Md Asraful Haque (Sohel)Goal
The goal of this post is to add authentication to Tekton Dashboard installed at AWS EKS
If you are only interested to install the Dashboard and keep it publicly accessible, have a look at my previous blog post on Expose EKS tekton pipeline dashboard with ssl enabled.
Photo by Iraj Ishtiak on Unsplash
Pre-Requisite
- EKS Cluster
- Kubectl is configured at your local machine
- Tekton pipeline is installed
Strategy
As per the Tekton Dashboard documentation:
The Dashboard does not provide its own authentication or authorization, however it will pass on any authentication headers provided to it by a proxy deployed in front of the Dashboard.
For authentication, there are several options like oauth2-proxy, Keycloak, OpenUnison, Traefik, Istio’s EnvoyFilter. For this tutorial we will use oauth2-proxy.
Workflows
-- There will be a oauth2-proxy service deployed
-- This service will be exposed via the loadbalancer and the loadbalancer will be mapped against the your domain eg tekton-dashboard.myeks.com
-- The upstream of the oauth-proxy service is the tekton-dashboard service.
-- We will use AWS Cognito as the OIDC provider for oauth2-proxy service ie user will be authenticated via AWS Cognito.
-- With the above setup, when the end user will request for the tekton-dashboard (with eg tekton-dashboard.myeks.com) it will first hit the oauth2 proxy service.
-- The oauth2-proxy service will forward the request to AWS Cognito to check if the user is authenticated.
-- If authenticated, the user is logged in and can see the tekton-dashboard.
Step By Step
Install Tekton Dashboard
-- Install the Tekton Dashboard using the official documentation
-- Add a Service to access the Tekton Dashboard eg. tekton-dashboard.yaml:
apiVersion: v1
kind: Service
metadata:
labels:
app: tekton-dashboard
app.kubernetes.io/component: dashboard
app.kubernetes.io/instance: default
app.kubernetes.io/name: dashboard
app.kubernetes.io/part-of: tekton-dashboard
app.kubernetes.io/version: v0.49.0
dashboard.tekton.dev/release: v0.49.0
version: v0.49.0
name: tekton-dashboard
namespace: tekton-pipelines
spec:
ports:
- name: http
port: 9097
protocol: TCP
targetPort: 9097
selector:
app.kubernetes.io/component: dashboard
app.kubernetes.io/instance: default
app.kubernetes.io/name: dashboard
app.kubernetes.io/part-of: tekton-dashboard
sessionAffinity: None
Note that this service doesn't have a type so, its of type ClusterIP that means only accessible internally inside the cluster ie this service can be accessed using http://tekton-dashboard:9097.
Setup AWS Cognito
Follow the steps from this blog post on how to setup AWS Cognito for this app
Now We are done with setting up AWS Cognito. Lets move to Oauth2 Proxy.
Get CLIENT_ID, CLIENT_SECRET and oidc-issuer-url from aws cognito to be used in later steps.
Installing and Configuring Oauth2-Proxy
What we have to do now deploy the oauth2 proxy as k8s Deployement, expose that proxy app to the world by creating a service and map the domain name for the service.
Create Tekton Dashboard secret
$ kubectl create secret generic tekton-dashboard-auth \
-n tekton-pipelines \
--from-literal=username=CLIENT_ID \
--from-literal=password=CLIENT_SECRET
You will get the CLIENT_ID and CLIENT_SECRET from your AWS User Pools (see the steps at AWS Cognito post
Add the oauth2-proxy Deployment
Before creating the deployment for oauth2-proxy, check the following values:
-
upstream: This is the url of the tekton-dashboard service. In our case it will behttp://tekton-dashboard:9097. -
redirect-url: The url where the oauth-proxy will be redirected. it will be you tekton-dashboard callback url eg. https://tkn-dashboard.myeks/oauth2/callback -
oidc-issuer-url: The oidc url for your AWSCognito User Pools, It would be like :https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID. For example if your region is eu-west-1 and your user-pool id iseu-west-1-1234, then it will be:https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1-1234. You will find the user-pool id at yourAWS Cognito user-pools overview page. -
cookie-secret: Generate some random string for cookie secret. you can use openssl for that:
$ openssl rand -base64 32 | head -c 32 | base64
To make things easier, I have put the deployment and service file at this eks-tekton github repository. Clone it and add the values of above params at the Deployment manifest.
(Don't apply it yet, we have to change the service as well)
Exposing the oauth2-proxy service with LoadBalancer
Create Certificate
Create Certificate using AWS Certificate Manager for your domain tekton-dashboard.myeks.com. Make sure you also validate the certificate.
Add certificate arn at the service
We need to add the following annotations at the service which needs the certificate arn, ie
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
Replace the certificate arn, at your cloned github repository for the tekton-dashboard-auth service
Create the deployment and service
If you are at the root of the cloned github repo and modified as per above steps, now you can apply it
$ kubectl apply -n tekton-pipelines -k tekton-dashboard-oidc
This will create the deployment and corresponding services, and there will be a loadbalancer created which points to the oauth2-proxy service.
Map the domain with Loadbalancer
Now, Find your LoadBalancer from the service:
$ kc get svc tekton-dashboard-auth -n tekton-pipelines
You will get the LoadBalancer URl at the External-IP field.
- With the URL, Locate that LoadBalancer at AWS Console and check at the Listener there is
443port. For the SSL certificate check the certificate you defined at theServicehas been attached at the loadbalancer. - From AWS Route53, Associate your domain name (eg.
tekton-dashboard.myeks.com) with the LoadBalancer. If you are doing it for the first time, you can follow the AWS Routing traffic to an ELB load balancer documentation
That's it now you can browse the tekton dashboard using your domain eg. https://tekton-dashboard.myeks.com and it ask you login with AWS Cognito.
If you put the correct username and password, you will be on the Tekton Dashboard homepage 🎉.
NB. The picture attached at this post not related to content, its just attached to soothe your eyes :)
References:
https://medium.com/octo-technology-morocco/secure-authentication-to-tekton-dashboard-using-oidc-36de9b3f8a7d
https://stackoverflow.com/questions/56534589/is-there-a-way-to-configure-an-eks-service-to-use-https
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html
