2020-12-18 00:08:51 +00:00
---
2021-02-22 23:52:23 +00:00
title: Learn to use the Pinniped Supervisor alongside the Concierge
description: See how the Pinniped Supervisor streamlines login to multiple Kubernetes clusters.
2020-12-18 00:08:51 +00:00
cascade:
layout: docs
2021-02-17 23:02:57 +00:00
menu:
docs:
name: Concierge with Supervisor
2021-02-22 23:52:23 +00:00
parent: tutorials
2020-12-18 00:08:51 +00:00
---
## Prerequisites
2021-03-16 18:00:31 +00:00
1. A Kubernetes cluster of a type supported by Pinniped Concierge as described in [architecture ](/docs/background/architecture ).
2021-01-04 20:31:53 +00:00
Don't have a cluster handy? Consider using [kind ](https://kind.sigs.k8s.io/ ) on your local machine.
See below for an example of using kind.
2021-02-22 23:52:23 +00:00
1. A Kubernetes cluster of a type supported by Pinniped Supervisor (this can be the same cluster as the first, or different).
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
1. A kubeconfig that has administrator-like privileges on each cluster.
2021-01-04 20:31:53 +00:00
1. An external OIDC identity provider to use as the source of identity for Pinniped.
2020-12-18 00:08:51 +00:00
## Overview
2021-02-22 23:52:23 +00:00
Installing and trying Pinniped on any cluster consists of the following general steps. See the next section below
2021-01-05 00:23:24 +00:00
for a more specific example, including the commands to use for that case.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
1. [Install the Supervisor ]({{< ref "../howto/install-supervisor" >}} ).
2021-01-04 20:31:53 +00:00
1. Create a
2021-01-08 23:21:23 +00:00
[`FederationDomain` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain )
2021-01-04 20:31:53 +00:00
via the installed Pinniped Supervisor.
2021-01-05 00:23:24 +00:00
1. Create an
2021-01-08 23:21:23 +00:00
[`OIDCIdentityProvider` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityprovider )
2021-01-05 00:23:24 +00:00
via the installed Pinniped Supervisor.
2021-01-04 20:31:53 +00:00
1. Install the Pinniped Concierge. See [deploy/concierge/README.md ](https://github.com/vmware-tanzu/pinniped/blob/main/deploy/concierge/README.md ).
1. Create a
2021-01-08 23:21:23 +00:00
[`JWTAuthenticator` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator )
2021-01-04 20:31:53 +00:00
via the installed Pinniped Concierge.
2021-02-22 23:52:23 +00:00
1. [Install the Pinniped command-line tool ]({{< ref "../howto/install-cli" >}} ).
1. Generate a kubeconfig using the Pinniped command-line tool. Run `pinniped get kubeconfig --help` for more information.
1. Run `kubectl` commands using the generated kubeconfig. The Pinniped Supervisor and Concierge are automatically used for authentication during those commands.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
## Example of deploying on multiple kind clusters
2021-01-04 20:31:53 +00:00
[kind ](https://kind.sigs.k8s.io ) is a tool for creating and managing Kubernetes clusters on your local machine
2021-02-22 23:52:23 +00:00
which uses Docker containers as the cluster's nodes. This is a convenient way to try out Pinniped on local
2021-01-05 00:23:24 +00:00
non-production clusters.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
The following steps deploy the latest release of Pinniped on kind. They deploy the Pinniped
2021-01-04 20:31:53 +00:00
Supervisor on one cluster, and the Pinniped Concierge on another cluster. A multi-cluster deployment
2021-02-22 23:52:23 +00:00
strategy is typical for Pinniped. The Pinniped Concierge uses a
2021-01-08 23:21:23 +00:00
[`JWTAuthenticator` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator )
2021-01-05 00:23:24 +00:00
to authenticate federated identities from the Supervisor.
2021-01-04 20:31:53 +00:00
1. Install the tools required for the following steps.
2021-02-22 23:52:23 +00:00
- [Install kind ](https://kind.sigs.k8s.io/docs/user/quick-start/ ), if not already installed. For example, `brew install kind` on macOS.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
- kind depends on Docker. If not already installed, [install Docker ](https://docs.docker.com/get-docker/ ), for example `brew cask install docker` on macOS.
2021-01-04 20:31:53 +00:00
- This demo requires `kubectl` , which comes with Docker, or can be [installed separately ](https://kubernetes.io/docs/tasks/tools/install-kubectl/ ).
2021-02-22 23:52:23 +00:00
- This demo requires `openssl` , which is installed on macOS by default, or can be [installed separately ](https://www.openssl.org/ ).
2021-01-04 20:31:53 +00:00
1. Create a new Kubernetes cluster for the Pinniped Supervisor using `kind create cluster --name pinniped-supervisor` .
1. Create a new Kubernetes cluster for the Pinniped Concierge using `kind create cluster --name pinniped-concierge` .
1. Deploy the Pinniped Supervisor with a valid serving certificate and network path. See
[deploy/supervisor/README.md ](https://github.com/vmware-tanzu/pinniped/blob/main/deploy/supervisor/README.md ).
2021-02-22 23:52:23 +00:00
For purposes of this demo, the following issuer is used. This issuer is specific to DNS and
TLS infrastructure set up for this demo:
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
issuer=https://my-supervisor.demo.pinniped.dev
```
This demo uses a `Secret` named `my-federation-domain-tls` to provide the serving certificate for
the
2021-01-08 23:21:23 +00:00
[`FederationDomain` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain ). The
2021-01-05 00:23:24 +00:00
serving certificate `Secret` must be of type `kubernetes.io/tls` .
The CA bundle for this serving
2021-01-04 20:31:53 +00:00
certificate is assumed to be written, base64-encoded, to a file named
`/tmp/pinniped-supervisor-ca-bundle-base64-encoded.pem` .
1. Create a
2021-01-08 23:21:23 +00:00
[`FederationDomain` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-federationdomain )
2021-01-04 20:31:53 +00:00
object to configure the Pinniped Supervisor to issue federated identities.
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
cat < < EOF | kubectl create --context kind-pinniped-supervisor --namespace pinniped-supervisor -f -
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
name: my-federation-domain
spec:
issuer: $issuer
tls:
secretName: my-federation-domain-tls
EOF
```
1. Create a `Secret` with the external OIDC identity provider OAuth 2.0 client credentials named
`my-oidc-identity-provider-client` in the pinniped-supervisor namespace.
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
kubectl create secret generic my-oidc-identity-provider-client \
--context kind-pinniped-supervisor \
2021-01-05 00:23:24 +00:00
--namespace pinniped-supervisor \
2021-01-04 20:31:53 +00:00
--type secrets.pinniped.dev/oidc-client \
--from-literal=clientID=xxx \
--from-literal=clientSecret=yyy
```
1. Create an
2021-01-08 23:21:23 +00:00
[`OIDCIdentityProvider` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityprovider )
2021-01-04 20:31:53 +00:00
object to configure the Pinniped Supervisor to federate identities from an upstream OIDC identity
provider.
2021-01-05 00:23:24 +00:00
Replace the `issuer` with your external identity provider's issuer and
adjust any other configuration on the spec.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
cat < < EOF | kubectl create --context kind-pinniped-supervisor --namespace pinniped-supervisor -f -
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
name: my-oidc-identity-provider
spec:
2021-01-05 00:23:24 +00:00
issuer: https://dev-zzz.okta.com/oauth2/default
2021-01-04 20:31:53 +00:00
claims:
username: email
2021-01-05 00:23:24 +00:00
authorizationConfig:
additionalScopes: ['email']
2021-01-04 20:31:53 +00:00
client:
secretName: my-oidc-identity-provider-client
EOF
```
1. Deploy the Pinniped Concierge.
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
kubectl apply \
--context kind-pinniped-concierge \
2021-01-28 15:24:11 +00:00
-f https://get.pinniped.dev/latest/install-pinniped-concierge.yaml
2021-01-04 20:31:53 +00:00
```
The `install-pinniped-concierge.yaml` file includes the default deployment options.
2021-02-22 23:52:23 +00:00
If you would prefer to customize the available options, please see the [Concierge installation guide ]({{< ref "../howto/install-concierge" >}} )
2021-01-04 20:31:53 +00:00
for instructions on how to deploy using `ytt` .
1. Generate a random audience value for this cluster.
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
audience="$(openssl rand -hex 8)"
```
1. Create a
2021-01-08 23:21:23 +00:00
[`JWTAuthenticator` ](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticator )
2021-01-04 20:31:53 +00:00
object to configure the Pinniped Concierge to authenticate using the Pinniped Supervisor.
2021-02-22 23:52:23 +00:00
```sh
2021-02-09 18:59:32 +00:00
cat < < EOF | kubectl create --context kind-pinniped-concierge -f -
2021-01-04 20:31:53 +00:00
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
name: my-jwt-authenticator
spec:
issuer: $issuer
audience: $audience
tls:
certificateAuthorityData: $(cat /tmp/pinniped-supervisor-ca-bundle-base64-encoded.pem)
EOF
```
2021-02-22 23:52:23 +00:00
1. Download the latest version of the Pinniped command-line tool for your platform.
On macOS or Linux, you can do this using Homebrew:
```sh
brew install vmware-tanzu/pinniped/pinniped-cli
```
On other platforms, see the [command-line installation guide ]({{< ref "../howto/install-cli" >}} ) for more details.
2021-01-04 20:31:53 +00:00
2021-01-05 00:23:24 +00:00
1. Generate a kubeconfig for the current cluster.
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
pinniped get kubeconfig \
2021-01-05 00:23:24 +00:00
--kubeconfig-context kind-pinniped-concierge \
2021-01-04 20:31:53 +00:00
> /tmp/pinniped-kubeconfig
```
2021-02-22 23:52:23 +00:00
1. Try using the generated kubeconfig to issue arbitrary `kubectl` commands. The `pinniped` command-line tool
opens a browser page that can be used to login to the external OIDC identity provider configured earlier.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
```sh
2021-01-05 00:23:24 +00:00
kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped-concierge
2021-01-04 20:31:53 +00:00
```
2021-01-05 00:23:24 +00:00
Because this user has no RBAC permissions on this cluster, the previous command results in an
2021-01-08 23:21:23 +00:00
error that is similar to
2021-01-05 00:23:24 +00:00
`Error from server (Forbidden): pods is forbidden: User "pinny" cannot list resource "pods"
in API group "" in the namespace "pinniped"`, where `pinny` is the username that was used to login
2021-01-04 20:31:53 +00:00
to the upstream OIDC identity provider. However, this does prove that you are authenticated and
2021-01-05 00:23:24 +00:00
acting as the `pinny` user.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
1. As the administrator user, create RBAC rules for the test user to give them permissions to perform actions on the cluster.
2021-01-04 20:31:53 +00:00
For example, grant the test user permission to view all cluster resources.
2021-02-22 23:52:23 +00:00
```sh
2021-01-05 00:23:24 +00:00
kubectl --context kind-pinniped-concierge create clusterrolebinding pinny-can-read --clusterrole view --user pinny
2021-01-04 20:31:53 +00:00
```
2021-01-05 00:23:24 +00:00
1. Use the generated kubeconfig to issue arbitrary `kubectl` commands as the `pinny` user.
2021-01-04 20:31:53 +00:00
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped-concierge
```
The user has permission to list pods, so the command succeeds this time.
2021-02-22 23:52:23 +00:00
Pinniped has provided authentication into the cluster for your `kubectl` command. 🎉
2021-01-04 20:31:53 +00:00
2021-01-05 00:23:24 +00:00
1. Carry on issuing as many `kubectl` commands as you'd like as the `pinny` user.
2021-02-22 23:52:23 +00:00
Each invocation uses Pinniped for authentication.
2021-01-04 20:31:53 +00:00
You may find it convenient to set the `KUBECONFIG` environment variable rather than passing `--kubeconfig` to each invocation.
2021-02-22 23:52:23 +00:00
```sh
2021-01-04 20:31:53 +00:00
export KUBECONFIG=/tmp/pinniped-kubeconfig
kubectl get namespaces
kubectl get pods -A
```