Configure Dex as external IDP for OIDC integration with vSphere 8 and TKG 2
The steps in this post describe a quick way to test the OIDC integration feature newly introduced with Supervisor clusters on vSphere 8. We set up Dex, backed by an OpenLDAP directory, as the external IDP and register it with the Supervisor. Everything below is a lab setup: LDAP without TLS, a self-signed Dex certificate, default passwords and a world-readable key directory. It is meant for testing the integration, not as a production template.
Pre-requisites
- A VM or host with Docker pre-installed
  - We will use this host to set up a containerized Dex environment backed by LDAP
  - This host must have network connectivity to vCenter and the Supervisor VMs
  - We will refer to the IP of this VM as HOST_IP throughout this post
- WCP service (Workload Management) enabled and configured on vSphere 8
Setup LDAP
Install ldap-utils
The firewall rules open 389/636 (LDAP, LDAPS) and 5556/5558 (Dex HTTPS and HTTP). Limit them to the vCenter and Supervisor networks if the host is reachable from anywhere else; on CentOS open the same four ports in firewalld.
# Ubuntu
sudo apt install ldap-utils -y
export HOST_IP=<IP>
sudo ufw allow 389
sudo ufw allow 636
sudo ufw allow 5556
sudo ufw allow 5558
# CentOS
sudo yum install -y openldap-clients
export HOST_IP=<IP>
Start dockerized LDAP server
The HOST_IP line below picks the interface on the author's 192.168.10.0/24 lab network; adjust the pattern, or set HOST_IP by hand, for your environment. The image is pulled through a private Harbor proxy cache; the upstream image is osixia/openldap on Docker Hub.
export HOST_IP=$(ifconfig | grep "192.168.10" | awk '{print $2}')
sudo docker run --name tanzu-ldap -p 389:389 -p 636:636 \
--env LDAP_TLS_VERIFY_CLIENT=try \
--env LDAP_ORGANISATION="VMware Tanzu" \
--env LDAP_DOMAIN="vmware.tanzu" \
--env LDAP_ADMIN_PASSWORD="changeme" \
--detach harbor.tanzu-gss-labs.vmware.com/docker-hub-cache/osixia/openldap:latest
Create test LDAP users and groups
Records in an LDIF file must be separated by blank lines, otherwise ldapadd rejects the file. The userPassword values are stored exactly as written here (cleartext); outside a lab, generate hashed values with slappasswd. The groups are groupOfNames entries whose member attribute holds user DNs, which is what the Dex group search keys on later.
cat > $HOME/ldap-records.ldif <<EOF
# USERS
# alana, vmware.tanzu
dn: cn=alana,dc=vmware,dc=tanzu
objectClass: simpleSecurityObject
objectClass: iNetOrgPerson
sn: op
cn: alana
mail: alana@vmware.com
description: Alana
userPassword: changeme

# naomi, vmware.tanzu
dn: cn=naomi,dc=vmware,dc=tanzu
objectClass: simpleSecurityObject
objectClass: iNetOrgPerson
sn: dev
cn: naomi
mail: naomi@vmware.com
description: Naomi
userPassword: changeme

# GROUPS, vmware.tanzu
dn: ou=groups,dc=vmware,dc=tanzu
objectClass: organizationalUnit
ou: groups

# cluster-admins, groups, vmware.tanzu
dn: cn=cluster-admins,ou=groups,dc=vmware,dc=tanzu
objectClass: groupOfNames
objectClass: top
cn: cluster-admins
description: Admin Group
member: cn=alana,dc=vmware,dc=tanzu

# cluster-devs, groups, vmware.tanzu
dn: cn=cluster-devs,ou=groups,dc=vmware,dc=tanzu
objectClass: groupOfNames
objectClass: top
cn: cluster-devs
description: developers
member: cn=naomi,dc=vmware,dc=tanzu
EOF
Add users using ldapadd
ldapadd -x -H ldap://$HOST_IP -D "cn=admin,dc=vmware,dc=tanzu" -w changeme -f $HOME/ldap-records.ldif
adding new entry "cn=alana,dc=vmware,dc=tanzu"
adding new entry "cn=naomi,dc=vmware,dc=tanzu"
adding new entry "ou=groups,dc=vmware,dc=tanzu"
adding new entry "cn=cluster-admins,ou=groups,dc=vmware,dc=tanzu"
adding new entry "cn=cluster-devs,ou=groups,dc=vmware,dc=tanzu"
Setup Dex as an OIDC provider
Generate certs
The cert-gen script from the Dex repository reads the SAN environment variable through openssl.conf, so the serving certificate ends up with the IP SANs listed below. Include every address the issuer URL will use (HOST_IP here): vCenter and the Supervisor verify the Dex certificate against the CA pasted into the provider configuration, and a certificate without a matching IP SAN fails that check.
mkdir -p $HOME/dex/examples/grpc-client/
wget https://raw.githubusercontent.com/dexidp/dex/master/examples/grpc-client/openssl.conf -O $HOME/dex/examples/grpc-client/openssl.conf
pushd $HOME/dex
wget https://raw.githubusercontent.com/dexidp/dex/master/examples/grpc-client/cert-gen
chmod +x cert-gen
export SAN=IP.1:127.0.0.1,IP.2:$HOST_IP
./cert-gen
popd
chmod -R 777 $HOME/dex
The chmod lets the non-root user inside the Dex container read the certificate, key and config in this directory and create the sqlite database there; it also makes server.key readable by every local user, so outside a throwaway lab change the directory's ownership to the container's user instead.
Generate dex config
Get the Identity provider callback URL
REDIRECT_IP is the address of the Supervisor control plane (the same address tanzu login uses below). When you add an identity provider in vCenter, the Supervisor configuration shows the callback URL it expects, https://<Supervisor IP>/wcp/pinniped/callback; the Dex static client's redirectURIs entry must match it exactly, because Dex rejects authorization requests whose redirect_uri is not registered for the client. The connector below talks to LDAP on 389 without TLS (insecureNoSSL) and would skip certificate verification if TLS were enabled (insecureSkipVerify); outside a lab use ldaps on 636 and point rootCA at the LDAP server's CA instead.
export REDIRECT_IP="192.168.40.13"
cat << EOF > $HOME/dex/dex-ldap-config.yml
# Must match the Issuer URL entered in vCenter character for character.
issuer: https://$HOST_IP:5556/dex
storage:
  type: sqlite3
  config:
    file: /serve-config/dex.db
web:
  http: 0.0.0.0:5558
  https: 0.0.0.0:5556
  tlsCert: /serve-config/server.crt
  tlsKey: /serve-config/server.key
connectors:
- type: ldap
  name: OpenLDAP
  id: ldap
  config:
    host: $HOST_IP:389
    # Lab only: plaintext LDAP, and no certificate checks if TLS were used.
    insecureNoSSL: true
    insecureSkipVerify: true
    bindDN: cn=admin,dc=vmware,dc=tanzu
    bindPW: changeme
    usernamePrompt: Email Address
    userSearch:
      baseDN: dc=vmware,dc=tanzu
      filter: "(objectClass=iNetOrgPerson)"
      # The value typed at the Dex login form is matched against mail.
      username: mail
      idAttr: DN
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: ou=groups,dc=vmware,dc=tanzu
      filter: "(objectClass=groupOfNames)"
      # A user belongs to a group whose member attribute contains the user's DN.
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
staticClients:
- id: example-app
  redirectURIs:
  - 'https://$REDIRECT_IP/wcp/pinniped/callback'
  name: 'Example App'
  # Compared literally by Dex; the same string goes into vCenter as the client secret.
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
EOF
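The two LDAP queries Dex derives from the connector section above are easy to reproduce with ldapsearch, which is the quickest way to find out why a login fails before digging through Dex logs. The script below is an added example, not part of the original post and not Dex's own code; it assumes HOST_IP and the admin bind credentials from the steps above, and the script name dex-ldap-check.sh is hypothetical. Its filter construction mirrors what Dex's ldap connector does: the configured filter ANDed with an attribute match whose value is escaped per RFC 4515.

```shell
#!/usr/bin/env bash
# Reproduce the user and group searches Dex runs for the OpenLDAP connector above.
# Added example, not from the original post or from Dex itself. Assumes HOST_IP and
# the bind DN/password used earlier; override the variables as needed.
set -u

LDAP_URL="ldap://${HOST_IP:-127.0.0.1}:389"
BIND_DN="cn=admin,dc=vmware,dc=tanzu"
BIND_PW="changeme"
USER_BASE="dc=vmware,dc=tanzu"
GROUP_BASE="ou=groups,dc=vmware,dc=tanzu"

# ldap_escape VALUE: escape the RFC 4515 filter metacharacters ( ) * and \ so a login
# name typed into the Dex form, e.g. 'a)(mail=*', cannot rewrite the search filter.
ldap_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# and_filter BASE_FILTER ATTR VALUE: the shape Dex uses for both searches, i.e. the
# configured filter ANDed with (ATTR=VALUE). With the config above this yields
# (&(objectClass=iNetOrgPerson)(mail=<login>)) and
# (&(objectClass=groupOfNames)(member=<user DN>)).
and_filter() {
  printf '(&%s(%s=%s))' "$1" "$2" "$(ldap_escape "$3")"
}

# ldap_query BASE FILTER ATTR: one search against the directory, returning only ATTR.
ldap_query() {
  ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$1" -s sub "$2" "$3"
}

# dex_lookup LOGIN: step 1 finds the user by the username attribute (mail); exactly
# one entry must match, otherwise Dex refuses the login. Step 2 finds the groups
# whose member attribute holds that user's DN (userAttr: DN / groupAttr: member).
dex_lookup() {
  local login="$1" dn count
  dn=$(ldap_query "$USER_BASE" "$(and_filter '(objectClass=iNetOrgPerson)' mail "$login")" dn \
       | sed -n 's/^dn: //p')
  if [ -z "$dn" ]; then
    echo "no entry matches mail=$login (the Dex prompt expects the mail attribute)" >&2
    return 1
  fi
  count=$(printf '%s\n' "$dn" | wc -l | tr -d ' ')
  if [ "$count" -ne 1 ]; then
    echo "ambiguous login, multiple entries match: $dn" >&2
    return 1
  fi
  echo "user DN: $dn"
  # These are the groups Dex would put into a groups claim if vCenter requested one.
  ldap_query "$GROUP_BASE" "$(and_filter '(objectClass=groupOfNames)' member "$dn")" cn \
    | sed -n 's/^cn: /group: /p'
}

# Usage: HOST_IP=192.168.10.138 ./dex-ldap-check.sh alana@vmware.com
if [ -n "${1:-}" ]; then
  dex_lookup "$1"
fi
```

For alana@vmware.com the script prints the user DN and `group: cluster-admins`; trying `alana` instead of the mail address reproduces the failure a user sees when they ignore the "Email Address" prompt.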
Run dockerized Dex
Mount $HOME/dex (certificates, config and the sqlite file Dex creates) into the container. The image is again pulled through the author's Harbor proxy cache; the upstream image is bitnami/dex.
docker run --name tanzu-dex \
-v $HOME/dex:/serve-config \
-p 5556:5556 \
-p 5558:5558 \
--detach harbor.tanzu-gss-labs.vmware.com/docker-hub-cache/bitnami/dex:2.33.0 serve /serve-config/dex-ldap-config.yml
docker logs tanzu-dex
time="2022-09-09T04:50:16Z" level=info msg="Dex Version: v2.33.0-dirty, Go Version: go1.18.3, Go OS/ARCH: linux amd64"
time="2022-09-09T04:50:16Z" level=info msg="config issuer: https://192.168.10.138:5556/dex"
time="2022-09-09T04:50:16Z" level=info msg="config storage: sqlite3"
time="2022-09-09T04:50:16Z" level=info msg="config static client: Example App"
time="2022-09-09T04:50:16Z" level=info msg="config connector: ldap"
time="2022-09-09T04:50:16Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-09-09T04:50:16Z" level=info msg="keys expired, rotating"
time="2022-09-09T04:50:16Z" level=info msg="keys rotated, next rotation: 2022-09-09 10:50:16.409769341 +0000 UTC"
time="2022-09-09T04:50:16Z" level=info msg="listening (http) on 0.0.0.0:5558"
time="2022-09-09T04:50:16Z" level=info msg="listening (https) on 0.0.0.0:5556"
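Before adding the provider in vCenter, it pays to check the things vCenter and the Supervisor will themselves check: that the serving certificate carries HOST_IP as a SAN, that it chains to the ca.crt you are about to paste, and that the issuer advertised in Dex's discovery document is exactly the configured issuer URL (a trailing slash or a different host or port fails the OIDC issuer check). The script is an added example, not from the original post; it assumes HOST_IP and the $HOME/dex files created above, and the script name dex-preflight.sh and the DEX_DIR variable are hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the Dex issuer before it is registered in vCenter.
# Added example, not from the original post. Assumes HOST_IP and the
# $HOME/dex/{server.crt,ca.crt} files produced by cert-gen above.
set -u

# cert_has_ip_san CERT IP: succeed if CERT lists IP in subjectAltName. vCenter and the
# Supervisor reach Dex by IP, so a certificate without an IP SAN fails TLS verification
# even when it is signed by the pasted CA.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "IP Address:$2"'(,|$)'
}

# cert_chains_to_ca CERT CA: succeed if CERT verifies against CA, i.e. the file whose
# contents go into "Certificate Authority Data".
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# discovery_issuer ISSUER_URL CA: print the issuer advertised by Dex's discovery
# document, fetched over TLS with the same CA vCenter will trust. Empty on failure.
discovery_issuer() {
  curl -fsS --cacert "$2" "$1/.well-known/openid-configuration" 2>/dev/null \
    | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# issuer_matches CONFIGURED ADVERTISED: OIDC clients (Pinniped in the Supervisor) reject
# a provider whose advertised issuer differs from the configured one in any character.
issuer_matches() {
  [ "$1" = "$2" ]
}

# preflight IP DIR: run all checks, print one line per check, return 1 if any failed.
preflight() {
  local ip="$1" dir="$2" issuer advertised rc=0
  issuer="https://$ip:5556/dex"
  if cert_has_ip_san "$dir/server.crt" "$ip"; then
    echo "ok: server.crt has SAN IP:$ip"
  else
    echo "FAIL: server.crt lacks IP:$ip in subjectAltName"; rc=1
  fi
  if cert_chains_to_ca "$dir/server.crt" "$dir/ca.crt"; then
    echo "ok: server.crt chains to ca.crt"
  else
    echo "FAIL: server.crt does not verify against ca.crt"; rc=1
  fi
  advertised=$(discovery_issuer "$issuer" "$dir/ca.crt")
  if [ -z "$advertised" ]; then
    echo "FAIL: discovery document not reachable at $issuer"; return 1
  fi
  if issuer_matches "$issuer" "$advertised"; then
    echo "ok: advertised issuer matches $issuer"
  else
    echo "FAIL: advertised issuer '$advertised' != configured '$issuer'"; rc=1
  fi
  return $rc
}

# Usage: HOST_IP=192.168.10.138 ./dex-preflight.sh   (DEX_DIR overrides $HOME/dex)
if [ -n "${HOST_IP:-}" ]; then
  preflight "$HOST_IP" "${DEX_DIR:-$HOME/dex}"
fi
```

The discovery fetch uses only the CA, not --insecure, on purpose: if curl cannot validate the certificate with ca.crt, vCenter will not either.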
Configure Identity Provider in vCenter
Add provider
Provider Configuration
- Provider Name - tanzu-dex
- Issuer URL - https://192.168.10.138:5556/dex (must match the issuer in dex-ldap-config.yml character for character; it is compared with the issuer field of Dex's discovery document)
- Username Claim (optional) - email
- Groups Claim (optional) - leave it blank. Without a groups claim the Supervisor only learns the user's identity, so role bindings have to target individual users such as alana@vmware.com.
OAuth 2.0 Client Details
- Client ID - example-app
- Client Secret - ZXhhbXBsZS1hcHAtc2VjcmV0
  This must be the same literal string as staticClients[].secret in $HOME/dex/dex-ldap-config.yml. Dex compares the secret as given; the example value happens to be base64 text, but it is not decoded on either side.
Additional Settings
- Certificate Authority Data - the contents of $HOME/dex/ca.crt (cat $HOME/dex/ca.crt), the CA that signed server.crt
Review and Confirm
Configuration Complete
Tanzu login
Log in against the Supervisor endpoint. The CLI opens the Pinniped authorize URL in a browser; on a host without one it prints the link instead, so open it elsewhere, authenticate at the Dex OpenLDAP prompt with a mail address (alana@vmware.com / changeme) and paste the authorization code back.
tanzu login --endpoint https://192.168.40.13 --name oom-sup-p
ℹ Detected a vSphere Supervisor being used
E0909 01:10:04.454157 14759 login.go:578] "msg"="could not open browser" "error"="exec: \"xdg-open,x-www-browser,www-browser\": executable file not found in $PATH"
Log in by visiting this link:
https://192.168.40.13/wcp/pinniped/oauth2/authorize?access_type=offline&client_id=pinniped-cli&code_challenge=0uAXiHS34Zo05octm964iQ-cmaQ2b5Cx_H_fv15JCcc&code_challenge_method=S256&nonce=38b440523058f3d5a9ae71021152ae1b&redirect_uri=http%3A%2F%2F127.0.0.1%3A40087%2Fcallback&response_mode=form_post&response_type=code&scope=offline_access+openid+pinniped%3Arequest-audience&state=3830e0f5b1fd8d9f7739f976a5480b8c
Optionally, paste your authorization code: [...]
✔ successfully logged in to management cluster using the kubeconfig oom-sup-p
Checking for required plugins...
Installing plugin 'cluster:v0.25'
Installing plugin 'feature:v0.25'
Installing plugin 'kubernetes-release:v0.25'
Installing plugin 'namespaces:v1.0.0'
Successfully installed all required plugins