BYO Certs for TKG 1.5.3+ Auth

  1. Setup DNS
  2. Generate Certificates and Add to Cluster
  3. Update Pinniped Core Package
  4. “Post” Post Pinniped Deploy Configuration

Initial Setup

I’ve deployed the management cluster with IDENTITY_MANAGEMENT_TYPE set to LDAP. My management cluster is named mgmt, and I want my FQDNs to be pinniped.mgmt.tanzu-lab.winterfell.life and dex.mgmt.tanzu-lab.winterfell.life. I have an offline process to generate certificates for my organization.

Setup DNS

First, set up the DNS entries for the custom FQDNs so that they resolve to the external addresses of the Pinniped Supervisor and Dex services. Read those addresses from the services:

$ kubectl get service pinniped-supervisor -n pinniped-supervisor
$ kubectl get service dexsvc -n tanzu-system-auth

Generate Certificates and Add to Cluster

Next, follow your organization's process to generate certificates for the desired FQDNs. Create a secret named custom-auth-cert-tls in each of the pinniped-supervisor and tanzu-system-auth namespaces, carrying the tls.key, tls.crt, and ca.crt.

$ kubectl create secret generic custom-auth-cert-tls \
--namespace pinniped-supervisor \
--type=tls \
--from-file=tls.key=path/to/key/file \
--from-file=tls.crt=path/to/cert/file \
--from-file=ca.crt=path/to/ca/file
$ kubectl create secret generic custom-auth-cert-tls \
--namespace tanzu-system-auth \
--type=tls \
--from-file=tls.key=path/to/key/file \
--from-file=tls.crt=path/to/cert/file \
--from-file=ca.crt=path/to/ca/file
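As an added pre-flight check that is not part of the original walkthrough: before the files are loaded into the cluster, confirm that the key belongs to the certificate, that the certificate chains to ca.crt, and that it covers the FQDN clients will use, so a mismatched bundle never reaches the Supervisor or Dex. The helper names, and the assumption that openssl and kubectl are installed, are mine.

```shell
#!/bin/sh
# Pre-flight checks for the custom-auth-cert-tls material (added example, not
# from the walkthrough). Assumes openssl; the create/verify helpers also need
# kubectl against the management cluster. Paths and FQDNs are the walkthrough's.

# check_tls_material KEY CRT CA FQDN
# Succeeds only when the private key belongs to the certificate, the
# certificate chains to ca.crt, and the certificate covers FQDN.
check_tls_material() {
  key="$1"; crt="$2"; ca="$3"; fqdn="$4"
  for f in "$key" "$crt" "$ca"; do
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  done
  # 1. pairing: the public key derived from tls.key must equal the one in tls.crt
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "unreadable key" >&2; return 1; }
  c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || { echo "unreadable cert" >&2; return 1; }
  [ "$k" = "$c" ] || { echo "tls.key does not match tls.crt" >&2; return 1; }
  # 2. chain: the leaf must verify against the CA bundle in ca.crt
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "tls.crt does not chain to ca.crt" >&2; return 1; }
  # 3. hostname: the SAN (or CN) must cover the name clients will connect to
  openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q "does match" \
    || { echo "tls.crt is not valid for $fqdn" >&2; return 1; }
}

# create_tls_secret NAMESPACE FQDN KEY CRT CA: the walkthrough's kubectl command,
# gated on the checks above so a broken bundle never reaches the cluster.
create_tls_secret() {
  ns="$1"; fqdn="$2"; key="$3"; crt="$4"; ca="$5"
  check_tls_material "$key" "$crt" "$ca" "$fqdn" || return 1
  kubectl create secret generic custom-auth-cert-tls --namespace "$ns" --type=tls \
    --from-file=tls.key="$key" --from-file=tls.crt="$crt" --from-file=ca.crt="$ca"
}

# verify_served_cert FQDN CA: after the post-deploy job, confirm the live
# endpoint presents a chain that validates against ca.crt for that name.
verify_served_cert() {
  fqdn="$1"; ca="$2"
  openssl s_client -connect "$fqdn:443" -servername "$fqdn" -CAfile "$ca" \
    -verify_hostname "$fqdn" </dev/null 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

# Usage with the walkthrough's names (needs a cluster, so not exercised offline):
# create_tls_secret pinniped-supervisor pinniped.mgmt.tanzu-lab.winterfell.life tls.key tls.crt ca.crt
# create_tls_secret tanzu-system-auth   dex.mgmt.tanzu-lab.winterfell.life      tls.key tls.crt ca.crt
# verify_served_cert pinniped.mgmt.tanzu-lab.winterfell.life ca.crt
```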

Update Pinniped Core Package

Now that the certificates are in place, we need to update the Pinniped package to tell it about the secrets.

$ MGMT_CLUSTER_NAME=mgmt # update accordingly
$ kubectl get secret $MGMT_CLUSTER_NAME-pinniped-addon -n tkg-system -ojsonpath="{.data.values\.yaml}" | base64 --decode > /tmp/pinniped-addon-values.yaml
# edit /tmp/pinniped-addon-values.yaml so it names the secret and the Supervisor FQDN:
...
custom_tls_secret: "custom-auth-cert-tls"
...
pinniped:
  ...
  supervisor_svc_external_dns: https://pinniped.mgmt.tanzu-lab.winterfell.life # but with your domain
...
# re-encode and patch the addon secret (GNU coreutils base64 wraps at 76 columns; use `base64 -w 0` there so the JSON value stays on one line)
$ NEW_VALUES_YAML=`cat /tmp/pinniped-addon-values.yaml | base64`
$ kubectl patch secret $MGMT_CLUSTER_NAME-pinniped-addon -n tkg-system -p '{"data": {"values.yaml": "'$NEW_VALUES_YAML'"}}'
# confirm the post-deploy job has run to completion
$ kubectl get jobs -n pinniped-supervisor
NAME                       COMPLETIONS   DURATION   AGE
pinniped-post-deploy-job   1/1           6m44s      6m44s

“Post” Post Pinniped Deploy Configuration (LDAP Only)

The pinniped-post-deploy-job updates resources based on the configuration. For an LDAP configuration, however, it does not know about our Dex FQDN. So we manually update the dex ConfigMap and the Pinniped OIDCIdentityProvider resource so that both reference the Dex FQDN covered by our custom TLS certificate.

$ DEX_URL=https://dex.mgmt.tanzu-lab.winterfell.life
$ kubectl edit cm dex -n tanzu-system-auth
# edit and save the configmap so the Dex issuer is the custom FQDN:
data:
  config.yaml: |
    issuer: <dex_url_from_above>
    ...
# And bounce dex
$ kubectl rollout restart deployment dex --namespace tanzu-system-auth
# Patch the OIDCIdentityProvider
$ kubectl patch oidcidentityprovider upstream-oidc-identity-provider \
  -n pinniped-supervisor \
  --type json \
  -p="[{'op': 'replace', 'path': '/spec/issuer', 'value':'$DEX_URL'}]"
# Verify: fetch the non-admin kubeconfig and make a request, which drives the Pinniped login flow through the new FQDNs
$ MGMT_CLUSTER_NAME=mgmt # update accordingly
$ tanzu management-cluster kubeconfig get
$ kubectl config use-context tanzu-cli-$MGMT_CLUSTER_NAME@$MGMT_CLUSTER_NAME
$ kubectl get all

Dodd Pfeffer

Solution Engineer working at VMware Tanzu team helping customers achieve success with Kubernetes