Minor cleanups on the new Supervisor+Okta docs page.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
36168122cc
commit
1ab1d41735
@ -19,27 +19,27 @@ cluster using their Okta credentials.
|
||||
This how-to guide assumes that you have already [installed the Pinniped Supervisor]({{< ref "install-supervisor" >}}) with working ingress,
|
||||
and that you have [configured a `FederationDomain` to issue tokens for your downstream clusters]({{< ref "configure-supervisor" >}}).
|
||||
|
||||
## Configure your Okta Application
|
||||
## Create an Okta Application
|
||||
|
||||
Follow the instructions for [setting up an application using authcode flow](https://developer.okta.com/docs/guides/implement-auth-code/setup-app/) and create an application.
|
||||
Follow the instructions for [setting up an app using authcode flow](https://developer.okta.com/docs/guides/implement-auth-code/setup-app/) and create an app.
|
||||
Optionally follow the instructions for [customizing tokens returned from Okta with a groups claim](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/overview/)
|
||||
if you want to pass users' Okta group information through to your Kubernetes clusters.
|
||||
|
||||
For example, to create an application:
|
||||
For example, to create an app:
|
||||
|
||||
1. In the Okta admin console, navigate to _Applications_ > _Applications_.
|
||||
1. Create a new application:
|
||||
1. Click `Create a new app integration`.
|
||||
1. For `Sign-on method`, select OIDC.
|
||||
1. For `Application type`, select `Web Application`, then click next.
|
||||
1. Enter a name for your application, such as "My Kubernetes Clusters".
|
||||
1. In the Okta Admin Console, navigate to _Applications_ > _Applications_.
|
||||
1. Create a new app:
|
||||
1. Click `Create App Integration`.
|
||||
1. For `Sign-on method`, select `OIDC`.
|
||||
1. For `Application type`, app `Web Application`, then click next.
|
||||
1. Enter a name for your app, such as "My Kubernetes Clusters".
|
||||
1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`.
|
||||
1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration.
|
||||
1. Save the application and make note of the _Client ID_ and _Client Secret_.
|
||||
1. Navigate to the _Sign On tab_ > _OpenID Connect ID Token_ and click edit. Fill in the Groups claim filter.
|
||||
1. Save the app and make note of the _Client ID_ and _Client secret_.
|
||||
1. Navigate to the _Sign On_ tab > _OpenID Connect ID Token_ and click `Edit`. Fill in the Groups claim filter.
|
||||
For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*".
|
||||
|
||||
## Configure the Supervisor cluster
|
||||
## Configure the Supervisor
|
||||
|
||||
Create an [OIDCIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#oidcidentityprovider) in the same namespace as the Supervisor.
|
||||
|
||||
@ -53,7 +53,7 @@ metadata:
|
||||
name: okta
|
||||
spec:
|
||||
|
||||
# Specify the upstream issuer URL.
|
||||
# Specify the upstream issuer URL (no trailing slash).
|
||||
issuer: https://my-company.okta.com
|
||||
|
||||
# Request any scopes other than "openid" for claims besides
|
||||
@ -63,7 +63,8 @@ spec:
|
||||
# To learn more about how to customize the claims returned, see here:
|
||||
# https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/
|
||||
authorizationConfig:
|
||||
additionalScopes: [ groups email ]
|
||||
additionalScopes: [groups, email]
|
||||
|
||||
# Specify how Okta claims are mapped to Kubernetes identities.
|
||||
claims:
|
||||
|
||||
@ -92,7 +93,7 @@ stringData:
|
||||
# The "Client ID" that you got from Okta.
|
||||
clientID: "<your-client-id>"
|
||||
|
||||
# The "Client Secret" that you got from Okta.
|
||||
# The "Client secret" that you got from Okta.
|
||||
clientSecret: "<your-client-secret>"
|
||||
```
|
||||
|
||||
@ -104,6 +105,6 @@ kubectl describe OIDCIdentityProvider -n pinniped-supervisor okta
|
||||
|
||||
Look at the `status` field. If it was configured correctly, you should see `phase: Ready`.
|
||||
|
||||
## Next Steps
|
||||
## Next steps
|
||||
|
||||
Now that you have configured the Supervisor to use Okta, you may want to [configure the Concierge to validate JWTs issued by the Supervisor]({{< ref "configure-concierge-jwt" >}}).
|
||||
|
Loading…
Reference in New Issue
Block a user