a5c481cf61
- Note that Azure AD is being rebranded to Entra ID
75 lines
3.4 KiB
Markdown
75 lines
3.4 KiB
Markdown
---
|
|
title: Configure the Pinniped Concierge to validate JWT tokens issued by the Pinniped Supervisor
|
|
description: Set up JSON Web Token (JWT) based token authentication on an individual Kubernetes cluster using the Pinniped Supervisor as the OIDC provider.
|
|
cascade:
|
|
layout: docs
|
|
menu:
|
|
docs:
|
|
name: With Supervisor
|
|
weight: 40
|
|
parent: howto-configure-concierge
|
|
aliases:
|
|
- /docs/howto/configure-concierge-supervisor-jwt/
|
|
---
|
|
The Concierge can validate [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519), which are commonly issued by [OpenID Connect (OIDC)](https://openid.net/connect/) identity providers.
|
|
|
|
This guide shows you how to use this capability in conjunction with the Pinniped Supervisor.
|
|
Each FederationDomain defined in a Pinniped Supervisor acts as an OIDC issuer.
|
|
By installing the Pinniped Concierge on multiple Kubernetes clusters,
|
|
and by configuring each cluster's Concierge as described below
|
|
to trust JWT tokens from a single Supervisor's FederationDomain,
|
|
your clusters' users may safely use their identity across all of those clusters.
|
|
Users of these clusters will enjoy a unified, once-a-day login experience for all the clusters with their `kubectl` CLI.
|
|
|
|
If you would rather not use the Supervisor, you may want to [configure the Concierge to validate JWT tokens from other OIDC providers]({{< ref "configure-concierge-jwt" >}}) instead.
|
|
|
|
## Prerequisites
|
|
|
|
This how-to guide assumes that you have already [installed the Pinniped Supervisor]({{< ref "install-supervisor" >}}) with working ingress,
|
|
and that you have [configured a FederationDomain to issue tokens for your downstream clusters]({{< ref "configure-supervisor" >}}).
|
|
|
|
It also assumes that you have configured an `OIDCIdentityProvider`, `LDAPIdentityProvider`, or `ActiveDirectoryIdentityProvider` for the Supervisor as the source of your user's identities.
|
|
Various examples of configuring these resources can be found in these guides.
|
|
|
|
It also assumes that you have already [installed the Pinniped Concierge]({{< ref "install-concierge" >}})
|
|
on all the clusters in which you would like to allow users to have a unified identity.
|
|
|
|
## Create a JWTAuthenticator
|
|
|
|
Create a JWTAuthenticator describing how to validate tokens from your Supervisor's FederationDomain:
|
|
|
|
```yaml
|
|
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
|
|
kind: JWTAuthenticator
|
|
metadata:
|
|
name: my-supervisor-authenticator
|
|
spec:
|
|
|
|
# The value of the `issuer` field should exactly match the `issuer`
|
|
# field of your Supervisor's FederationDomain.
|
|
issuer: https://my-issuer.example.com/any/path
|
|
|
|
# You can use any `audience` identifier for your cluster, but it is
|
|
# important that it is unique for security reasons.
|
|
audience: my-unique-cluster-identifier-da79fa849
|
|
|
|
# If the TLS certificate of your FederationDomain is not signed by
|
|
# a standard CA trusted by the Concierge pods by default, then
|
|
# specify its CA here as a base64-encoded PEM.
|
|
tls:
|
|
certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0...0tLQo=
|
|
```
|
|
|
|
If you've saved this into a file `my-supervisor-authenticator.yaml`, then install it into your cluster using:
|
|
|
|
```sh
|
|
kubectl apply -f my-supervisor-authenticator.yaml
|
|
```
|
|
|
|
Do this on each cluster in which you would like to allow users from that FederationDomain to log in.
|
|
Don't forget to give each cluster a unique `audience` value for security reasons.
|
|
|
|
## Next steps
|
|
|
|
Next, [log in to your cluster]({{< ref "login" >}})!
|