To use the Dex authentication service you must deploy a Tanzu Kubernetes cluster that is configured to use Dex. The Tanzu Kubernetes Grid extensions bundle provides a special plan from which to deploy a cluster that is enabled for Dex. The cluster includes a Dex OIDC endpoint that allows it to connect to your LDAP or OIDC Identity Provider.

This procedure applies to both vSphere and Amazon EC2 deployments.

Prerequisites

You have completed the steps in one of the following procedures.

Procedure

  1. Move the file cluster-template-oidc.yaml into the folder for the Cluster API provider for either vSphere or Amazon EC2.

    The following commands include the versions of the Cluster API providers for Tanzu Kubernetes Grid 1.1.0. These versions are v0.6.4 for vSphere and v0.5.3 for Amazon EC2.

    • vSphere:
      mv tkg-extensions-v1.1.0/authentication/dex/vsphere/cluster-template-oidc.yaml ~/.tkg/providers/infrastructure-vsphere/v0.6.4/cluster-template-oidc.yaml
      
    • Amazon EC2:
      mv tkg-extensions-v1.1.0/authentication/dex/aws/cluster-template-oidc.yaml ~/.tkg/providers/infrastructure-aws/v0.5.3/cluster-template-oidc.yaml
      
  2. Make sure that the context of kubectl is set to the context of your management cluster.

    kubectl config use-context my-management-cluster-admin@my-management-cluster
    
  3. Set the following environment variables on your bootstrap environment, depending on whether you are deploying the cluster to vSphere or Amazon EC2.

    • vSphere: Replace <MGMT_CLUSTER_IP> with the IP address of the management cluster control plane node that you identified in 03-cm.yaml in the previous procedure.

      export OIDC_ISSUER_URL=https://<MGMT_CLUSTER_IP>:30167
      
      export OIDC_USERNAME_CLAIM=email
      
      export OIDC_GROUPS_CLAIM=groups
      

      export DEX_CA=$(kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D | gzip | base64)

    • Amazon EC2: Replace <DEX_SVC_LB_HOSTNAME> with the hostname of the load balancer that you identified in 04-cm.yaml in the previous procedure.

      export OIDC_ISSUER_URL=https://<DEX_SVC_LB_HOSTNAME>
      
      export OIDC_USERNAME_CLAIM=email
      
      export OIDC_GROUPS_CLAIM=groups
      

      export DEX_CA=$(kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D | gzip | base64)

    NOTE: On Linux systems, replace base64 -D with base64 -d in the DEX_CA variable. On Mac OS systems, use -D.

  4. Make sure that the context of your management cluster is the context of the Tanzu Kubernetes Grid CLI.

    tkg set management-cluster my-management-cluster
    
  5. Use the Tanzu Kubernetes Grid CLI to create a Tanzu Kubernetes cluster from the plan that you copied into the providers folder.

    tkg create cluster my-oidc-cluster --plan=oidc
    
  6. When the cluster deployment finishes, get the credentials of the created cluster.

    tkg get credentials my-oidc-cluster
    
  7. Set the context of kubectl to the OIDC-enabled cluster.

    kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
    
  8. Install cert-manager on the Tanzu Kubernetes cluster.

    kubectl apply -f tkg-extensions-v1.1.0/cert-manager/
    
  9. Create a namespace named tanzu-system-auth on the cluster.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/vsphere/01-namespace.yaml
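Before running step 5 it is worth confirming that the variables exported in step 3 hold what the new cluster's API server will need: an https issuer URL with no placeholder left in it, and a DEX_CA value that really unpacks (base64, then gzip) to a PEM certificate. The POSIX shell check below is an added example, not part of the Tanzu Kubernetes Grid documentation or extensions bundle; the function name check_dex_env, the sample issuer address 203.0.113.10 and the dummy certificate body are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the TKG docs: sanity-check the values that step 3
# puts into OIDC_ISSUER_URL and DEX_CA before running "tkg create cluster".
# A cluster created with a wrong issuer URL or an undecodable CA bundle ends
# up with an API server that cannot validate the tokens Dex issues.

# GNU coreutils decodes with -d, older macOS with -D (see the NOTE in step 3).
b64_decode() {
  if printf 'b2s=' | base64 -d >/dev/null 2>&1; then
    base64 -d
  else
    base64 -D
  fi
}

# check_dex_env ISSUER_URL DEX_CA
# Returns 0 when both values look usable, 1 otherwise (reasons go to stderr).
check_dex_env() {
  issuer="$1"; ca="$2"; ok=0
  case "$issuer" in
    https://*) ;;
    *) echo "OIDC_ISSUER_URL must start with https://" >&2; ok=1 ;;
  esac
  case "$issuer" in
    *'<'*|*'>'*) echo "OIDC_ISSUER_URL still contains a <PLACEHOLDER>" >&2; ok=1 ;;
  esac
  # DEX_CA was built as ca.crt -> gzip -> base64, so it must unpack to PEM.
  pem=$(printf '%s' "$ca" | b64_decode 2>/dev/null | gzip -dc 2>/dev/null) || pem=""
  case "$pem" in
    *'-----BEGIN CERTIFICATE-----'*) ;;
    *) echo "DEX_CA does not decode to a PEM certificate" >&2; ok=1 ;;
  esac
  return "$ok"
}

# Constructed sample: a dummy PEM body packed the same way step 3 packs DEX_CA.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBConstructedSampleNotARealCertificate
-----END CERTIFICATE-----'
SAMPLE_DEX_CA=$(printf '%s\n' "$SAMPLE_PEM" | gzip | base64)

# Typical use: export the variables as in step 3, then run the check on them.
if check_dex_env "https://203.0.113.10:30167" "$SAMPLE_DEX_CA"; then
  echo "OIDC_ISSUER_URL and DEX_CA look usable"
fi
```

In a real bootstrap environment call it as check_dex_env "$OIDC_ISSUER_URL" "$DEX_CA" after step 3 and only proceed to tkg create cluster when it returns 0.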
    

What to Do Next

Now that you have deployed Dex on the management cluster and deployed an OIDC-enabled cluster, you must enable Gangway on the cluster and connect it to the Dex service. The procedure is different depending on whether your cluster is running on vSphere or Amazon EC2.