Merge branch 'main' into cli_username_password_env_vars
This commit is contained in:
commit
e30cf6e51a
@ -4,16 +4,21 @@ This is the current list of maintainers for the Pinniped project.
|
|||||||
|
|
||||||
| Maintainer | GitHub ID | Affiliation |
|
| Maintainer | GitHub ID | Affiliation |
|
||||||
| --------------- | --------- | ----------- |
|
| --------------- | --------- | ----------- |
|
||||||
| Andrew Keesler | [ankeesler](https://github.com/ankeesler) | [VMware](https://www.github.com/vmware/) |
|
|
||||||
| Margo Crawford | [margocrawf](https://github.com/margocrawf) | [VMware](https://www.github.com/vmware/) |
|
| Margo Crawford | [margocrawf](https://github.com/margocrawf) | [VMware](https://www.github.com/vmware/) |
|
||||||
| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) | [VMware](https://www.github.com/vmware/) |
|
| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) | [VMware](https://www.github.com/vmware/) |
|
||||||
| Mo Khan | [enj](https://github.com/enj) | [VMware](https://www.github.com/vmware/) |
|
| Mo Khan | [enj](https://github.com/enj) | [VMware](https://www.github.com/vmware/) |
|
||||||
| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) | [VMware](https://www.github.com/vmware/) |
|
| Anjali Telang | [anjaltelang](https://github.com/anjaltelang) | [VMware](https://www.github.com/vmware/) |
|
||||||
| Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) |
|
| Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) |
|
||||||
|
|
||||||
|
## Emeritus Maintainers
|
||||||
|
|
||||||
|
* Andrew Keesler, [ankeesler](https://github.com/ankeesler)
|
||||||
|
* Pablo Schuhmacher, [pabloschuhmacher](https://github.com/pabloschuhmacher)
|
||||||
|
|
||||||
## Pinniped Contributors & Stakeholders
|
## Pinniped Contributors & Stakeholders
|
||||||
|
|
||||||
| Feature Area | Lead |
|
| Feature Area | Lead |
|
||||||
| ----------------------------- | :---------------------: |
|
| ----------------------------- | :---------------------: |
|
||||||
| Technical Lead | Matt Moyer (mattmoyer) |
|
| Technical Lead | Matt Moyer (mattmoyer) |
|
||||||
| Product Management | Pablo Schuhmacher (pabloschuhmacher) |
|
| Product Management | Anjali Telang (anjaltelang) |
|
||||||
|
| Community Management | Nanci Lancaster (microwavables) |
|
||||||
|
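Review bot: the new Emeritus Maintainers entries are a bullet list while every other roster in this file (`| Maintainer | GitHub ID | Affiliation |`, `| Feature Area | Lead |`) is a table; keeping the table format would be more consistent. Also, since Andrew Keesler and Pablo Schuhmacher move from Maintainer to Emeritus in this hunk, the corresponding GitHub team and repository write permissions should be reviewed in the same change so that the documented roster matches who can actually approve and merge.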
@ -38,7 +38,7 @@ Theme|Description|Timeline|
|
|||||||
|--|--|--|
|
|--|--|--|
|
||||||
|Remote OIDC login support|Add support for logging in from remote hosts without web browsers in the Pinniped CLI and Supervisor|Jul 2021|
|
|Remote OIDC login support|Add support for logging in from remote hosts without web browsers in the Pinniped CLI and Supervisor|Jul 2021|
|
||||||
|AD Support|Extends upstream IDP protocols|Jul 2021|
|
|AD Support|Extends upstream IDP protocols|Jul 2021|
|
||||||
|Wider Concierge cluster support|Support for more cluster types in the Concierge|Jul 2021|
|
|Wider Concierge cluster support|Support for more cluster types in the Concierge|Aug 2021|
|
||||||
|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|Exploring/Ongoing|
|
|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|Exploring/Ongoing|
|
||||||
|Identity transforms|Support prefixing, filtering, or performing coarse-grained checks on upstream users and groups|Exploring/Ongoing|
|
|Identity transforms|Support prefixing, filtering, or performing coarse-grained checks on upstream users and groups|Exploring/Ongoing|
|
||||||
|Extended IDP support|Support more types of identity providers on the Supervisor|Exploring/Ongoing|
|
|Extended IDP support|Support more types of identity providers on the Supervisor|Exploring/Ongoing|
|
||||||
|
138
site/content/docs/howto/configure-supervisor-with-dex.md
Normal file
@ -0,0 +1,138 @@
|
|||||||
|
---
|
||||||
|
title: Configure the Pinniped Supervisor to use Dex with Github as an OIDC provider
|
||||||
|
description: Set up the Pinniped Supervisor to use Dex login.
|
||||||
|
cascade:
|
||||||
|
layout: docs
|
||||||
|
menu:
|
||||||
|
docs:
|
||||||
|
name: Configure Supervisor With Dex OIDC
|
||||||
|
weight: 80
|
||||||
|
parent: howtos
|
||||||
|
---
|
||||||
|
|
||||||
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
|
"upstream" identity provider to many "downstream" cluster clients.
|
||||||
|
|
||||||
|
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes
|
||||||
|
cluster using Dex and Github.
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
This how-to guide assumes that you have already [installed the Pinniped Supervisor]({{< ref "install-supervisor" >}}) with working ingress,
|
||||||
|
and that you have [configured a FederationDomain to issue tokens for your downstream clusters]({{< ref "configure-supervisor" >}}).
|
||||||
|
|
||||||
|
You'd also have to have an instance of Dex up and running, i.e. accessible at `https://<dex-dns-record>`. You can refer to the [Getting started with Dex](https://dexidp.io/docs/getting-started/) guidelines for more information on how to deploy it.
|
||||||
|
|
||||||
|
## Configure Dex to use Github as an external identity provider
|
||||||
|
|
||||||
|
Dex is an OIDC issuer that supports various identity providers through connectors, i.e. LDAP, Github, Gitlab, Google, SAML and much more. Take a look at its [documentation](https://dexidp.io/docs/connectors/) to understand how to configure such connector in Dex.
|
||||||
|
|
||||||
|
In this example, we'll show how to use Dex to identify users through their GitHub account.
|
||||||
|
|
||||||
|
First, we need to go to your Github account settings and [create an OAuth app](https://github.com/settings/applications/new) by populating the following rows -
|
||||||
|
|
||||||
|
- Application name - `Dex application`
|
||||||
|
- Homepage URL - `https://<dex-dns-record>`
|
||||||
|
- Authorization callback URL - `https://<dex-dns-record>/callback` // this is where Github will redirect you to once your app has authorized
|
||||||
|
|
||||||
|
Once completed, copy your `Client ID` and `Client secret` (generate one if there's none) as those two will be needed to configure a Github connector in Dex.
|
||||||
|
|
||||||
|
To setup one, edit the configuration used by Dex by adding the following -
|
||||||
|
|
||||||
|
```bash
|
||||||
|
...
|
||||||
|
connectors:
|
||||||
|
- type: github
|
||||||
|
id: github
|
||||||
|
name: GitHub
|
||||||
|
config:
|
||||||
|
clientID: $GITHUB_CLIENT_ID
|
||||||
|
clientSecret: $GITHUB_CLIENT_SECRET
|
||||||
|
redirectURI: https://<dex-dns-record>/callback
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
## Register an application in Dex
|
||||||
|
|
||||||
|
Follow the instructions for [registering an application in Dex](https://dexidp.io/docs/using-dex/#configuring-your-app) and create a static client application, in our case the client happens be the Supervisor. Note that the "openid" scope is always included, but you can always request additional scopes that you can then pass to your Kubernetes cluster, such as "groups" for example.
|
||||||
|
|
||||||
|
To create a static client application, edit the configuration used by Dex (can be a file or a ConfigMap) by adding the following -
|
||||||
|
|
||||||
|
```bash
|
||||||
|
...
|
||||||
|
staticClients:
|
||||||
|
- id: pinniped-supervisor
|
||||||
|
secret: pinniped-supervisor-secret
|
||||||
|
name: 'Pinniped Supervisor client'
|
||||||
|
redirectURIs:
|
||||||
|
- 'http://<pinniped-supervisor-dns-record>/callback'
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configure the Supervisor
|
||||||
|
|
||||||
|
Create an [OIDCIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#oidcidentityprovider) resource in the same namespace as the Supervisor.
|
||||||
|
|
||||||
|
For example, the following OIDCIdentityProvider and the corresponding Secret use Dex's `email` claim as the Kubernetes username:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
|
||||||
|
kind: OIDCIdentityProvider
|
||||||
|
metadata:
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
name: dex
|
||||||
|
spec:
|
||||||
|
# Specify the upstream issuer URL (no trailing slash).
|
||||||
|
issuer: https://<dex-dns-record>
|
||||||
|
|
||||||
|
# Request any scopes other than "openid" for claims besides
|
||||||
|
# the default claims in your token. The "openid" scope is always
|
||||||
|
# included.
|
||||||
|
authorizationConfig:
|
||||||
|
additionalScopes: [groups, email]
|
||||||
|
|
||||||
|
# Specify how Dex claims are mapped to Kubernetes identities.
|
||||||
|
claims:
|
||||||
|
# Specify the name of the claim in your Dex ID token that will be mapped
|
||||||
|
# to the "username" claim in downstream tokens minted by the Supervisor.
|
||||||
|
username: email
|
||||||
|
|
||||||
|
# Specify the name of the claim in your Dex ID token that represents the groups
|
||||||
|
# that the user belongs to. This matches what you specified above
|
||||||
|
# with the Groups claim filter.
|
||||||
|
# Note that the group claims from Github are in the format of "org:team".
|
||||||
|
# To query for the group scope, you should set the organization you want Dex to
|
||||||
|
# search against in its configuration, otherwise your group claim would be empty.
|
||||||
|
# An example config can be found at - https://dexidp.io/docs/connectors/github/#configuration
|
||||||
|
groups: groups
|
||||||
|
|
||||||
|
# Specify the name of the Kubernetes Secret that contains your Dex
|
||||||
|
# application's client credentials (created below).
|
||||||
|
client:
|
||||||
|
secretName: dex-client-credentials
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
name: dex-client-credentials
|
||||||
|
type: secrets.pinniped.dev/oidc-client
|
||||||
|
stringData:
|
||||||
|
# The "Client ID" that you set in Dex. For example, in our case this is "pinniped-supervisor"
|
||||||
|
clientID: "<your-client-id>"
|
||||||
|
|
||||||
|
# The "Client secret" that you set in Dex. For example, in our case this is "pinniped-supervisor-secret"
|
||||||
|
clientSecret: "<your-client-secret>"
|
||||||
|
```
|
||||||
|
|
||||||
|
Once your OIDCIdentityProvider resource has been created, you can validate your configuration by running:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl describe OIDCIdentityProvider -n pinniped-supervisor dex
|
||||||
|
```
|
||||||
|
|
||||||
|
Look at the `status` field. If it was configured correctly, you should see `phase: Ready`.
|
||||||
|
|
||||||
|
## Next steps
|
||||||
|
|
||||||
|
Now that you have configured the Supervisor to use Dex, you will want to [configure the Concierge to validate JWTs issued by the Supervisor]({{< ref "configure-concierge-supervisor-jwt" >}}).
|
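Review bot: the Supervisor's redirect URI in the static client block, `- 'http://<pinniped-supervisor-dns-record>/callback'`, uses plain `http://`, while the Dex connector block above uses `https://<dex-dns-record>/callback`; the authorization code is delivered on this redirect, so it should be `https://`, and since the Supervisor serves the callback under the FederationDomain issuer URL (issuer plus `/callback`), the hostname and any path component should match the FederationDomain configured in the Prerequisites. Smaller points in the same file: both Dex config fences are tagged `bash` but contain YAML, so `yaml` is the right tag; the example client secret `pinniped-supervisor-secret` (repeated in the Secret comments near the end) should be marked as a placeholder to be replaced with a randomly generated value; the OIDCIdentityProvider comment "This matches what you specified above with the Groups claim filter" refers to a step that does not exist in this guide, so it should be dropped or reworded to point at the Dex GitHub connector's org configuration that the next comment describes; the trailing `// this is where Github will redirect you to ...` on the callback URL bullet reads as a stray code comment inside prose; and "the client happens be the Supervisor" is missing "to".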
@ -2,13 +2,6 @@
|
|||||||
<div class="wrapper">
|
<div class="wrapper">
|
||||||
<h2>The Pinniped Project Team:</h2>
|
<h2>The Pinniped Project Team:</h2>
|
||||||
<div class="grid three">
|
<div class="grid three">
|
||||||
<div class="bio">
|
|
||||||
<div class="image"><img src="/img/andrew-keesler.png" /></div>
|
|
||||||
<div class="info">
|
|
||||||
<p class="name">Andrew Keesler</p>
|
|
||||||
<p class="position">Engineer</p>
|
|
||||||
</div>
|
|
||||||
</div>
|
|
||||||
<div class="bio">
|
<div class="bio">
|
||||||
<div class="image"><img src="/img/margo-crawford.png" /></div>
|
<div class="image"><img src="/img/margo-crawford.png" /></div>
|
||||||
<div class="info">
|
<div class="info">
|
||||||
@ -38,9 +31,9 @@
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="bio">
|
<div class="bio">
|
||||||
<div class="image"><img src="/img/pablo-schuhmacher.png" /></div>
|
<div class="image"><img src="/img/Anjali-Telang.png" /></div>
|
||||||
<div class="info">
|
<div class="info">
|
||||||
<p class="name">Pablo Schuhmacher</p>
|
<p class="name">Anjali Telang</p>
|
||||||
<p class="position">Product Manager</p>
|
<p class="position">Product Manager</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
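Review bot: the new image is referenced as `/img/Anjali-Telang.png` while the other team images use lowercase kebab-case (`/img/margo-crawford.png`, `/img/pablo-schuhmacher.png`); renaming to `anjali-telang.png` keeps the convention and avoids a broken image if the site is ever served from a case-sensitive filesystem where `src` and file name must match exactly.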
BIN
site/themes/pinniped/static/img/Anjali-Telang.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 28 KiB |
Binary file not shown.
Before Width: | Height: | Size: 28 KiB |
Binary file not shown.
Before Width: | Height: | Size: 30 KiB |
@ -54,6 +54,7 @@ spec:
|
|||||||
initContainers:
|
initContainers:
|
||||||
- name: generate-certs
|
- name: generate-certs
|
||||||
image: #@ data.values.cfssl_image
|
image: #@ data.values.cfssl_image
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
command: ["/bin/bash"]
|
command: ["/bin/bash"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
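Review bot: `imagePullPolicy: IfNotPresent` is only safe when the referenced tag is immutable; in the values hunk at the end of this commit `cfssl_image` becomes `ghcr.io/pinniped-ci-bot/test-cfssl:latest`, so a node that already has a cached `:latest` will keep running the old image after the tag moves and test runs can silently exercise stale components. Either keep the default pull policy for `:latest` images or, better, pin the image by digest so that `IfNotPresent` cannot pick up a different artifact. The same consideration applies to the identical `imagePullPolicy: IfNotPresent` additions in the save-certs, dex, ldap, proxy and accesslogs containers below.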
@ -111,6 +112,7 @@ spec:
|
|||||||
containers:
|
containers:
|
||||||
- name: save-certs
|
- name: save-certs
|
||||||
image: #@ data.values.kubectl_image
|
image: #@ data.values.kubectl_image
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
command: ["/bin/bash"]
|
command: ["/bin/bash"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
|
@ -69,6 +69,7 @@ spec:
|
|||||||
containers:
|
containers:
|
||||||
- name: dex
|
- name: dex
|
||||||
image: #@ data.values.dex_image
|
image: #@ data.values.dex_image
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
command:
|
command:
|
||||||
- /usr/local/bin/dex
|
- /usr/local/bin/dex
|
||||||
- serve
|
- serve
|
||||||
|
@ -210,6 +210,7 @@ spec:
|
|||||||
#! LDAP_SERVER_CONFIG_BEFORE_CUSTOM_LDIF_DIR and LDAP_SERVER_CONFIG_AFTER_CUSTOM_LDIF_DIR options.
|
#! LDAP_SERVER_CONFIG_BEFORE_CUSTOM_LDIF_DIR and LDAP_SERVER_CONFIG_AFTER_CUSTOM_LDIF_DIR options.
|
||||||
#! See https://github.com/pinniped-ci-bot/bitnami-docker-openldap/tree/pinniped
|
#! See https://github.com/pinniped-ci-bot/bitnami-docker-openldap/tree/pinniped
|
||||||
image: #@ data.values.ldap_image
|
image: #@ data.values.ldap_image
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
ports:
|
ports:
|
||||||
- name: ldap
|
- name: ldap
|
||||||
containerPort: 1389
|
containerPort: 1389
|
||||||
|
@ -26,6 +26,7 @@ spec:
|
|||||||
containers:
|
containers:
|
||||||
- name: proxy
|
- name: proxy
|
||||||
image: #@ data.values.proxy_image
|
image: #@ data.values.proxy_image
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: http
|
||||||
containerPort: 3128
|
containerPort: 3128
|
||||||
@ -48,6 +49,7 @@ spec:
|
|||||||
failureThreshold: 2
|
failureThreshold: 2
|
||||||
- name: accesslogs
|
- name: accesslogs
|
||||||
image: #@ data.values.proxy_image
|
image: #@ data.values.proxy_image
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
command:
|
command:
|
||||||
- "/bin/sh"
|
- "/bin/sh"
|
||||||
- "-c"
|
- "-c"
|
||||||
|
@ -27,8 +27,8 @@ pinny_bcrypt_passwd_hash:
|
|||||||
pinny_ldap_password:
|
pinny_ldap_password:
|
||||||
|
|
||||||
#! Images for each of the deployed test components.
|
#! Images for each of the deployed test components.
|
||||||
dex_image: ghcr.io/dexidp/dex:v2.27.0
|
dex_image: ghcr.io/pinniped-ci-bot/test-dex:latest
|
||||||
ldap_image: projects.registry.vmware.com/pinniped/test-ldap:latest
|
ldap_image: ghcr.io/pinniped-ci-bot/test-ldap:latest
|
||||||
proxy_image: projects.registry.vmware.com/pinniped/test-forward-proxy:latest
|
proxy_image: ghcr.io/pinniped-ci-bot/test-forward-proxy:latest
|
||||||
cfssl_image: cfssl/cfssl:1.5.0
|
cfssl_image: ghcr.io/pinniped-ci-bot/test-cfssl:latest
|
||||||
kubectl_image: bitnami/kubectl:latest
|
kubectl_image: ghcr.io/pinniped-ci-bot/test-kubectl:latest
|
||||||
|
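Review bot: this hunk replaces pinned upstream images (`ghcr.io/dexidp/dex:v2.27.0`, `cfssl/cfssl:1.5.0`) with floating `:latest` tags under a single `ghcr.io/pinniped-ci-bot` namespace, which removes reproducibility of the test environment and makes every run trust whatever was most recently pushed there; together with the `imagePullPolicy: IfNotPresent` added in the deployment hunks above, different nodes may also end up running different versions of the same component. Consider pinning each image to an immutable tag or a digest (`<image>@sha256:<digest>`) and documenting who holds push access to the `pinniped-ci-bot` packages.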