OIDC/LDAP/OpenShift authentication
This page describes how to set up Dex to authenticate via OIDC, LDAP or OpenShift.

Introduction

TrilioVault for Kubernetes uses Dex IdP, a federated OpenID Connect provider, as a portal to other identity providers through "connectors".
A "connector" is a strategy Dex uses to authenticate a user against another identity provider. Dex implements connectors that target specific platforms such as GitHub, LinkedIn and Microsoft, as well as established protocols like LDAP.

Pre-Requisites

TVK Callback URL: http(s)://<ingress-domain>/dex/callback
  1. OIDC Provider: Configure your OIDC authentication provider to allow authentication for the TVK web UI. Create a new application in the provider's portal, register the callback URL above as its redirect URI, and generate the client ID and client secret.
  2. LDAP / AD: The LDAP connector requires one read-only user (the bind account) that can perform LDAP searches to fetch users and groups.
  3. OpenShift: By default, OpenShift clusters have Login via OpenShift configured during the TrilioVault installation; TVK doesn't require any user input for that.

Configuration

Step 1: Prepare a secret YAML file with the name triliovault-dex containing all the required details of the authentication provider. Refer to the format below and update the required values as needed:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: triliovault-dex
  labels:
    triliovault.trilio.io/secret: triliovault-dex
type: Opaque
stringData:
  TVK_LINKEDIN_AUTH: |-
    enabled: true
    type: linkedin
    id: linkedin
    name: LinkedIn
    config:
      clientID: 786xxxxxxxxxx
      clientSecret: 2myyyyyyyyyyy
      redirectURI: http://<ingress-domain>/dex/callback
  TVK_GITLAB_AUTH: |-
    enabled: true
    type: gitlab
    id: gitlab
    name: Gitlab
    config:
      clientID: xxxxxxxxxxxxxxxxxxxxxxxxxxx
      clientSecret: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
      redirectURI: http://<ingress-domain>/dex/callback
  TVK_GOOGLE_AUTH: |-
    enabled: true
    type: google
    id: google
    name: Google
    config:
      clientID: xxxxx.apps.googleusercontent.com
      clientSecret: yyyyyyyyyyyyyyyyyyyy
      redirectURI: http://<ingress-domain>/dex/callback
  TVK_GITHUB_AUTH: |-
    enabled: true
    type: github
    id: github
    name: GitHub
    config:
      clientID: xxxxxxxxxxxxxxxxxxxxx
      clientSecret: yyyyyyyyyyyyyyyyyyyyyyyy
      redirectURI: http://<ingress-domain>/dex/callback
  TVK_OIDC_AUTH: |-
    enabled: true
    type: oidc
    id: azure
    name: azure
    config:
      insecureSkipEmailVerified: true
      issuer: https://<login-endpoint>
      clientID: xxxxxxxxxxxxx
      clientSecret: yyyyyyyyyyyyyyyyyyyyyy
      redirectURI: http://<ingress-domain>/dex/callback
  TVK_LDAP_AUTH: |-
    enabled: true
    type: ldap
    id: ldap
    name: "LDAP"
    config:
      host: <ldap-host>
      startTLS: false
      insecureNoSSL: true
      insecureSkipVerify: true
      bindDN: "cn=admin,dc=trilio,dc=io"
      bindPW: <read-only-user-pass>
      usernamePrompt: "Username"
      userSearch:
        baseDN: "dc=trilio,dc=io"
        filter: ""
        username: cn
        idAttr: cn
        emailAttr: cn
        nameAttr: cn
      groupSearch:
        baseDN: "dc=trilio,dc=io"
        filter: ""
        userAttr: cn
        groupAttr: cn
        nameAttr: cn
  TVK_OPENSHIFT_AUTH: |-
    enabled: true
    type: openshift
    id: openshift
    name: OpenShift
    config:
      issuer: <OCP-api-url>
      clientID: system:serviceaccount:openshift-operators:<serviceaccount>
      clientSecret: yyyyyyyyyyyyyyyyy
      redirectURI: http://<ingress-domain>/dex/callback
      insecureCA: true
```
Step 2: Edit the secret.yaml from Step 1 and remove the sections that are not required. For example, if you only want to configure GitHub as an authentication provider, keep the TVK_GITHUB_AUTH section and remove the others.
Note: For OIDC providers that do not have a dedicated section in the secret, use TVK_OIDC_AUTH.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: triliovault-dex
  namespace: <tvk-install-namespace>
  labels:
    triliovault.trilio.io/secret: triliovault-dex
type: Opaque
stringData:
  TVK_GITHUB_AUTH: |-
    enabled: true
    type: github
    id: github
    name: GitHub
    config:
      clientID: xxxxxxxxxxxxxxxxxxxxx
      clientSecret: yyyyyyyyyyyyyyyyyyyyyyyy
      redirectURI: http://<ingress-domain>/dex/callback
```
Step 3: Apply this secret.yaml in the namespace of the Kubernetes cluster where TVK is installed. This creates the TVK Dex deployment, and the TVK web UI then shows an additional sign-in option, i.e. Login via GitHub.
```shell
kubectl apply -f secret.yaml -n <tvk-namespace>
```
Step 4: The GitHub sign-in option will appear on the UI console.
(Screenshot: Trilio Authentication - GitHub)

Additional Steps if using Port Forwarding or NodePort

Update the secret with an additional key, TVK_URL, that provides the custom URL, including the port, used to access the TVK dashboard.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: triliovault-dex
  namespace: <tvk-install-namespace>
  labels:
    triliovault.trilio.io/secret: triliovault-dex
type: Opaque
stringData:
  TVK_URL: http://<ingress-domain>:1234
  TVK_GITHUB_AUTH: |-
    enabled: true
    type: github
    id: github
    name: GitHub
    config:
      clientID: xxxxxxxxxxxxxxxxxxxxx
      clientSecret: yyyyyyyyyyyyyyyyyyyyyyyy
      redirectURI: http://<ingress-domain>:1234/dex/callback
```
That's it!
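A pre-flight check worth running over the secret before the kubectl apply in Step 3: it walks every TVK_*_AUTH block from Step 1, verifies the redirectURI against the callback URL (honouring the TVK_URL override from the port-forwarding section above), flags the insecure* switches and a plain-http callback, and catches template placeholders that were never replaced. This is an added example, not Trilio or Dex tooling; it assumes the secret's stringData has already been parsed into dicts (for instance with PyYAML's safe_load), and the ingress URL, hostnames and credentials in the sample are constructed.

```python
import re

ASSUMED_INGRESS = "https://tvk.example.internal"  # assumption: your TVK ingress URL
# Dex connector options from this page that switch off a transport or identity check.
INSECURE_FLAGS = {"ldap": ("insecureNoSSL", "insecureSkipVerify"),
                  "oidc": ("insecureSkipEmailVerified",), "openshift": ("insecureCA",)}
# Heuristic: an unreplaced <placeholder> or a long run of x/y left from the template.
PLACEHOLDER = re.compile(r"<[^>]+>|[xy]{8,}")

def audit_connector(key, conn, base_url):
    """Findings for one TVK_*_AUTH value, already parsed from its YAML block scalar."""
    findings, cfg = [], conn.get("config", {})
    if conn.get("enabled") is not True:
        findings.append(f"{key}: enabled is not true, connector will not be offered")
    expected = base_url.rstrip("/") + "/dex/callback"
    uri = cfg.get("redirectURI", "")
    if uri != expected:
        findings.append(f"{key}: redirectURI {uri!r} does not match {expected!r}")
    if uri.startswith("http://"):
        findings.append(f"{key}: redirectURI uses plain http, the auth code travels unencrypted")
    for flag in INSECURE_FLAGS.get(conn.get("type"), ()):
        if cfg.get(flag) is True:
            findings.append(f"{key}: {flag}: true disables a TLS or identity check")
    if conn.get("type") == "ldap" and cfg.get("insecureNoSSL") is True and not cfg.get("startTLS"):
        findings.append(f"{key}: bindPW and user passwords reach the LDAP host in cleartext")
    for name, val in cfg.items():
        if isinstance(val, str) and PLACEHOLDER.search(val):
            findings.append(f"{key}: config.{name} still holds template value {val!r}")
    return findings

def audit_secret(string_data):
    """string_data: the Secret's stringData map; TVK_URL (port-forward/NodePort) overrides the ingress."""
    base = string_data.get("TVK_URL", ASSUMED_INGRESS)
    return [f for k, v in string_data.items() if k.endswith("_AUTH")
            for f in audit_connector(k, v, base)]

# Constructed sample: the page's LDAP block with its insecure flags and placeholder left in.
SAMPLE = {
    "TVK_LDAP_AUTH": {"enabled": True, "type": "ldap", "config": {
        "host": "ldap.example.internal:636", "startTLS": False,
        "insecureNoSSL": True, "insecureSkipVerify": True,
        "bindDN": "cn=readonly,dc=example,dc=internal", "bindPW": "<read-only-user-pass>",
        "redirectURI": ASSUMED_INGRESS + "/dex/callback"}},
    "TVK_GITHUB_AUTH": {"enabled": True, "type": "github", "config": {
        "clientID": "constructed-id", "clientSecret": "constructed-secret",
        "redirectURI": ASSUMED_INGRESS + "/dex/callback"}},
}

if __name__ == "__main__":
    print("\n".join(audit_secret(SAMPLE)) or "no findings")
```

The LDAP block in the sample yields four findings (both insecure switches, the cleartext bind, and the unreplaced bindPW) while the GitHub block passes; the same function reports a single plain-http finding for the TVK_URL port-forwarding variant.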