Secure Authentication to Tekton Dashboard using OIDC
Tekton is gaining a lot of popularity as a powerful cloud-native CI/CD tool. Using it for local projects is fun and needs no hardening at all, but in more advanced scenarios it becomes inconvenient to hand out basic-auth credentials for access to all the Tekton resources of your organization: the credentials are shared, and there is no per-user control over who can log in.
That's why we put an OpenID Connect (OIDC) provider in front of our Tekton Dashboard service, to get better control over the people who can access the dashboard.
Requirements of this post:
- A general understanding of kubectl commands.
- A running instance of Kubernetes.
- A running ingress controller in your cluster.
If you don't know what Tekton or OIDC is, start with these two pages:
- Welcome to Tekton: Tekton is a cloud-native solution for building CI/CD systems. It consists of Tekton Pipelines, which provides the…
- What is OpenID Connect? Why is an OpenID Connect certification important? The OpenID Connect certification and accompanying conformance…
The motivation behind this post is to share how to secure your Tekton Dashboard, since I'm a huge fan of open-source technologies (especially Kubernetes).
I'll go through the process step by step so that you find this article helpful regardless of your seniority level in Tekton (I hope :) ).
Note: if you already have Tekton and the Tekton Dashboard installed, skip to step 3.
1- Install Tekton
Tekton Pipelines can be installed from the official release manifest; run the following command:
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
2- Install Tekton Dashboard
The Tekton Dashboard is installed separately from Tekton Pipelines and its CRDs; you can install it by running the following command:
kubectl apply --filename https://github.com/tektoncd/dashboard/releases/latest/download/tekton-dashboard-release.yaml
Now that Tekton is set up, check the installation by listing the pods in the 'tekton-pipelines' namespace (both Pipelines and the Dashboard are deployed there). Wait until all the pods are in the Running state before continuing.
3- Create Okta account
Okta is an OIDC provider with a free developer tier; that is what I used to secure my Tekton Dashboard. You can create an account at this link:
After creating your account, let's create your first OIDC integration.
4- Create web application in Okta
In the left-side menu go to Applications -> Applications.
- Click on 'Create App Integration'.
- Select 'OIDC' as your sign-in method and 'Web application' as your application type.
- Click Next.
- Give your app integration a name.
- In Sign-in redirect URIs: add your Tekton Dashboard URL followed by /oauth2/callback (this is the callback path served by oauth2-proxy; the value must match the --redirect-url you configure later exactly).
- In Sign-out redirect URIs: add your Tekton Dashboard URL.
- You can leave the Trusted Origins block empty.
- In Assignments, you can grant access to anyone who authenticates successfully via Okta, or scope it to a specific group (in case you have several groups of users in your Okta account and want to give access only to some of them). This assignment is what decides who may reach the dashboard, so be deliberate here.
- Click Save.
Now that the app integration is created, Okta shows its client credentials; let's go to the next step.
5- Create Tekton dashboard OIDC manifest
Now that we have created our Okta OIDC integration, let's wire it to our Tekton Dashboard.
- First we need the client ID and client secret stored as a Kubernetes secret (the keys are named username and password, but they hold the client ID and client secret). Create it in the namespace where the oauth2-proxy manifest will be deployed, using the following kubectl command:
kubectl create secret generic tekton-dashboard-auth --from-literal=username=YOUR_CLIENT_ID --from-literal=password=YOUR_CLIENT_SECRET
You can find the client ID and client secret values in the "Client Credentials" block of the app integration page:
The next step is made easy for you: download the following manifest, fill in each value from the app credentials we just created together, and apply it. I assume you have a running ingress controller in your cluster (for example the NGINX ingress controller).
The command I used opens the file in VS Code; if you don't use it, open the manifest in your preferred editor.
Then edit the YAML file and change the following fields:
- --redirect-url: the Sign-in redirect URI you registered in Okta (your dashboard URL + /oauth2/callback). It must match the Okta value exactly, or the login round trip fails.
- --oidc-issuer-url: the issuer URL of your Okta domain. oauth2-proxy fetches /.well-known/openid-configuration from this URL and checks the iss claim of every ID token against it, so use the issuer value Okta publishes there, not just any URL on your domain.
- --cookie-secret: a random value of 16, 24 or 32 bytes, base64-encoded (oauth2-proxy refuses to start with any other length). Generate a fresh one; do not reuse the client secret.
- host: change the host to the hostname of your Tekton Dashboard ingress.
These values can be found in the same app integration page we were using.
Basically, this YAML file deploys an oauth2-proxy container as a pod in your Kubernetes cluster. The ingress routes your dashboard URL to the proxy first; the proxy sends you to Okta to log in and, once you are authenticated, forwards your requests to the dashboard UI behind it. If you already have an ingress for your dashboard, delete it before applying the manifest: an ingress that points straight at the dashboard service is an unauthenticated path that bypasses the proxy entirely.
Finally apply the configuration manifest :
kubectl apply -f tekton-dashboard-oidc.yaml
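As an added example (not the manifest the post links to, and not Tekton's or oauth2-proxy's own code), here is a complete manifest of that shape: a cookie-secret Secret, the oauth2-proxy Deployment and Service, and the Ingress that fronts it. The values are assumptions: the dashboard is served at tekton.example.com, the Okta issuer is https://dev-123456.okta.com/oauth2/default (the default authorization server; copy the issuer field from your own /.well-known/openid-configuration), a TLS secret named tekton-dashboard-tls already exists, the ingress class is nginx, and the tekton-dashboard-auth secret from step 5 lives in the tekton-pipelines namespace.

```yaml
# Added example, not the post's original manifest. Assumed values:
#   dashboard host  tekton.example.com; Okta issuer https://dev-123456.okta.com/oauth2/default
#   TLS secret tekton-dashboard-tls already present; tekton-dashboard-auth secret from step 5
apiVersion: v1
kind: Secret
metadata:
  name: tekton-dashboard-oidc-cookie
  namespace: tekton-pipelines
type: Opaque
stringData:
  # 16, 24 or 32 random bytes, base64-encoded; oauth2-proxy rejects other lengths.
  # Generate with: openssl rand -base64 32 | tr -- '+/' '-_'
  cookie-secret: REPLACE_WITH_GENERATED_VALUE
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-dashboard-oauth2-proxy
  namespace: tekton-pipelines
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tekton-dashboard-oauth2-proxy
  template:
    metadata:
      labels:
        app: tekton-dashboard-oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://dev-123456.okta.com/oauth2/default
            # Must equal the Sign-in redirect URI registered in Okta.
            - --redirect-url=https://tekton.example.com/oauth2/callback
            # Dashboard Service from the release manifest; it stays ClusterIP.
            - --upstream=http://tekton-dashboard.tekton-pipelines.svc.cluster.local:9097
            - --http-address=0.0.0.0:4180
            # Okta's app assignment decides who may log in, so accept any e-mail domain.
            - --email-domain=*
            - --cookie-secure=true
            - --cookie-httponly=true
            - --cookie-refresh=1h
            - --cookie-expire=8h
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef: {name: tekton-dashboard-auth, key: username}
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef: {name: tekton-dashboard-auth, key: password}
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef: {name: tekton-dashboard-oidc-cookie, key: cookie-secret}
          ports:
            - containerPort: 4180
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
apiVersion: v1
kind: Service
metadata:
  name: tekton-dashboard-oauth2-proxy
  namespace: tekton-pipelines
spec:
  selector:
    app: tekton-dashboard-oauth2-proxy
  ports:
    - port: 4180
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  ingressClassName: nginx
  tls:
    - hosts: [tekton.example.com]
      secretName: tekton-dashboard-tls
  rules:
    - host: tekton.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              # The only backend is the proxy; never point an Ingress at tekton-dashboard itself.
              service:
                name: tekton-dashboard-oauth2-proxy
                port:
                  number: 4180
```

Two caveats worth keeping in mind with this layout. Browsers can only reach the dashboard through the proxy because the dashboard Service has no Ingress of its own, but anything already running inside the cluster can still call tekton-dashboard:9097 directly, so add a NetworkPolicy on the dashboard pod if in-cluster callers are not trusted. And the proxy is an authentication gate, not per-user authorization: every user who passes it acts through the dashboard's own service account, so who gets in is decided by the Okta assignment, and what they can do is decided by the RBAC granted to the dashboard.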
Hooray! You have just put OIDC in front of your Tekton Dashboard; the login page now looks like this:
That's way cooler than the basic authentication stuff 🙉
The next step is to invite, from Okta, the people you want to let into your dashboard. They log in with an e-mail and password while you keep control over their access to the Tekton Dashboard: if someone should no longer have access, just remove them from Directory -> People and their next login is refused.
Special Step: Invite users to your Tekton Dashboard
After setting up OIDC with your Tekton Dashboard, it's time to give people access to it.
Go to Directory -> People.
- Start adding people from there by clicking on '+Add person'.
You can either give them access immediately by checking 'Send user activation email now', or just add them now and activate them manually later by leaving that box unchecked (the default).
In this article we discussed why basic authentication for the Tekton Dashboard isn't enough, then we presented some steps to strengthen authentication to the dashboard via OpenID Connect. Together we:
- Installed Tekton Pipelines and its CRDs.
- Installed the Tekton Dashboard.
- Created an Okta developer account.
- Created an app integration.
- Created the OIDC workflow.
- Implemented OIDC with the Tekton Dashboard.
- Added the people who can access your Tekton Dashboard.
Thank you for reading this far; I hope you had fun with this post. See you next time! Be safe ❤