Once the VMware Tanzu™ Kubernetes Grid™ cluster has been configured to work with Pinniped and the OIDC provider, the next step is to configure Kubeapps. This involves a number of tasks, including making Kubeapps proxy requests to Pinniped, enabling the OIDC login and, optionally, configuring the look and feel of the Kubeapps user interface.
Kubeapps is currently officially delivered as a Helm chart packaged by Bitnami. This Helm Chart offers a large number of configuration options in its values.yaml
file. A general overview of the key configuration parameters for a TKG cluster is shown below:
## Values likely to be modified
### Authentication-related parameters
clusters: # List of clusters that Kubeapps can target
authProxy: # Oauth2proxy configuration for setting up OIDC login
pinnipedProxy: # Pinniped-proxy configuration
### Look-and-feel-related parameters
dashboard: # Dashboard configuration
customStyle: # Custom css to inject
customComponents: # Custom components to inject
customLocale: # Custom strings to inject
apprepository: # Apprepository controller configuration
initialRepos: # Initial repositories to fetch
TIP: Refer to the Bitnami Kubeapps Helm chart documentation for more information.
The two main configuration areas are authentication and user interface.
Key authentication parameters are:
clusters
to define the list of clusters that Kubeapps can target and which of them will use Pinniped;pinnipedProxy
to enable the Pinniped Proxy component;authProxy
: to define the flags used by OAuth2 Proxy, the component for performing the actual OIDC login.
Key user interface parameters are:
dashboard.customStyle
for injecting custom CSS;dashboard.customLocale
for customizing some supported strings;apprepository.initialRepos
for defining the repositories included by default during the installation.
TIP: These values can be entered in two different ways:
- As values passed via command line:
helm install kubeapps --namespace kubeapps --set ingress.enabled=true bitnami/kubeapps
- As values stored in a custom
values.yaml
file read in during chart deployment:helm install kubeapps --namespace kubeapps -f custom-values.yaml bitnami/kubeapps
The first step is to configure the clusters
, pinnipedProxy
and authProxy
parameters to reflect the work done in Step 1. These parameters are discussed below:
-
Declare that the target cluster is using Pinniped by setting the parameter
pinnipedConfig.enabled=true
. If using multiple target clusters, please refer to the Deploying to Multiple Clusters guide. Here is an example:TIP: Since the target cluster is the same as the cluster on which Kubeapps is installed, there is no need to set a URL. Note that the
name
field is used only to configure a display name in the Kubeapps dashboard.clusters: - name: my-tkg-cluster pinnipedConfig: enabled: true
-
Enable the Pinniped Proxy component so that the requests performed by Kubeapps can be proxied through Pinniped, by setting the parameter
pinnipedProxy.enabled=true
. Here is an example:pinnipedProxy: enabled: true defaultAuthenticatorName: kubeapps-jwt-authenticator # this name must match the authenticator name previously created
TIP: The
defaultAuthenticatorName
must match the JWTAuthenticator resource name created in Step 1.NOTE: Just if you are using the Pinniped version provided by TMC (instead of the one already provided by TKG), you also need to point to its namespace and API group suffix as follows. You can read more about it in the chart documentation.
pinnipedProxy: # other options defaultPinnipedNamespace: vmware-system-tmc defaultPinnipedAPISuffix: pinniped.tmc.cloud.vmware.com
-
Configure the OAuth2Proxy component by entering the information gathered from the OIDC provider in Step 1. This component performs the authentication flow, generating the appropriate request to the login page and retrieving the token in the callback URL. Here is an example. Remember to replace the placeholders as follows:
- Replace
CLIENT-ID
with the application ID obtained from the JSON file in the previous step. - Replace
CLIENT-SECRET
with the application secret obtained from the JSON file in the previous step. - Replace
COOKIE-SECRET
with a seed string for secure cookies (should be a 16-, 24-, or 32-byte string). Have a look at the OAuth2Proxy documentation for additional information. - Replace the
OIDC-ISSUER-URL
with the issuer URL of the OIDC provider. For CSP it ishttps://gaz.csp-vidm-prod.com
. - Replace the
OIDC-LOGIN-URL
with the login URL of the OIDC provider. For CSP it ishttps://console.cloud.vmware.com/csp/gateway/discovery
. - Replace the
OIDC-REDEEM-URL
with the token redeem URL of the OIDC provider. For CSP it ishttps://console.cloud.vmware.com/csp/gateway/am/api/auth/token
. - Replace the
OIDC-JWKS-URL
with the JSON Web Key Set URL of the OIDC provider. For CSP it ishttps://console.cloud.vmware.com/csp/gateway/am/api/auth/token-public-key?format=jwks
.
- Replace
TIP: Remember that any OIDC-compliant provider should expose a
.well-known/openid-configuration
(CSP example) where you will able to find the required endpoints in this step.
authProxy:
enabled: true
provider: oidc
clientID: CLIENT-ID
clientSecret: CLIENT-SECRET
cookieSecret: COOKIE-SECRET
additionalFlags:
- --skip-oidc-discovery=true
- --oidc-issuer-url=OIDC-ISSUER-URL # In CSP: https://gaz.csp-vidm-prod.com
- --login-url=OIDC-LOGIN-URL # In CSP: https://console.cloud.vmware.com/csp/gateway/discovery
- --redeem-url=OIDC-REDEEM-URL # In CSP: https://console.cloud.vmware.com/csp/gateway/am/api/auth/token
- --oidc-jwks-url=OIDC-JWKS-URL # In CSP: https://console.cloud.vmware.com/csp/gateway/am/api/auth/token-public-key?format=jwks
TIP: In some providers whose issuer URL does match the token URL, the flag
--skip-oidc-discovery=true
can be removed. Instead, just setting the--oidc-issuer-url
flag will perform the automatic discovery of the rest of the endpoints. Further information at the official OAuth2Proxy documentation.
At this point, Kubeapps is configured to use Pinniped for authentication.
The next step is to provide a rich user experience, aligned with corporate branding policies. This is achieved by configuring the dashboard
and apprepository
parameters. These parameters are discussed below:
-
Customize the interface strings and CSS rules with the
dashboard.customLocale
anddashboard.customStyle
parameters. A simple example is to change the displayed application name (Kubeapps
) and replace it with a different name, the corporate name/brand (VMware Tanzu™ Kubeapps
). To do this, just set thedashboard.customLocale
parameters to the custom strings. Here is an example of replacingKubeapps
withVMware Tanzu™ Kubeapps
:dashboard: customLocale: Kubeapps: VMware Tanzu™ Kubeapps login-desc-oidc: Access to the VMware Tanzu™ Kubeapps using your My VMware account. login-oidc: Login via VMware Cloud Services
TIP: See the complete list of customizable strings.
In a similar manner, add custom style rules using custom CSS selectors. For example, to change the Kubeapps logo, set the selector
.kubeapps-logo
to the propertybackground-image: url('data:image/png;base64...')
as shown in the example below. The long string shown is the Base64-encoded data for the new logo image.dashboard: customStyle: |- .kubeapps-logo { background-image: url('') !important; width: 21.6em !important; height: 4.2em !important; }
This image depicts a customized version of Kubeapps applying the above styles and strings:
-
Customize the initial application repositories by setting the
apprepository
parameter. Here is a simple example of adding the Bitnami open source catalog:apprepository: initialRepos: - name: bitnami url: https://charts.bitnami.com/bitnami
At this point, Kubeapps is configured to use a custom interface.
With the configuration out of the way, it's time to install Kubeapps. Since Kubeapps is currently officially delivered as a Helm chart packaged by Bitnami, the easiest way to install Kubeapps is to add the Bitnami repository to Helm and install it via Helm.
In case Kubeapps is to be installed in an air-gapped environment, please follow the offline installation instructions instead.
TIP: Typically, the Kubeapps dashboard is set as externally accessible, either by setting the parameter
frontend.service.type=LoadBalancer
(as shown below) or by using an Ingress controller. Please refer to the Kubeapps documentation covering external access for additional information.frontend: service: type: LoadBalancer
Use the commands below to install Kubeapps. The final command assumes that the Kubeapps chart configuration parameters are defined in a file named custom-values.yaml
, so ensure this file exists before executing that command.
# Install the Bitnami helm repository
helm repo add bitnami https://charts.bitnami.com/bitnami
# Create a 'kubeapps' namespace in our cluster
kubectl create namespace kubeapps
# Install a 'kubeapps' release in the 'kubeapps' namespace with the values defined at 'custom-values.yaml'
helm install kubeapps --namespace kubeapps bitnami/kubeapps -f custom-values.yaml
Finally, remember to replace the placeholder Redirect URIs you entered when creating the OAuth2 application during step 1 with the actual value.
For instance, assuming Kubeapps is accessible at https://kubeapps.example.com
replace https://localhost/oauth2/callback
with https://kubeapps.example.com/oauth2/callback
.
TIP: If you are serving Kubeapps from a subpath, for instance,
https://example.com/kubeapps
, you will need to slightly modify theauthProxy
configuration. Please follow these instructions for further details.
At this point, Kubeapps is installed in the cluster and the OIDC provider is fully configured.
Once Kubeapps is installed, the next step is to configure access. Since Kubeapps delegates authorization to the existing Role-Based Access Control (RBAC) configured in the cluster, every permission should be granted using ClusterRoleBinding
and RoleBinding
objects. Please refer to the official documentation about Kubeapps access control for more information.
NOTE: RBAC configuration depends on your custom business requirements. The configuration shown below is only an example and not meant for production use. Please refer to the official Kubernetes RBAC documentation for more details.
The configuration shown below demonstrates how to create a ClusterRoleBinding
named kubeapps-operator
with the cluster-admin
role for a specified user. Replace the EMAIL-ADDRESS
placeholder with the email address for the user, as specified in the OIDC provider and name the file kubeapps-rbac.yaml
.
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubeapps-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: EMAIL-ADDRESS
Apply this configuration by executing the following command:
kubectl apply -f kubeapps-rbac.yaml
At this point, the user having EMAIL-ADDRESS
email account will have cluster-admin
access and will be able to perform any desired action via the kubectl
CLI or the Kubeapps dashboard.
Once Kubeapps is installed and configured, the next step is to log in and access the Kubeapps Web dashboard. The procedure to do this depends on how Kubeapps was configured.
-
If the service was exposed externally, it may be accessed using a public IP address; if not, it can be accessed locally by forwarding the cluster port using the command below:
kubectl port-forward -n kubeapps svc/kubeapps 8080:80
This will start an HTTP proxy for secure access to the Kubeapps dashboard.
-
Browse to http://127.0.0.1:8080 (when forwarding the port) or to the public IP address of the serevice (when exposing the service externally). You see the Kubeapps login page, as shown below:
-
Click the Login button. You are redirected to the OIDC provider (in this example, the VMware Cloud Services Portal).
-
Enter the necessary credentials. If the login is successful, you are redirected to the Kubeapps dashboard:
At the end of this step, the Kubeapps installation is configured, customized and running in the cluster. The next step is to add application repositories to Kubeapps.