This procedure describes how to enable Gangway on OIDC-enabled clusters that you have deployed to vSphere.

Prerequisites

Procedure

  1. Set the context of kubectl to the OIDC-enabled cluster.

    kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster
    
  2. Edit the file tkg-extensions-v1.1.0/authentication/gangway/vsphere/02-config.yaml with information about your Tanzu Kubernetes Grid instance.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/gangway/vsphere/02-config.yaml
    
    • Replace all instances of <WORKLOAD_CLUSTER_NAME> with the name of the OIDC-enabled cluster.
    • Replace all instances of <MGMT_CLUSTER_IP> with the IP address of one of the control plane nodes of the management cluster.
    • Replace <WORKLOAD_CLUSTER_IP> with the IP address of the control plane node or nodes of workload cluster.
    • Replace <APISERVER_URL> with the IP of the Kubernetes API Server endpoint for the workload cluster. This is the address of the load balancer VM that is running in the cluster, that has a name similar to my-cluster-default-lb. This value can also be found in the .status.controlPlaneEndpoint field of the CAPI Cluster object in the management cluster.
  3. Apply the configuration to the OIDC-enabled cluster.
    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/vsphere/02-config.yaml
    
  4. Create an openssl client secret file from the provided example.

    cp tkg-extensions-v1.1.0/authentication/gangway/vsphere/03-secret.example tkg-extensions-v1.1.0/authentication/gangway/vsphere/03-secret.yaml
    
  5. Open 03-secret.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/gangway/vsphere/03-secret.yaml
    
  6. At the command line, use openssl to create a session key.

    The following command uses pbcopy to copy the output to your clipboard.

    openssl rand -base64 32 | pbcopy
    
  7. In 03-secret.yaml, update the sesssionKey value by pasting in the output of the previous command.
  8. Create a client secret.

    Run the following commands and copy the output of the echo command.

    clientSecret=$(openssl rand -base64 32)
    
    echo -n "$clientSecret" | base64
    
  9. In 03-secret.yaml, update the clientSecret value by pasting in the output of the previous command.
  10. Pass the secret to the cluster.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/vsphere/03-secret.yaml
    
  11. Open tkg-extensions-v1.1.0/authentication/gangway/vsphere/04-cert-selfsigned.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/gangway/vsphere/04-cert-selfsigned.yaml
    

    Replace <WORKLOAD_CLUSTER_IP1> and <WORKLOAD_CLUSTER_IP2> with the IP addresses of the control plane node VM or VMs. Remove the row for <WORKLOAD_CLUSTER_IP2> if your Tanzu Kubernetes cluster has a single node control plane. Add more rows if your control plane has more than two nodes.

  12. Create a self-signed certificate by applying 04-cert-selfsigned.yaml to the cluster.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/vsphere/04-cert-selfsigned.yaml
    
  13. Provide the CA for the Dex service running on management cluster to the Gangway service running in the Tanzu Kubernetes cluster.

    1. Set the context of kubectl to the management cluster.
      kubectl config use-context my-management-cluster-admin@my-management-cluster 
      
    2. Get the CA from the management cluster.

       kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D > dex-ca.crt 

      NOTE: On Linux systems, replace base64 -D with base64 -d.

    3. Set the context of kubectl back to the OIDC-enabled cluster.
      kubectl config use-context my-oidc-cluster-admin@my-oidc-cluster 
      
    4. Create a ConfigMap file with the CA certificate.
      kubectl create cm dex-ca -n tanzu-system-auth --from-file=dex-ca.crt=dex-ca.crt
      
  14. Create the deployment.

    If you are deploying in an Internet-restricted environment, make sure that you updated 05-deployment.yaml to replace vmware-docker-tkg.bintray.io with the address of your private Docker registry, for example custom-image-repository.io/yourproject.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/vsphere/05-deployment.yaml
    
  15. Create the Gangway service in the cluster.

    kubectl apply -f tkg-extensions-v1.1.0/authentication/gangway/vsphere/06-service.yaml
    
  16. Open the ConfigMap for the Dex service that is running in the management cluster.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/03-cm.yaml
    
  17. Add a new entry for the OIDC-enabled cluster to the staticClients list, to inform Dex that the Gangway application is a client of the Dex service.

    staticClients:
    - id: <Workload_cluster_name>
      redirectURIs:
        - 'https://<Workload_cluster_IP>:30166/callback'
      name: '<Workload_cluster_name>'
      secret: <clientSecret>
    

    Replace <WORKLOAD_CLUSTER_NAME> and <WORKLOAD_CLUSTER_IP> with the values that you used in the previous steps. In this step, the <clientSecret> value is the base64 decoded value of clientSecret from 03-secret.yaml.

  18. Set the context of kubectl to the management cluster.
    kubectl config use-context my-management-cluster-admin@my-management-cluster 
    
  19. Apply the new configuration to the management cluster.
    kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/03-cm.yaml 
    
  20. Get the ID of the Dex service pod that is running in the management cluster.
    kubectl get pods --namespace tanzu-system-auth
    
    NAME                   READY   STATUS    RESTARTS   AGE
    dex-6849555c67-bqmpd   1/1     Running   0          2d5h
    
  21. Bounce the Dex pod by deleting it.

    kubectl delete pod dex-6849555c67-bqmpd --namespace tanzu-system-auth
    

What to Do Next

Dex and Gangway are now running on your management cluster and Tanzu Kubernetes cluster respectively. You can now use your the credentials from your external identity provider (IDP) to connect to the cluster, as described in Access Clusters with Your IDP Credentials.

check-circle-line exclamation-circle-line close-line
Scroll to top icon