Secure Authentication to Tekton Dashboard using OIDC

Tekton is winning a lot of fame as a powerful CI/CD cloud native tool, using it in local projects can be fun and does not require any sort of reinforcement. But, in advanced scenarios it can be inconvenient to have basic auth credentials to login to all tekton resources of your organization.

That’s why we thought of adding an Open ID Connect provider to our tekton dashboard service to have better control over people that can access our dashboard.

Requirements of this post:

  • A General understanding of kubectl commands.
  • A running instance of Kubernetes.
  • A running ingress controller in your cluster.

If you don’t know what Tekton is or what OIDC is, check these links:

The motivation behind this post is to share how to secure your Tekton dashboard since I’m a huge fan of open source technologies ( especially Kubernetes )

I’ll be going through the process step by step so that you find this article helpful regardless of your seniority level in Tekton ( I hope :) )

Warning: if you already have Tekton installed go to step 3 !

1- Install Tekton

Tekton can be installed via the official yaml manifest, run the following command

kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

2- Install Tekton Dashboard

Tekton dashboard is installed separately with Tekton CRDs, you can install it by running the following command

kubectl apply --filename https://github.com/tektoncd/dashboard/releases/latest/download/tekton-dashboard-release.yaml

Now that you set up Tekton, you can check the installation by getting the pods running in ‘tekton-pipelines’ namespace. Wait until all the pods are in a running state.

3- Create Okta account

Okta is a cool OIDC provider, I used it for free to secure my Tekton dashboard. You can create an account in this link:
https://www.okta.com/developer/signup

After creating your account, let’s start creating your first OIDC workflow.

4- Create web application in Okta

In the left side menu go to Applications -> Applications

Okta Navigation Menu
  • Click on ‘Create App Integration’
Applications section in Okta

Select ‘OIDC’ as your Sign-in method and ‘Web application’ as your Application type.

  • Click on next !
  • Give your App integration a name
  • in Sign-in redirect URI: add your Tekton Dashboard Url + /oauth2/callback
  • in Sign-out redirect URI: add your Tekton Dashboard Url
First step of Web App Integration
  • you can leave Trusted Origin block empty
  • In Assignments, you can give access to anyone that authenticate successfully via Okta or Scope a specific group ( in case your have several groups of users in your Okta account and want to give access only to some group of users )
Second Step of Web App Integration
  • Click Save !

Now that you have created your app integration successfully, you can see all your integration creds, let’s go to the next step.

5- Create Tekton dashboard OIDC manifest

Now that we created our Okta OIDC integration, let’s implement it with our Tekton dashboard.

  • First we need the client ID and client secret as a kubernetes secret, let’s create them using the following kubectl command:
kubectl create secret generic tekton-dashboard-auth--from-literal=username=YOUR_CLIENT_ID --from-literal=password=YOUR_CLIENT_SECRET

You can find client ID and client Secret values in “Client Credentials” block:

Client Credentials

The next steps are made easy for you, just clone the following manifest, and fill each value from the app credentials we just created together then apply it. I assume you have a running ingress-controller in your cluster ( like nginx ingress controller .. )

git clone https://gitlab.com/guourch.otmane/tekton-dashboard-oidc.git

I assume you have VS code in this command, if not use your prefered IDE to edit the manifest.

code ./tekton-dashboard-oidc/

Then edit the YAML file and change the following fields:

  • — redirect-url : Add your Okta Sign-in redirect URIs.
  • — oidc-issuer-url : Add your Okta Domain.
  • — cookie-secret : Generate a base64 encoded from 16 digits and assign it to be used as cookie secret.
  • - host: change the host with your tekton dashboard ingress url.

These values can be found in the same app integration page we were using.

Basically, this yaml file deploys an oauth2 proxy container image running as a pod in your kubernetes cluster, it is configured to be routed first when calling your dashboard URL endpoint then it will redirect you to your main dashboard UI, also we have an ingress to expose it to the outside world. If you already have an ingress for your dashboard, you will need to delete it and then apply the YAML manifest.

Finally apply the configuration manifest :

kubectl apply -f tekton-dashboard-oidc.yaml

HOORAAAY ! you just implemented OIDC to your tekton dashboard, now your login page will look like this:

That’s way cool than the basic authentication stuff 🙉

Next Step, is to send invitations from Okta to people whom you want to login into your dashboard, they will login with an email and password while you have control on their login to tekton dashboard, if someone shouldn’t access the dashboard anymore just remove them from Directory-> People.

Special Step: Invite users to your Tekton Dashboard

After setting up OIDC with your Tekton Dashboard, it’s now time to give people access to it.

Go to Directory-> People

Directory menu
  • Start adding people from there by clicking on ‘+Add people’

You can either give them access immediately by checking ‘Send user activation email now’ or just add them and approve them later manually by letting that field unchecked by default.

TL;DR

In this article we discussed how basic-authentication of tekton dashboard can’t be enough, then we presented some tips to reinforce authentication to the dashboard via OpenID Connect, together we:

  • Installed Tekton CRDs.
  • Installed Tekton Dashboard.
  • Create an Okta developer account.
  • Create App integration.
  • Create OIDC workflow.
  • Implement OIDC with Tekton Dashboard.
  • Add people who can access your Tekton Dashboard.

Thank you for reaching this far, I hope you had fun during this post, see you next ! be safe ❤

--

--

--

Follow the life of OCTO Technology Morocco through the eyes of its consultants

Recommended from Medium

Dev Update #4

How to deploy pyspark model using Flask

Announcing General Availability of YAML CD features in Azure Pipelines

Introduction to Communication management in AUTOSAR Adaptive platform

Will These Cloud Service Gotchas Doom Your App?

Thunder Client

Beginning Swift Programming Part 13 — Generics

How does your team communicate bad news?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Otmane Guourch

Otmane Guourch

A huge fan of kubernetes and cloud native tools.

More from Medium

Multiple Cloud Full-Stack delivery

OpenMLDB-based Paper Published in VLDB 2021: Optimizing In-memory Database Engine for AI-powered…

Creating And Using a Terraform module

Benchmarking fluent-bit with Clickhouse