Let’s first understand a bit about the authentication component that is shipped with TKGm for authentication purpose. It’s Pinniped and it’s an opensource project.
Pinniped mainly have two components:
Pinniped Supervisor: The Pinniped Supervisor is an OIDC server which allows users to authenticate with an external identity provider (IDP), and then issues its own federation ID tokens to be passed on to clusters based on the user information from the IDP
Pinniped Concierge: The Pinniped Concierge is a credential exchange API which takes as input a credential from an identity source (e.g., Pinniped Supervisor, proprietary IDP), authenticates the user via that credential, and returns another credential which is understood by the host Kubernetes cluster or by an impersonation proxy which acts on behalf of the user.
Now, we will understand the requirement to integrate Azure OIDC endpoint with TKGm.
- Create an App on Azure AD and Configure secrets
- Click Azure Active Directory -> App registration
- Click + New registration and enter any name. Do not provide any redirect URL for now and click on Register.
- Once app registration is completed, Click on the newly created app
- Click Certificates & Secrets from left navigation pane
- Click + New client secret and create the one. Ensure that you keep the secret value handy as it won’t be shown again. So, keep that safely.
Change you need to make in the management cluster deployment configuration file:-
IDENTITY_MANAGEMENT_TYPE: oidc OIDC_IDENTITY_PROVIDER_CLIENT_ID: <Put this from an overview page of the app you created earlier> OIDC_IDENTITY_PROVIDER_CLIENT_SECRET: <secret you kept safely from previous steps> OIDC_IDENTITY_PROVIDER_GROUPS_CLAIM: groups OIDC_IDENTITY_PROVIDER_ISSUER_URL: https://login.microsoftonline.com/<tenant-id from an overview page of the app you created>/v2.0 OIDC_IDENTITY_PROVIDER_NAME: "" OIDC_IDENTITY_PROVIDER_SCOPES: email,profile OIDC_IDENTITY_PROVIDER_USERNAME_CLAIM: email
- If you are deploying a management cluster using UI, you can fill up the parameter based on above guidance.
- Issuer URL, do not copy the full URL what you see after clicking the Endpoints option underly newly created app.
- Groups_Claim: If you have not configured groups claim under Token configuration as shown the screenshot below, leave it blank. E.g. in my case, I created the one.
- Creating a group claim can be really good if you want to create a TKG cluster role binding based on Azure Groups.
Once your management cluster is deployed successfully, Run the below command to get the External IP address.
$ kubectl get svc -n pinniped-supervisor
Note down the external IP address from above command.
Now, go back on Azure portal and then under Azure AD -> App registration -> app (app you created will be shown under owned applications), Click Redirect URIs.
Add the URL. Update IP address that you got in above step.
- Export the non admin config file for management cluster
$ tanzu management-cluster kubeconfig get --export-file /tmp/kubeconfig
- Now, try to list the pods
$ kubectl get po –kubeconfig /tmp/kubeconfig
You will see the link to visit and get the authorization code. Note: This you will only see from TKG 1.5 onwards, prior to tkg 1.5, you will only see the URL.
- You may be asked to allow the permission. That is just once.
After accepting the permission, you will be shown a page something like below.
- Copy the authorization code and paste on the console as shown below
- As you can see, authentication is now successful. If you are following this for TKG 1.4.x , then you need to copy the url instead of code (as code wont be shown) and then run the curl -L ‘url copied’ and run on another ssh terminal.
- Now you can create a role binding and assign the required roles to the user and access the resources.