Documentation

Step 1: Configure an Identity Management Provider in the Cluster

The first step is to configure an OIDC provider ( VMware Cloud Service Portal (CSP) login in this example) in the VMware Tanzu™ Kubernetes Grid™ (TKG) cluster and configure Pinniped to trust this provider for authenticating Kubernetes API calls.

Step 1.1: Configure an OIDC Provider

TKG comes with Pinniped installed by default; you only need to configure an OIDC provider and then make Pinniped trust that OIDC provider. The OIDC provider is responsible for authenticating users in the TKG cluster and the Kubeapps dashboard. The steps below use the VMware Cloud Services Platform (CSP) as an example; however, a similar process applies to any other OIDC-compliant provider, including Google Cloud, Azure Active Directory, Dex, Okta, and others.

NOTE: You need a recent version of Kubeapps (2.3.3 onwards), otherwise, you would need to install an additional Pinniped (version 0.6.0 onwards).

NOTE: If your cluster is already attached to VMware Tanzu™ Mission Control™ (TMC) an additional Pinniped version is automatically installed in another namespace. However, this guide will always use the Pinniped version installed by TKG (not by TMC).

Create an OAuth2 Application

Begin by creating an OAuth2 application to retrieve the information required by Pinniped and, later on, Kubeapps. Follow the steps below:

NOTE: You must have Developer access in the organization to perform these steps. Also, note that if the organization is restricted, only users belonging to this organization will be able to log in.

  1. Navigate to the CSP Console at https://console.cloud.vmware.com .

  2. Click the drop-down menu in the top-right corner.

  3. Under the Organization settings, click View Organization.

    View organization

  4. Click the OAuth Apps tab.

    OAuth Apps tab

  5. Select Web app and click the Continue button.

    OAuth Apps tab

  6. Enter a name and description for the OAuth app. For the moment, enter the value https://localhost/oauth2/callback in the Redirect URIs field (this will be updated after Kubeapps is installed).

    Add name and description

  7. Leave the rest of the options at their default values.

  8. Tick the OpenID checkbox and click the Create button.

    OpenID and create

The CSP Console displays a success screen with an auto-generated application ID and secret. Click the Download JSON link to download these values.

Retrieve app id and secret

NOTE: Store this file carefully as it contains important credentials which will be needed when configuring Pinniped and Kubeapps.

TIP: Any OIDC-compliant provider should expose a .well-known/openid-configuration ( example ) endpoint where you can find other useful and required information. This endpoint allows using the base URL to discover the rest of the URLs (authorization, token, end session, jwks and issuer) automatically. For CSP, the endpoint is https://console.cloud.vmware.com/csp/gateway/am/api.

At this point, an OAuth2 application is configured.

Configure Pinniped to Trust the OIDC Provider

Once the OIDC provider has been fully configured, the next step is to configure Pinniped to trust this provider. This implies that a successful authentication with the OIDC provider results in authentication with the TKG cluster.

Since Pinniped manages this process, the only requirement is to a JWTAuthenticator CustomResource in the cluster. To do so, follow the steps below:

  1. Create a file named kubeapps-jwt-authenticator.yaml with the following content. Replace the placeholders as follows:
  • Replace the OIDC-ISSUER-URL with the issuer URL of the OIDC provider. For CSP it is https://gaz.csp-vidm-prod.com.
  • Replace CLIENT-ID with the application ID obtained from the JSON file in the previous step.
---
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
  name: kubeapps-jwt-authenticator
  namespace: pinniped-concierge
spec:
  issuer: OIDC-ISSUER-URL
  audience: CLIENT-ID
  claims:
    username: email
    groups: groups
#   tls:
#     certificateAuthorityData: LS0t... # optional base64 CA data if using a self-signed certificate

The name field specifies the name of the JWTAuthenticator resource, which will be required in the next step.

NOTE: Ignore the tls section of the configuration shown above unless the OIDC uses a self-signed certificate. If it does, follow these additional steps .

NOTE: Just if you are using the Pinniped version provided by TMC (instead of the one already provided by TKG), the line namespace: pinniped-concierge must be removed.

  1. Install the JWTAuthenticator resource in your cluster:
kubectl apply -f kubeapps-jwt-authenticator.yaml

TIP: When using more than one workload cluster, apply this JWTAuthenticator resource in every cluster.

At the end of this step, an identity management provider has been configured in the cluster. The next step is to install Kubeapps .

Getting started

Discover how to deploy Kubeapps in your cluster, add some package repositories and start managing your applications!