This procedure describes how to enable Gangway on OIDC-enabled clusters that you have deployed to vSphere.

• Prerequisites
• Procedure
• What to Do Next

Prerequisites

• You have completed the steps in either Deploy Dex with LDAP to a Management Cluster Running on vSphere or Deploy Dex with OIDC to a Management Cluster Running on vSphere.
• You have deployed a Tanzu Kubernetes cluster from the cluster-template-oidc.yaml file, as described in Deploy an Authentication-Enabled Cluster.

Procedure

1. Set the focus of kubectl to the OIDC-enabled cluster.

   kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
   

2. Edit the file tkg-extensions-v1.0.0/authentication/gangway/vsphere/02-config.yaml with information about your Tanzu Kubernetes Grid instance.

   For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/gangway/vsphere/02-config.yaml
   

   • Replace all instances of <WORKLOAD_CLUSTER_NAME> with the name of the OIDC-enabled cluster.
   • Replace all instances of <MGMT_CLUSTER_IP> with the IP address of one of the control plane nodes of the management cluster.
   • Replace <WORKLOAD_CLUSTER_IP> with the IP address of the control plane node or nodes of workload cluster.
   • Replace <APISERVER_URL> with the IP or DNS address of the Kubernetes API Server endpoint for the workload cluster. This is the address of the load balancer VM that is running in the cluster, that has a name similar to my-cluster-default-lb.
3. Apply the configuration to the OIDC-enabled cluster.

   kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/vsphere/02-config.yaml
   

4. Create an openssl client secret file from the provided example.

   cp tkg-extensions-v1.0.0/authentication/gangway/vsphere/03-secret.example tkg-extensions-v1.0.0/authentication/gangway/vsphere/03-secret.yaml
   

5. Open 03-secret.yaml in a text editor.

   For example, use vi to edit the file.

   vi tkg-extensions-v1.0.0/authentication/gangway/vsphere/03-secret.yaml
   

6. At the command line, use openssl to create a session key.

   The following command uses pbcopy to copy the output to your clipboard.

   openssl rand -base64 32 | pbcopy
   

7. In 03-secret.yaml, update the sesssionKey value by pasting in the output of the previous command.

8. Create a client secret.

   Run the following commands and copy the output of the echo command.

   clientSecret=$(openssl rand -base64 32)
   

   echo -n "$clientSecret" | base64
   

9. In 03-secret.yaml, update the clientSecret value by pasting in the output of the previous command.

10. Pass the secret to the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/vsphere/03-secret.yaml
    

11. Open tkg-extensions-v1.0.0/authentication/gangway/vsphere/04-cert-selfsigned.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/gangway/vsphere/04-cert-selfsigned.yaml
    

    Replace <WORKLOAD_CLUSTER_IP1> and <WORKLOAD_CLUSTER_IP2> with the IP addresses of the control plane node VM or VMs. Remove the row for <WORKLOAD_CLUSTER_IP2> if your management cluster has a single node control plane. Add more rows if your control plane has more than two nodes.

12. Create a self-signed certificate by applying 04-cert-selfsigned.yaml to the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/vsphere/04-cert-selfsigned.yaml
    

13. Provide the CA for the Dex service running on management cluster to the Gangway service running in the Tanzu Kubernetes cluster.

    1. Set the focus of kubectl to the context of the management cluster.

       kubectl config use-context my-management-cluster-admin@my-management-cluster 
       

    2. Get the CA from the management cluster.
       

        kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D > dex-ca.crt 

       NOTE: On Linux systems, replace base64 -D with base64 -d.

    3. Set the focus of kubectl back to the context of the OIDC-enabled cluster.

       kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster 
       

    4. Create a ConfigMap file with the CA certificate.

       kubectl create cm dex-ca -n tanzu-system-auth --from-file=dex-ca.crt=dex-ca.crt
       

14. Create the deployment.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/vsphere/05-deployment.yaml
    

15. Create the Gangway service in the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/gangway/vsphere/06-service.yaml
    

16. Open the ConfigMap for the Dex service that is running in the management cluster.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/vsphere/ldap/03-cm.yaml
    

17. Add a new entry for the OIDC-enabled cluster to the staticClients list, to inform Dex that the Gangway application is a client of the Dex service.

    staticClients:
    ...
    - id: <WORKLOAD_CLUSTER_NAME>
      redirectURIs:
      - 'https://<WORKLOAD_CLUSTER_IP>:30166/callback'
      name: '<WORKLOAD_CLUSTER_NAME>'
      # echo -n '<clientSecret>'
     secret: <clientSecret>
    

    Replace <WORKLOAD_CLUSTER_NAME>, <WORKLOAD_CLUSTER_IP> and <clientSecret> with the values that you used in the previous steps.

18. Set the focus of kubectl to the context of the management cluster.

    kubectl config use-context my-management-cluster-admin@my-management-cluster 
    

19. Get the ID of the Dex service pod that is running in the management cluster.

    kubectl get pods --namespace tanzu-system-auth
    

    NAME                   READY   STATUS    RESTARTS   AGE
    dex-6849555c67-bqmpd   1/1     Running   0          2d5h
    

20. Bounce the Dex pod by deleting it.

    kubectl delete pod dex-6849555c67-bqmpd
    

What to Do Next

Dex and Gangway are now running on your management cluster and Tanzu Kubernetes cluster respectively. You can now use your the credentials from your external identity provider (IDP) to connect to the cluster, as described in Access Clusters with Your IDP Credentials.