Tanzu Kubernetes Grid Clusters on VMware vSphere and Workspace ONE Integration
Author: Pramita Gautam, Kalyaan Krushna Codadu
In this blog, we are covering how customers can leverage the integration between VMware Tanzu Kubernetes Grid clusters on vSphere and VMware Workspace ONE as an external identity provider.
Workspace ONE is designed to provide a management platform that allows IT administrators to centrally control end user’s mobile devices, cloud-hosted virtual desktops, and applications from the cloud or from an on-premises deployment.
In this documentation, Workspace ONE Access is the identity provider, and the Pinniped supervisor running in VMware Tanzu is the OIDC client that integrates with it.
Workspace ONE configuration
- Requirements
- Deploy and configure VMware Workspace ONE Access. If needed, refer to the documentation for more information on Workspace ONE Access.
- Install and configure Workspace ONE Access connector on a Windows server joined to the domain (for integrating with Active Directory and making use of features such as Directory Sync, User Auth, Kerberos Auth, or Virtual App services).
- Click on the Access Connector installer file.
- Accept the EULA.
- Select all the components listed and click Next.
- Browse to the JSON file generated from the Add Connector screen in Workspace ONE Access.
- Select the Custom Installation option.
- If connection between the connector virtual machine (VM) and Workspace ONE Access occurs via proxy servers, select the proxy box and provide the details. Otherwise, click Next, with Enable Proxy unchecked.
- Configure syslog, if available.
- If using Citrix multi-site aggregation, provide the required configuration details.
- Provide the root certificate authority (CA) of the Workspace ONE Access appliance.
- Select the default ports and click Next.
- If you have certificate for Kerberos Auth services, select the certificate. Otherwise, leave the box unchecked and click Next to use the self-signed certificate.
- Select any domain user/service account part of the domain that is being integrated with Workspace ONE Access using the following connector instance.
- Click Install to complete the connector installation.
- Once the installation is complete, you should see the connector displayed in Workspace ONE Access UI console.
- Once the connector is updated in the Workspace ONE Access UI, create the directory.
If needed, refer to this documentation for details on installing Workspace ONE Access Connector.
- Perform the following configurations on Workspace ONE Access to create the OpenID Connect (OIDC) Client to be able to integrate with the Tanzu Kubernetes Grid cluster on vSphere.
- Log in to the Workspace ONE Access admin console and navigate to Resources. Select Web Apps from the righthand menu and click NEW.
- Specify a Name to the new web app and click NEXT.
- From the configuration screen:
- Specify the Authentication type – OpenID Connect
- Specify the Target URL – This should be the NSX Load Balancer (LB) URL/IP for the pinniped supervisor service running in the Tanzu Kubernetes Grid cluster on vSphere.
Syntax: https://[lb Ip address]/callback
Note: If the Tanzu Kubernetes Grid cluster is not yet created, any IP address could be specified here and updated later, once the cluster is deployed and a LB IP is assigned to the pinniped service.
- Redirect URL – List the same URL mentioned for the Target URL
- Enter a Name for ClientID
Note: This ClientID will be used in the pinniped configured in the Tanzu Kubernetes Grid cluster on vSphere.
- The client secret can be created as specified below on any machine.
- Make sure the toggle buttons for Open in Workspace ONE Web and Show in User Portal are disabled. Click Next.
- Assign an access policy from the drop-down menu or select the default policy.
- Click Save, then Assign.
- Assign the web app now created to the users/groups synced in Workspace ONE Access using the connector installed previously.
Note: Make sure to select Deployment Type as Automatic, when the web app is assigned to users.
- Configure Remote App Access in the Workspace ONE Access console with the following steps.
- In the Workspace ONE Access console navigate to Settings > Remote App Access, then click the newly created web app.
- On the screen that has opened, click Edit next to Scope in the OAuth 2 Client section.
- Select the following scope option check boxes.
- Profile
- User
- NAPPS
- OpenID
- Group
- Click Save.
- Click Next to navigate to Client Configuration. On this screen, uncheck the box for Prompt users for access.
- Ensure the token type is set to Bearer and update the Redirect URL with the correct LB IP for the pinniped supervisor.
Click Save.
- Assign the web app to Users Synced.
- Click Accounts, then navigate to Users.
- Double-click on the username and select the Application Tab.
- Click Assign and select the web app you created in the previous step.
- Ensure you have the Deployment Type set to Automatic. The same is applicable for User Groups.
- Next, we’ll need the root CA of Workspace ONE.
- Log in to the Workspace ONE Access virtual appliance management UI (https://<ws1-fqdn>:8443).
- Navigate to Install SSL Certificates.
- Under Server Certificate select Auto Generate Certificate (self-signed). You should now see the location from which you can download the root CA.
- For an alternate way to obtain the root CA for the VIDM appliance, follow the next steps. Otherwise, skip ahead to Tanzu Kubernetes Grid cluster configuration.
- From any machines with OpenSSL installed, run the following command:
openssl s_client -connect [Ip/fqdn of ws1 appliance]:443 -showcerts </dev/null
- Copy the root CA (the last certificate block in the chain printed by the above command, including the BEGIN and END CERTIFICATE lines) and save it in a text file.
- You will need to convert this certificate to a single-line base64-encoded format to use it for the OIDC integration.
- To convert to base64-encoded format:
cat [name of root ca file] | base64 | tr -d '\n' > [output file name]
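The two manual steps above (pick the root CA out of the openssl chain dump, then base64-encode it on one line) as a small added shell script; this is example code, not part of the original post. It assumes the last certificate block in the `-showcerts` output is the appliance's root CA, and the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: turn an `openssl s_client -showcerts` chain dump into the
# single-line base64 value that pinniped's upstream_oidc_tls_ca_data expects.
# Assumption: the last certificate in the chain dump is the root CA.

# Extract the last PEM certificate block (BEGIN..END lines) from stdin.
last_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
    inblk { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/ { inblk = 0; last = buf }
    END { printf "%s", last }
  '
}

# Base64-encode stdin as one line with no trailing newline, as the YAML key needs.
b64_oneline() {
  base64 | tr -d '\n'
}

# Fetch the chain from the appliance and print the encoded root CA.
# Usage: fetch_root_ca_b64 ws1.example.test   (hostname is a placeholder)
fetch_root_ca_b64() {
  openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null \
    | last_cert | b64_oneline
}

# Sanity check: the encoded value must decode back to a PEM certificate block.
check_b64_cert() {
  printf '%s' "$1" | base64 -d 2>/dev/null \
    | grep -q '^-----BEGIN CERTIFICATE-----$'
}
```

Paste the printed value as `upstream_oidc_tls_ca_data` in the pinniped secret; `check_b64_cert` catches the common mistake of encoding a file that still contains the openssl session text.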
Tanzu Kubernetes Grid cluster configuration
- For a new Tanzu Kubernetes Grid management cluster, follow these steps:
- If the Tanzu Kubernetes Grid management cluster is to be created using the cluster YAML file, then refer to this documentation.
Update the values related to OIDC in the YAML file as specified below:
    IDENTITY_MANAGEMENT_TYPE: oidc
    OIDC_IDENTITY_PROVIDER_CLIENT_ID: <clientid>
    OIDC_IDENTITY_PROVIDER_CLIENT_SECRET: <secret>
    OIDC_IDENTITY_PROVIDER_GROUPS_CLAIM: group_names
    OIDC_IDENTITY_PROVIDER_ISSUER_URL: https://<WS1-FQDN>/SAAS/auth
    OIDC_IDENTITY_PROVIDER_SCOPES: openId,email,user,profile,group
    OIDC_IDENTITY_PROVIDER_USERNAME_CLAIM: email
Use "tanzu management-cluster create -f <yaml-file>" to create the management cluster.
Use "tanzu cluster create -f <yaml-file>" to create workload clusters.
- If the management Tanzu Kubernetes Grid cluster is to be created using the Tanzu installer, then review this documentation.
In the cluster creation wizard under the Identity Management section, select OIDC and provide the required details as shared.
- After creating the management Tanzu Kubernetes Grid cluster, follow the steps in the Enable and Configure Identity Management in an Existing Deployment section of this documentation to update the pinniped secret file, adding the CA of the Workspace ONE Access appliance under the key "upstream_oidc_tls_ca_data" in the pinniped section.
- To get the CA of Workspace ONE, refer to the Workspace ONE configuration section above.
- For existing management Tanzu Kubernetes Grid clusters, the same secret file can be updated with the OIDC details.
- If needed, refer to the Enable and Configure Identity Management in an Existing Deployment section of this documentation.
- Workload Tanzu Kubernetes Grid clusters
- Any workload clusters that you create when you enable identity management in the management cluster are automatically configured to use the same identity management service.
- Before you create a workload cluster, remember to unset any variables (e.g., "_TKG_CLUSTER_FORCE_ROLE") you might have set while updating the management cluster with identity management.
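A pre-flight check for the OIDC values above, before running `tanzu management-cluster create` or updating the pinniped secret. This is an added example, not code from the original post or from VMware; it assumes the issuer publishes standard OIDC discovery at `<issuer>/.well-known/openid-configuration`, that pinniped requires the discovery document's `issuer` field to equal `OIDC_IDENTITY_PROVIDER_ISSUER_URL` exactly (a trailing slash is enough to break it), and that the CA file is the one produced in the Workspace ONE configuration section.

```shell
#!/bin/sh
# Added example: verify the OIDC issuer in a TKG cluster YAML against the
# identity provider's discovery document before creating the cluster.
# Assumption: discovery lives at <issuer>/.well-known/openid-configuration
# and pinniped needs an exact string match on the "issuer" field.

# Read one "KEY: value" setting from a TKG cluster YAML file.
yaml_value() {   # $1 = yaml file, $2 = key name
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Pull the "issuer" field out of a discovery JSON document given as a string
# and compare it with the configured value. Returns 0 only on an exact match.
issuer_matches() {  # $1 = configured issuer, $2 = discovery JSON text
  found=$(printf '%s' "$2" \
    | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$found" ] && [ "$found" = "$1" ]
}

# Fetch discovery from the configured issuer using the appliance CA file
# (the PEM saved earlier, not the base64 form) and run the comparison.
preflight() {  # $1 = cluster yaml file, $2 = root CA PEM file
  issuer=$(yaml_value "$1" OIDC_IDENTITY_PROVIDER_ISSUER_URL)
  [ -n "$issuer" ] || { echo "no OIDC_IDENTITY_PROVIDER_ISSUER_URL" >&2; return 1; }
  doc=$(curl -fsS --cacert "$2" "$issuer/.well-known/openid-configuration") \
    || { echo "discovery fetch failed (CA trust or URL)" >&2; return 1; }
  issuer_matches "$issuer" "$doc" \
    || { echo "issuer in discovery does not match the YAML value" >&2; return 1; }
  echo "issuer OK: $issuer"
}
```

A failed `curl --cacert` here is the same TLS trust problem pinniped will hit later with a wrong `upstream_oidc_tls_ca_data`, so it is cheaper to catch at this point.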
How to test
For the management Tanzu Kubernetes Grid cluster
kubectl create clusterrolebinding <crr-name> --clusterrole cluster-admin --user <user-email>
tanzu management-cluster kubeconfig get <management-cluster-name> --export-file <file-name>
tanzu login --endpoint https://<LB-ip-mgmt-cluster-control-plane>:6443 --name <mgmt-cluster-name>
For the workload Tanzu Kubernetes Grid cluster
kubectl create clusterrolebinding <crr-name> --clusterrole cluster-admin --user <user-email>
tanzu cluster kubeconfig get <workload-cluster-name> --export-file <file-name>
tanzu login --endpoint https://<LB-ip-mgmt-cluster-control-plane>:6443 --name <mgmt-cluster-name>
kubectl config use-context <context-name> --kubeconfig=<workload-kubeconfig>
Note: If you also have groups in Workspace ONE and want to give access to a group, create the clusterrolebinding with the group's email ID (using --group instead of --user) and follow the same steps.
- Multiple ADs
In this documentation we have completed an integration of Tanzu with Workspace ONE; note that this setup also covers the use of multiple ADs in Workspace ONE.
Therefore, we have tested not only the integration of Tanzu with Workspace ONE, but also access to the clusters by users present in multiple ADs in Workspace ONE.
LAB Details
Product | Version
VMware NSX-T | 3.2.1.2
Tanzu Kubernetes Grid on vSphere | 2.1.0
AVI Load Balancer | 21.1.4
VMware vCenter Server | 7.0 Update 3h
VMware ESXi | 7.0 Update 3g
Workspace ONE Access | 22.0.9.2