
This procedure describes how to enable Gangway on OIDC-enabled clusters that you have deployed to Amazon EC2.

Prerequisites

Procedure

  1. Set the context of kubectl to the OIDC-enabled cluster.

    kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
    
  2. Create the Gangway service.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/aws/02-service.yaml
    
  3. Get the host name of the Gangway service load balancer.

    kubectl get svc gangwaysvc -n tanzu-system-auth -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
    
  4. Edit the file tkg-extensions-v1.1.0/authentication/gangway/aws/03-config.yaml with information about your Tanzu Kubernetes Grid instance.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/gangway/aws/03-config.yaml
    
    • Replace all instances of <WORKLOAD_CLUSTER_NAME> with the name of the OIDC-enabled cluster.
    • Replace <DEX_SVC_LB_HOSTNAME> with the host name of the Dex service load balancer that is running in the management cluster, which you identified in the previous procedure.
    • Replace <GANGWAY_SVC_LB_HOSTNAME> with the host name of the Gangway service load balancer that you obtained in the preceding step.
    • Replace <APISERVER_URL> with the host name of the Kubernetes API Server endpoint for the workload cluster. This is the DNS name of the AWS load balancer, which has a name like my-oidc-cluster-*.elb.amazonaws.com.
  5. Apply the configuration to the OIDC-enabled cluster.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/aws/03-config.yaml
    
  6. Create the client secret file from the provided example.

    cp tkg-extensions-v1.1.0/authentication/gangway/aws/04-secret.example tkg-extensions-v1.1.0/authentication/gangway/aws/04-secret.yaml
    
  7. Open 04-secret.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/gangway/aws/04-secret.yaml
    
  8. At the command line, use openssl to create a session key.

    The following command uses pbcopy to copy the output to your clipboard.

    openssl rand -base64 32 | pbcopy
    
  9. In 04-secret.yaml, update the sessionKey value by pasting in the output of the previous command.
  10. Create a client secret.

    Run the following commands and copy the output of the echo command.

    clientSecret=$(openssl rand -base64 32)
    
    echo -n "$clientSecret" | base64
    
  11. In 04-secret.yaml, update the clientSecret value by pasting in the output of the previous command.
  12. Pass the secret to the cluster.
    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/aws/04-secret.yaml
    
  13. Open tkg-extensions-v1.1.0/authentication/gangway/aws/05-cert-selfsigned.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/gangway/aws/05-cert-selfsigned.yaml
    

    Replace <GANGWAY_SVC_LB_HOSTNAME> in 05-cert-selfsigned.yaml with the host name of the Gangway service load balancer.

  14. Create a self-signed certificate by applying 05-cert-selfsigned.yaml to the cluster.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/aws/05-cert-selfsigned.yaml
    
  15. Provide the CA for the Dex service running in the management cluster to the Gangway service running in the Tanzu Kubernetes cluster.

    1. Set the context of kubectl to the management cluster.
      kubectl config use-context my-management-cluster-admin@my-management-cluster 
      
    2. Get the CA from the management cluster.

       kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D > dex-ca.crt 

      NOTE: On Linux systems, replace base64 -D with base64 -d. On Mac OS, use -D.

    3. Set the context of kubectl back to the OIDC-enabled cluster.
      kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster 
      
    4. Create a ConfigMap file with the CA certificate.
      kubectl create cm dex-ca -n tanzu-system-auth --from-file=dex-ca.crt=dex-ca.crt
      
  16. Create the deployment.

    If you are deploying in an Internet-restricted environment, make sure that you have updated 06-deployment.yaml to replace vmware-docker-tkg.bintray.io with the address of your private Docker registry, for example custom-image-repository.io/yourproject.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/aws/06-deployment.yaml
    
  17. Open the ConfigMap for the Dex service that is running in the management cluster.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/dex/aws/oidc/04-cm.yaml
    
  18. Add a new entry for the OIDC-enabled cluster to the staticClients list.

     staticClients:
     - id: <WORKLOAD_CLUSTER_NAME>
       redirectURIs:
       - 'https://<GANGWAY_SVC_LB_HOSTNAME>/callback'
       name: '<WORKLOAD_CLUSTER_NAME>'
       secret: <clientSecret>
    

    Replace <WORKLOAD_CLUSTER_NAME>, <GANGWAY_SVC_LB_HOSTNAME> and <clientSecret> with the values that you used in the previous steps.

  19. Set the context of kubectl to the management cluster.
    kubectl config use-context my-management-cluster-admin@my-management-cluster 
    
  20. Apply the new configuration to the management cluster.
    kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/aws/oidc/04-cm.yaml 
    
  21. Get the ID of the Dex service pod that is running in the management cluster.
    kubectl get pods --namespace tanzu-system-auth
    
    NAME                   READY   STATUS    RESTARTS   AGE
    dex-6849555c67-bqmpd   1/1     Running   0          2d5h
    
  22. Bounce the Dex pod by deleting it. The Dex Deployment replaces it with a new pod that picks up the updated ConfigMap.

    kubectl delete pod dex-6849555c67-bqmpd --namespace tanzu-system-auth
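
    The following shell script is an added example; it is not part of the Tanzu Kubernetes Grid extensions, of Gangway, or of this documentation. It covers the secret handling in steps 8 to 11 and the matching Dex entry in step 18: it generates the sessionKey and clientSecret values, renders them base64-encoded the way a Kubernetes Secret's data: field expects, and prints the raw clientSecret. The raw value is the one to paste into the Dex staticClients entry, because Kubernetes decodes data: values before the Gangway pod reads them, so Dex must hold the decoded string for the two sides to agree. The Secret name gangway and the data: layout are assumptions; copy the metadata from 04-secret.example. The decode helper also handles the base64 -d versus -D difference noted in step 15.

```shell
#!/bin/sh
# Added example, not from the TKG documentation or the Gangway project.
# Generates the Gangway sessionKey and clientSecret, renders the Secret
# manifest with both values base64-encoded for its data: field, and prints
# the raw clientSecret that belongs in the Dex staticClients entry.
set -eu

# Portable base64 decode: GNU coreutils uses -d, older macOS base64 uses -D.
# Probe once with a known-good string instead of guessing the platform.
b64_decode() {
  if printf 'b2s=' | base64 -d >/dev/null 2>&1; then
    base64 -d
  else
    base64 -D
  fi
}

# Encode a value for a Secret data: field: one line, no trailing newline.
b64_encode() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# 32 random bytes, base64-encoded, as in the procedure's openssl commands;
# falls back to /dev/urandom where the openssl CLI is not installed.
new_random_value() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Render the Gangway Secret. The name "gangway" is an assumption; copy the
# metadata from 04-secret.example. Both values are base64 because they sit
# under data:; Kubernetes decodes them before the pod reads them.
render_gangway_secret() {
  session_key=$1
  client_secret=$2
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: gangway
  namespace: tanzu-system-auth
type: Opaque
data:
  sessionKey: $(b64_encode "$session_key")
  clientSecret: $(b64_encode "$client_secret")
EOF
}

# Round-trip check: the value Gangway receives after Kubernetes decodes the
# Secret must equal the raw value pasted into the Dex staticClients entry.
secret_roundtrip_ok() {
  raw=$1
  [ "$(b64_encode "$raw" | b64_decode)" = "$raw" ]
}

main() {
  session_key=$(new_random_value)
  client_secret=$(new_random_value)
  secret_roundtrip_ok "$client_secret"
  render_gangway_secret "$session_key" "$client_secret"
  echo "# Raw clientSecret for the Dex staticClients entry (do not base64 it again):"
  echo "# $client_secret"
}

main
```

    Redirect the script's output to 04-secret.yaml and apply it as in step 12; the two trailing comment lines are ignored by kubectl, and the raw value they carry is the one for the secret: key in step 18.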
    

What to Do Next

Dex and Gangway are now running on your management cluster and Tanzu Kubernetes cluster respectively. You can now use the credentials from your external identity provider (IDP) to connect to the cluster, as described in Access Clusters with Your IDP Credentials.