Minor cleanups on the new Supervisor+Okta docs page.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2021-05-24 10:29:43 -05:00
parent 36168122cc
commit 1ab1d41735
GPG Key ID: EAE88AD172C5AE2D


@ -19,27 +19,27 @@ cluster using their Okta credentials.
This how-to guide assumes that you have already [installed the Pinniped Supervisor]({{< ref "install-supervisor" >}}) with working ingress, This how-to guide assumes that you have already [installed the Pinniped Supervisor]({{< ref "install-supervisor" >}}) with working ingress,
and that you have [configured a `FederationDomain` to issue tokens for your downstream clusters]({{< ref "configure-supervisor" >}}). and that you have [configured a `FederationDomain` to issue tokens for your downstream clusters]({{< ref "configure-supervisor" >}}).
## Configure your Okta Application ## Create an Okta Application
Follow the instructions for [setting up an application using authcode flow](https://developer.okta.com/docs/guides/implement-auth-code/setup-app/) and create an application. Follow the instructions for [setting up an app using authcode flow](https://developer.okta.com/docs/guides/implement-auth-code/setup-app/) and create an app.
Optionally follow the instructions for [customizing tokens returned from Okta with a groups claim](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/overview/) Optionally follow the instructions for [customizing tokens returned from Okta with a groups claim](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/overview/)
if you want to pass users' Okta group information through to your Kubernetes clusters. if you want to pass users' Okta group information through to your Kubernetes clusters.
For example, to create an application: For example, to create an app:
1. In the Okta admin console, navigate to _Applications_ > _Applications_. 1. In the Okta Admin Console, navigate to _Applications_ > _Applications_.
1. Create a new application: 1. Create a new app:
1. Click `Create a new app integration`. 1. Click `Create App Integration`.
1. For `Sign-on method`, select OIDC. 1. For `Sign-on method`, select `OIDC`.
1. For `Application type`, select `Web Application`, then click next. 1. For `Application type`, app `Web Application`, then click next.
1. Enter a name for your application, such as "My Kubernetes Clusters". 1. Enter a name for your app, such as "My Kubernetes Clusters".
1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`. 1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`.
1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration. 1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration.
1. Save the application and make note of the _Client ID_ and _Client Secret_. 1. Save the app and make note of the _Client ID_ and _Client secret_.
1. Navigate to the _Sign On tab_ > _OpenID Connect ID Token_ and click edit. Fill in the Groups claim filter. 1. Navigate to the _Sign On_ tab > _OpenID Connect ID Token_ and click `Edit`. Fill in the Groups claim filter.
For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*". For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*".
## Configure the Supervisor cluster ## Configure the Supervisor
Create an [OIDCIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#oidcidentityprovider) in the same namespace as the Supervisor. Create an [OIDCIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#oidcidentityprovider) in the same namespace as the Supervisor.
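Review bot: the "application" to "app" rename in this hunk has clobbered a verb on the `Application type` step: the new text reads "For `Application type`, app `Web Application`, then click next." where the old text had "select `Web Application`". It should read "For `Application type`, select `Web Application`, then click `Next`." (backticking `Next` also matches the `Edit` and `Create App Integration` style used elsewhere in the hunk). Separately, the sign-in redirect URI step is the one a reader is most likely to get wrong, since it has to match `spec.issuer` plus `/callback` exactly; a one-line example value next to that step would save readers a failed login round-trip.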
@ -53,7 +53,7 @@ metadata:
name: okta name: okta
spec: spec:
# Specify the upstream issuer URL. # Specify the upstream issuer URL (no trailing slash).
issuer: https://my-company.okta.com issuer: https://my-company.okta.com
# Request any scopes other than "openid" for claims besides # Request any scopes other than "openid" for claims besides
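Review bot: the added "(no trailing slash)" is a useful guard, but the comment does not say why, and a reader may assume it is cosmetic. Suggest extending it to something like "# Specify the upstream issuer URL (no trailing slash; it must exactly match the issuer Okta advertises in its discovery document)." so the reader understands the value is compared verbatim rather than normalised.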
@ -63,7 +63,8 @@ spec:
# To learn more about how to customize the claims returned, see here: # To learn more about how to customize the claims returned, see here:
# https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/ # https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/
authorizationConfig: authorizationConfig:
additionalScopes: [ groups email ] additionalScopes: [groups, email]
# Specify how Okta claims are mapped to Kubernetes identities. # Specify how Okta claims are mapped to Kubernetes identities.
claims: claims:
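Review bot: good catch on `additionalScopes: [ groups email ]`; as written the old value was a YAML flow sequence with one element, the string "groups email", so neither scope would have been requested. Since the `groups` scope only yields anything when the optional Groups claim filter from the "Create an Okta Application" section was configured, consider adding a comment above `additionalScopes` saying that `groups` can be dropped if that step was skipped.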
@ -92,7 +93,7 @@ stringData:
# The "Client ID" that you got from Okta. # The "Client ID" that you got from Okta.
clientID: "<your-client-id>" clientID: "<your-client-id>"
# The "Client Secret" that you got from Okta. # The "Client secret" that you got from Okta.
clientSecret: "<your-client-secret>" clientSecret: "<your-client-secret>"
``` ```
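Review bot: the comment casing now matches the _Client secret_ label used in the "Save the app" step above, so the two places a reader has to cross-reference agree. No further change needed in this hunk; the `clientID` and `clientSecret` placeholders are unchanged and still clearly marked as values to fill in.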
@ -104,6 +105,6 @@ kubectl describe OIDCIdentityProvider -n pinniped-supervisor okta
Look at the `status` field. If it was configured correctly, you should see `phase: Ready`. Look at the `status` field. If it was configured correctly, you should see `phase: Ready`.
## Next Steps ## Next steps
Now that you have configured the Supervisor to use Okta, you may want to [configure the Concierge to validate JWTs issued by the Supervisor]({{< ref "configure-concierge-jwt" >}}). Now that you have configured the Supervisor to use Okta, you may want to [configure the Concierge to validate JWTs issued by the Supervisor]({{< ref "configure-concierge-jwt" >}}).
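Review bot: "Next Steps" to "Next steps" brings this heading into sentence case, but the first hunk in the same change renames a heading to "Create an Okta Application" with a capital A, so the page now mixes the two styles. Suggest "Create an Okta application" there for consistency with "Configure the Supervisor" and "Next steps".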