
Create a Tekton Dashboard Authenticated User on EKS using AWS Cognito

Aim

The goal of this article is to add authentication to the Tekton dashboard installed on AWS EKS

If you only want to install the dashboard and keep it publicly accessible, take a look at my previous blog post on Expose EKS tekton pipeline dashboard with ssl enabled.

Photo by Iraj Ishtiak on Unsplash

Prerequisite

  • An EKS cluster
  • Kubectl is configured on your local machine
  • Tekton pipeline installation

Strategy

According to the Tekton Dashboard documentation:

The dashboard does not provide its own authentication or authorization, but it will forward any authentication headers provided to it by a proxy deployed in front of the dashboard.

For authentication, there are several options like oauth2-proxy, Keycloak, OpenUnison, Traefik, Istio’s EnvoyFilter. For this tutorial, we will use oauth2-proxy.

Workflow

— An oauth2 proxy service will be deployed

— This service will be exposed through the load balancer and the load balancer will be mapped to your domain, e.g. tekton-dashboard.myeks.com

— The upstream of the oauth-proxy service is the tekton-dashboard service.

— We will use AWS Cognito as the OIDC provider for the oauth2 proxy service, i.e. users are authenticated via AWS Cognito.

— With the above configuration, when the end user requests the Tekton dashboard (e.g. at tekton-dashboard.myeks.com), the request first reaches the oauth2 proxy service.

— The oauth2-proxy service forwards the request to AWS Cognito to verify whether the user is authenticated.

— If authenticated, the user is logged in and can view the Tekton dashboard.

Step by step

Install Tekton Dashboard

— Install the Tekton Dashboard using official documentation

— Add a service to access the Tekton dashboard, for example tekton-dashboard.yaml:

apiVersion: v1 
kind: Service 
metadata: 
  labels: 
    app: tekton-dashboard 
    app.kubernetes.io/component: dashboard 
    app.kubernetes.io/instance: default 
    app.kubernetes.io/name: dashboard 
    app.kubernetes.io/part-of: tekton-dashboard 
    app.kubernetes.io/version: v0.49.0 
    dashboard.tekton.dev/release: v0.49.0 
    version: v0.49.0 
  name: tekton-dashboard 
  namespace: tekton-pipelines 
spec: 
  ports: 
    - name: http 
      port: 9097 
      protocol: TCP 
      targetPort: 9097 
  selector: 
    app.kubernetes.io/component: dashboard 
    app.kubernetes.io/instance: default 
    app.kubernetes.io/name: dashboard 
    app.kubernetes.io/part-of: tekton-dashboard 
  sessionAffinity: None 

Note that this service has no type, so it defaults to type ClusterIP. This means it is only reachable from inside the cluster, i.e. the service can be accessed at http://tekton-dashboard:9097.

Configure AWS Cognito

Create a user pool

Go to the AWS Cognito console and click on Create user pool.

Configure the login experience

Select User name and Email as the sign-in options.

Configure security requirements

Keep all settings at their defaults, except select the No MFA option to keep things simple.

Configure the registration experience

For this section, keep the default options.

Configure message delivery

For message delivery, select Send email with Cognito.

Integrate your application

Give the user pool a name, for example tekton-users, and name the app client tekton. Make sure the app client is public and check the option Generate a client secret. Keep all other settings at their defaults.

Create an identity pool

Create an identity pool by going to AWS Cognito and then the Identity pools console.

Configure Identity Pool Trust

Check Authenticated access and Amazon Cognito user pool.

Configure permissions

Create a new role, for example named tekton-identity-role:


Connecting Identity Providers

Select your user pool, for example tekton-users, and the app client (e.g. tekton) that you created in the previous steps. Leave everything else at the defaults.

Configure properties

Give it a name, for example tekton-idp, and keep everything else at the default values.

Review and Create

Review and create your identity pool

Create a user in your user pools

Open your user pool, for example tekton-users, then click on Users and then Create user.

Enter your username and email and set a password:


We have now completed the AWS Cognito setup. Let’s move on to Oauth2 Proxy.

Installation and configuration of Oauth2-Proxy

What we need to do now is deploy oauth2-proxy as a Kubernetes Deployment, expose it to the world by creating a Service, and map our domain name to that Service.

Create a secret for the Tekton dashboard

$ kubectl create secret generic tekton-dashboard-auth \
-n tekton-pipelines \
--from-literal=username=CLIENT_ID \
--from-literal=password=CLIENT_SECRET

You will find the CLIENT_ID and CLIENT_SECRET of your AWS user pool as follows:

  • Go to Cognito User Pools and select your user pool (e.g. tekton-users)
  • Click on the App integration tab
  • Go to the App client list section
  • Click on your app client
  • On the app client information page you will find the Client ID and Client Secret.

Add the oauth2-proxy deployment

Before creating the deployment for oauth2-proxy, check the following values:

  • upstream: the URL of the tekton-dashboard service. In our case, it is http://tekton-dashboard:9097.
  • redirect-url: the URL Cognito redirects the browser back to after login. This is the oauth2-proxy callback URL on your Tekton Dashboard domain, for example https://tkn-dashboard.myeks/oauth2/callback
  • oidc-issuer-url: the OIDC issuer URL of your AWS Cognito user pool. It has the form https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID. For example, if your region is eu-west-1 and your user pool ID is eu-west-1-1234, it will be https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1-1234. You will find the user pool ID on your AWS Cognito user pool overview page.
  • cookie-secret: a random string used to sign and encrypt the session cookie. You can generate one with openssl:
$ openssl rand -base64 32 | head -c 32 | base64

To make things easier, I placed the deployment and service files in this eks-tekton github repository. Clone it and fill in the values of the above parameters in the deployment manifest.

(Don’t apply it yet, we need to change the service too)

Expose oauth2 proxy service with LoadBalancer

Create a certificate

Create a certificate using AWS Certificate Manager for your domain tekton-dashboard.myeks.com. Also make sure to validate the certificate.

Add arn certificate to service

We need to add the following annotations to the Service, which needs the certificate ARN:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above" 
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" 

Replace the certificate ARN in the tekton-dashboard-auth service manifest of your cloned github repository.
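To show how the values discussed above fit together, here is an added example of the two manifests (it is not the content of the eks-tekton repository and not part of the original post): an oauth2-proxy Deployment that reads the client ID and secret from the tekton-dashboard-auth Secret created earlier, and the LoadBalancer Service carrying the certificate annotations. The Deployment and Service names, the image tag, the oauth2-proxy listen port 4180 and the domain tekton-dashboard.myeks.com are assumptions; AWS_REGION, USER_POOL_ID and CERTIFICATE_ARN are placeholders to replace with your own values. The redirect-url must also be registered as an allowed callback URL on the Cognito app client, otherwise Cognito refuses the login redirect.

```yaml
# Added example, not from the original post or its repository.
# Placeholders: AWS_REGION, USER_POOL_ID, CERTIFICATE_ARN, the cookie secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
  labels:
    app: tekton-dashboard-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tekton-dashboard-auth
  template:
    metadata:
      labels:
        app: tekton-dashboard-auth
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
          args:
            - --provider=oidc
            - --provider-display-name=AWS Cognito
            # Issuer of the Cognito user pool (see oidc-issuer-url above)
            - --oidc-issuer-url=https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID
            # Callback on the public domain; register it on the Cognito app client too
            - --redirect-url=https://tekton-dashboard.myeks.com/oauth2/callback
            # The ClusterIP service of the dashboard defined earlier
            - --upstream=http://tekton-dashboard:9097
            - --http-address=0.0.0.0:4180
            # Any authenticated Cognito user may pass; restrict further if needed
            - --email-domain=*
            # Session cookie only over TLS and not readable by page scripts
            - --cookie-secure=true
            - --cookie-httponly=true
            - --cookie-samesite=lax
          env:
            # Client ID / secret come from the Secret created with kubectl above
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: tekton-dashboard-auth
                  key: username
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: tekton-dashboard-auth
                  key: password
            # Output of the openssl command above; prefer a Secret over an
            # inline value if the manifest is committed to git
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: "REPLACE_WITH_COOKIE_SECRET"
          ports:
            - name: http
              containerPort: 4180
          readinessProbe:
            httpGet:
              path: /ping
              port: http
---
apiVersion: v1
kind: Service
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
  annotations:
    # TLS terminates on the load balancer with the ACM certificate
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "CERTIFICATE_ARN"
    # Applies TLS to the service port named "https" below
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # Load balancer talks plain HTTP to oauth2-proxy inside the cluster
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
spec:
  type: LoadBalancer
  selector:
    app: tekton-dashboard-auth
  ports:
    - name: https
      port: 443
      targetPort: http
      protocol: TCP
```

The Service port is named https so that the aws-load-balancer-ssl-ports annotation matches it, and only oauth2-proxy is exposed: the dashboard itself stays on its ClusterIP service and is reached exclusively through the proxy's upstream.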

Create the deployment and service

If you are at the root of the cloned repository, modified according to the steps above, you can now apply it:

$ kubectl apply -n tekton-pipelines -k tekton-dashboard-oidc 

This will create the deployment and corresponding services, and a load balancer will be created that points to the oauth2 proxy service.

Mapping the domain with Loadbalancer

Now, look up the LoadBalancer created for the service:

$ kubectl get svc tekton-dashboard-auth -n tekton-pipelines

You will find the LoadBalancer hostname in the EXTERNAL-IP column.

  • Using that hostname, locate the LoadBalancer in the AWS console and verify that it has a listener on port 443 and that the SSL certificate you set on the Service is attached to it.
  • In AWS Route53, associate your domain name (e.g. tekton-dashboard.myeks.com) with the LoadBalancer. If you are doing this for the first time, you can follow the documentation on routing AWS traffic to an ELB load balancer.

That’s it, now you can browse the Tekton dashboard using your domain, for example https://tekton-dashboard.myeks.com, and it will ask you to log in with AWS Cognito.

If you enter the right username and password, you will land on the Tekton Dashboard home page 🎉.

NB. The image attached to this article is not related to the content, it is simply there to soothe your eyes 🙂

References:

https://medium.com/octo-technology-morocco/secure-authentication-to-tekton-dashboard-using-oidc-36de9b3f8a7d

https://stackoverflow.com/questions/56534589/is-there-a-way-to-configure-an-eks-service-to-use-https

https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html