Application Single Sign-On (AppSSO) – Static Test User Configuration for VMware Tanzu Application Platform

How to deploy an authorization server with static test users along with a Tanzu Application Platform iterate profile

Author: Indu R Pillai

Application Single Sign-On for VMware Tanzu, AppSSO for short, provides APIs for curating and consuming a “single sign-on as a service” offering on VMware Tanzu Application Platform. With AppSSO, Service Operators can configure and deploy authorization servers. Application Operators can then configure their workloads against these authorization servers to provide single sign-on to their end users.

During development, static users may be useful for testing purposes. This blog provides steps to deploy an authorization server with static test users along with a Tanzu Application Platform iterate profile. This feature helps to integrate authentication and authorization decisions early in the software development and release lifecycle.


Prerequisites

  • Cluster with the TAP iterate profile installed
  • Access to Tanzunet
  • Docker running on a local machine/client
  • Tanzu CLI (v0.25.0)
  • kubectl
  • TAP 1.3.0

Install AppSSO Package

The AppSSO package is available from Tanzu Application Platform 1.2.0 onward in the full, iterate, and run profiles. In this example, we are using Tanzu Application Platform version 1.3.0 with the iterate profile to set up AppSSO (2.0.0).

  1. Create ‘tap-values.yaml’ with the iterate profile.

profile: iterate
ceip_policy_disclosed: true
buildservice:
  kp_default_repository: <KP-DEFAULT-REPOSITORY>
  kp_default_repository_password: <KP-DEFAULT-REPOSITORY-PASSWORD>
  kp_default_repository_username: <KP-DEFAULT-REPOSITORY-USERNAME>
supply_chain: basic
ootb_supply_chain_basic:
  registry:
    server: <SERVER>
    repository: <REPOSITORY>
  gitops:
    ssh_secret: ""
contour:
  envoy:
    service:
      type: LoadBalancer
shared:
  ingress_domain: <INGRESS-DOMAIN> # e.g. apps.appssotest.cloudfocused.in
excluded_packages:
  - policy.apps.tanzu.vmware.com

  2. Update the shared.ingress_domain section with your ingress domain. INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s external IP address.
  3. Install Tanzu Application Platform with TAP_VERSION 1.2.0 or above. In this example, we are using TAP version 1.3.0.

$ tanzu package installed update tap -p tap.tanzu.vmware.com -v <TAP_VERSION> --values-file tap-values.yaml -n tap-install

  4. Verify AppSSO is installed.

$ kubectl get pkgi -A | grep appsso
tap-install   appsso                     sso.apps.tanzu.vmware.com                            1.0.0             Reconcile succeeded   21m

For more information, see the Tanzu Application Platform installation guide in the official documentation.

Set up auth server

  1. Create authservers namespace for deploying authservers.

$ kubectl create ns authservers

  2. Create authserver_unsafe_user.yaml with an AuthServer configuration that uses the internalUnsafe identity provider.

---
apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: AuthServer
metadata:
  name: authserver-sample
  namespace: authservers
  labels:
    name: authserver-sample
    env: dev
  annotations:
    sso.apps.tanzu.vmware.com/allow-client-namespaces: "*"
    sso.apps.tanzu.vmware.com/allow-unsafe-issuer-uri: ""
    sso.apps.tanzu.vmware.com/allow-unsafe-identity-provider: ""
spec:
  tls:
    disabled: true
  identityProviders:
    - name: test-users
      internalUnsafe:
        users:
          - username: ernie
            password: "password" # plain text
            roles:
              - "silly"
          - username: bert
            password: "{bcrypt}$2a$10$201z9o/tHlocFsHFTo0plukh03ApBYe4dRiXcqeyRQH6CNNtS8jWK" # bcrypt-encoded "password"
            roles:
              - "grumpy"
  tokenSignature:
    signAndVerifyKeyRef:
      name: my-token-signing-key
---
apiVersion: secretgen.k14s.io/v1alpha1
kind: RSAKey
metadata:
  name: my-token-signing-key
  namespace: authservers
spec:
  secretTemplate:
    type: Opaque
    stringData:
      key.pem: $(privateKey)
      pub.pem: $(publicKey)

Please note: AppSSO templates the issuer URI and creates a TLS-enabled Ingress for it. Once you create the AuthServer, you can find the actual URL in .status.issuerURI. In this configuration, we have disabled TLS and used the unsafe identity provider. If the issuer URL is not https, make sure to add the annotation sso.apps.tanzu.vmware.com/allow-unsafe-issuer-uri: "" in authserver_unsafe_user.yaml.
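As an added example (not part of AppSSO, its documentation, or this post), the following POSIX sh pre-deployment gate lists every dev-only setting the manifest above relies on (the two unsafe annotations, the wildcard client namespace, internalUnsafe, disabled TLS and plain-text passwords), so a copy of authserver_unsafe_user.yaml cannot drift into a non-dev cluster unnoticed. The function names and the FINDING output format are my own choices.

```shell
#!/bin/sh
# Added example, not part of AppSSO or its documentation: a pre-deployment
# gate that lists the dev-only settings authserver_unsafe_user.yaml relies on.
# Needs only POSIX sh plus grep (-A is a GNU/BSD grep extension).
# Usage: check_authserver_manifest authserver_unsafe_user.yaml

# Prints one "FINDING: ..." line per unsafe setting and returns their count,
# so "check_authserver_manifest FILE || exit 1" works as a CI gate.
check_authserver_manifest() {
  file="$1"
  n=0
  flag() { echo "FINDING: $1"; n=$((n + 1)); }

  grep -q 'allow-unsafe-identity-provider' "$file" \
    && flag "allow-unsafe-identity-provider annotation set (internalUnsafe permitted)"
  grep -q 'allow-unsafe-issuer-uri' "$file" \
    && flag "allow-unsafe-issuer-uri annotation set (plain-http issuer permitted)"
  grep -Eq 'allow-client-namespaces:[[:space:]]*"?\*"?' "$file" \
    && flag 'allow-client-namespaces is "*" (any namespace may register clients)'
  grep -Eq '^[[:space:]]*internalUnsafe:' "$file" \
    && flag "internalUnsafe identity provider in use (static test users)"
  # tls.disabled: true is the 'disabled: true' line directly under 'tls:'
  grep -A1 -E '^[[:space:]]*tls:' "$file" | grep -Eq 'disabled:[[:space:]]*true' \
    && flag "TLS disabled on the AuthServer"
  # static-user passwords must carry the {bcrypt} prefix; anything else is plain text
  plain=$(grep -E '^[[:space:]]*password:' "$file" \
            | grep -Evc 'password:[[:space:]]*"?\{bcrypt\}' || true)
  [ "$plain" -gt 0 ] && flag "$plain plain-text static-user password(s)"

  return "$n"
}

# Convenience wrapper that only reports the number of findings on stdout.
count_findings() {
  check_authserver_manifest "$1" | grep -c '^FINDING:' || true
}
```

Run against the manifest above it reports six findings; a manifest that uses a real identity provider (openID, ldap, saml) with TLS left on and a concrete client namespace reports none.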

  3. Apply authserver_unsafe_user.yaml to the authservers namespace.

$ kubectl apply -f authserver_unsafe_user.yaml
authserver.sso.apps.tanzu.vmware.com/authserver-sample created
rsakey.secretgen.k14s.io/my-token-signing-key created

  4. Verify the authserver is successfully deployed.

$ kubectl get authserver authserver-sample -n authservers
NAME                REPLICAS   ISSUER URI                                                             CLIENTS   STATUS
authserver-sample   2          http://authserver-sample.authservers.apps.appssotest.cloudfocused.in   0         Ready

  5. Verify the test user can log in:
     a. Go to the issuer URI (e.g. http://authserver-sample.authservers.apps.appssotest.cloudfocused.in/).
     b. Enter the username “ernie” (the test user defined in authserver_unsafe_user.yaml). Click Submit.
     c. Enter the password “password”. Click Sign In.
     d. Verify login is successful with the message “This is the home page placeholder. You have successfully logged in, but have nowhere to go.”

Set up workload

  1. Create a namespace workloads for deploying workloads.

$ kubectl create ns workloads

  2. Set up the namespace by applying the registry credentials and developer namespace configuration. Please find the details in the official documentation.
     a. Add read/write registry credentials to the developer namespace. Refer to step 1 in the documentation.

$ tanzu secret registry add registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --namespace workloads

     b. Add secrets, a service account to execute the supply chain, and RBAC rules that authorize the service account in the developer namespace (the workloads namespace). Refer to step 2 in the documentation.
  3. Create the client.yaml file.

apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: ClientRegistration
metadata:
  name: appsso-starter-java
  namespace: workloads
spec:
  authServerSelector:
    matchLabels:
      name: authserver-sample
      env: dev
  clientAuthenticationMethod: basic
  authorizationGrantTypes:
    - authorization_code
  redirectURIs:
    # update this value with the ksvc URL and claim name, e.g. http://<app-url>/login/oauth2/code/<claim-name>
    - http://appsso-starter-java.workloads.apps.appssotest.cloudfocused.in/login/oauth2/code/appsso-starter-java
  scopes:
    - name: openid

  4. Apply the client registration.

$ kubectl apply -f client.yaml

  5. Verify the client registration status is Ready. Ignore warnings, if any.

$ kubectl get clientregistration appsso-starter-java --namespace workloads

  6. Create a service claim with the client registration details. Note that the claim name must match the last path segment of the redirect URI in the client registration (see client.yaml).

$ tanzu services claims create appsso-starter-java \
    --namespace workloads \
    --resource-namespace workloads \
    --resource-name appsso-starter-java \
    --resource-kind ClientRegistration \
    --resource-api-version "sso.apps.tanzu.vmware.com/v1alpha1"

  7. Verify the service claim status is Ready: True.

$ tanzu services claims get appsso-starter-java --namespace workloads

  8. Create the workload using the sample appsso-starter-java.

$ tanzu apps workload create appsso-starter-java \
    --namespace workloads \
    --type web \
    --label app.kubernetes.io/part-of=appsso-starter-java \
    --service-ref "appsso-starter-java=services.apps.tanzu.vmware.com/v1alpha1:ResourceClaim:appsso-starter-java" \
    --git-repo https://github.com/sample-accelerators/appsso-starter-java.git \
    --git-branch main \
    --live-update \
    --yes

  9. Verify the workload is in Ready status.

$ tanzu apps workload get appsso-starter-java -n workloads
# appsso-starter-java: Ready
---
lastTransitionTime: "2022-08-05T07:52:21Z"
message: ""
reason: Ready
status: "True"
type: Ready

Services
CLAIM                 NAME                  KIND            API VERSION
appsso-starter-java   appsso-starter-java   ResourceClaim   services.apps.tanzu.vmware.com/v1alpha1

Pods
NAME                                                    STATUS      RESTARTS   AGE
appsso-starter-java-00001-deployment-65579799c6-zrxkz   Running     0          3m22s
appsso-starter-java-00002-deployment-7c4ddffd99-pkc8r   Running     0          3m21s
appsso-starter-java-build-1-build-pod                   Succeeded   0          6m27s
appsso-starter-java-config-writer-2kwrg-pod             Succeeded   0          4m13s

Knative Services
NAME                  READY   URL
appsso-starter-java   Ready   http://appsso-starter-java.workloads.apps.appssotest.cloudfocused.in

 10. Navigate to the application URL, e.g. http://appsso-starter-java.workloads.apps.appssotest.cloudfocused.in/home
 11. Click the Login using App SSO button.
 12. Enter the test user credentials. Username: “ernie”, Password: “password”
 13. Verify the logged-in page is displayed.

Reference

  1. Official documentation: Application Single Sign-On for VMware Tanzu® (2.0.0) https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-app-sso-about.html