Gangway service.

   kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/02-service.yaml
   

3. Get the host name of the Gangway service load balancer.

   kubectl get svc gangwaysvc -n tanzu-system-auth -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
   

4. Edit the file tkg-extensions-v1.0.0/authentication/gangway/aws/03-config.yaml with information about your Tanzu Kubernetes Grid instance.

   For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/gangway/aws/03-config.yaml
   

   • Replace all instances of <WORKLOAD_CLUSTER_NAME> with the name of the OIDC-enabled cluster.
   • Replace <DEX_SVC_LB_HOSTNAME> with the host name of the Dex service load balancer that is running in the management cluster, that you identified in the previous procedure.
   • Replace <GANGWAY_SVC_LB_HOSTNAME> with the host name of the Gangway service load balancer that you obtained in the preceding step.
   • Replace <APISERVER_URL> with the host name of the Kubernetes API Server endpoint for the workload cluster. This is the Bastion VM that is running in the cluster, that has a name like my-oidc-cluster-bastion.
5. Apply the configuration to the OIDC-enabled cluster.

   kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/03-config.yaml
   

6. Create an openssl client secret file from the provided example.

   cp tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.example tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.yaml
   

7. Open 03-secret.yaml in a text editor.

   For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.yaml
   

8. At the command line, use openssl to create a session key.

   The following command uses pbcopy to copy the output to your clipboard.

   openssl rand -base64 32 | pbcopy
   

9. In 03-secret.yaml, update the sesssionKey value by pasting in the output of the previous command.

10. Create a client secret.

    Run the following commands and copy the output of the echo command.

    clientSecret=$(openssl rand -base64 32)
    

    echo -n "$clientSecret" | base64
    

11. In 04-secret.yaml, update the clientSecret value by pasting in the output of the previous command.
12. Pass the secret to the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/04-secret.yaml
    

13. Open tkg-extensions-v1.0.0/authentication/gangway/aws/05-cert-selfsigned.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/gangway/aws/05-cert-selfsigned.yaml
    

    Replace <GANGWAY_SVC_LB_HOSTNAME> in 05-cert-selfsigned.yaml with the host name of the Gangway service load balancer.

14. Create a self-signed certificate by applying 05-cert-selfsigned.yaml to the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/05-cert-selfsigned.yaml
    

15. Provide the CA for the Dex service running on management cluster to the Gangway service running in the Tanzu Kubernetes cluster.

    1. Set the focus of kubectl to the context of the management cluster.

       kubectl config use-context my-management-cluster-admin@my-management-cluster 
       

    2. Get the CA from the management cluster.
       

        kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D > dex-ca.crt 

       NOTE: On Linux systems, replace base64 -D with base64 -d. On Mac OS, use -D.

    3. Set the focus of kubectl back to the context of the OIDC-enabled cluster.

       kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster 
       

    4. Create a ConfigMap file with the CA certificate.

       kubectl create cm dex-ca -n tanzu-system-auth --from-file=dex-ca.crt=dex-ca.crt
       

16. Create the deployment.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/aws/06-deployment.yaml
    

17. Open the ConfigMap for the Dex service that is running in the management cluster.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/04-cm.yaml
    

18. Add a new entry for the OIDC-enabled cluster to the staticClients list.

     staticClients:
     ...
     - id: <WORKLOAD_CLUSTER_NAME>
       redirectURIs:
       - 'https://<GANGWAY_SVC_LB_HOSTNAME>/callback'
       name: '<WORKLOAD_CLUSTER_NAME>'
       secret: <clientSecret>
    

    Replace <WORKLOAD_CLUSTER_NAME>, <GANGWAY_SVC_LB_HOSTNAME> and <clientSecret> with the values that you used in the previous steps.

19. Set the focus of kubectl to the context of the management cluster.

    kubectl config use-context my-management-cluster-admin@my-management-cluster 
    

20. Get the ID of the Dex service pod that is running in the management cluster.

    kubectl get pods --namespace tanzu-system-auth
    

    NAME                   READY   STATUS    RESTARTS   AGE
    dex-6849555c67-bqmpd   1/1     Running   0          2d5h
    

21. Bounce the Dex pod by deleting it.

    kubectl delete pod dex-6849555c67-bqmpd
    

What to Do Next

Dex and Gangway are now running on your management cluster and Tanzu Kubernetes cluster respectively. You can now use your the credentials from your external identity provider (IDP) to connect to the cluster, as described in Access Clusters with Your IDP Credentials.