Make Tekton Dashboard user authenticated at EKS using AWS Cognito

Md Asraful Haque (Sohel) - Aug 22 - Dev Community

Goal

The goal of this post is to add authentication to a Tekton Dashboard installed on AWS EKS.
If you only want to install the Dashboard and keep it publicly accessible, have a look at my previous blog post, Expose EKS tekton pipeline dashboard with ssl enabled.


Photo by Iraj Ishtiak on Unsplash

Pre-Requisite

  • An EKS cluster
  • kubectl configured on your local machine
  • Tekton Pipelines installed

Strategy

As per the Tekton Dashboard documentation:

The Dashboard does not provide its own authentication or authorization, however it will pass on any authentication headers provided to it by a proxy deployed in front of the Dashboard.

For authentication there are several options, such as oauth2-proxy, Keycloak, OpenUnison, Traefik and Istio's EnvoyFilter. For this tutorial we will use oauth2-proxy.

Workflows

-- An oauth2-proxy service will be deployed.
-- This service will be exposed via a LoadBalancer, and the LoadBalancer will be mapped to your domain, e.g. tekton-dashboard.myeks.com.
-- The upstream of the oauth2-proxy service is the tekton-dashboard service.
-- We will use AWS Cognito as the OIDC provider for the oauth2-proxy service, i.e. users will be authenticated via AWS Cognito.
-- With the above setup, when an end user requests the tekton-dashboard (e.g. at tekton-dashboard.myeks.com), the request first hits the oauth2-proxy service.
-- The oauth2-proxy service redirects the user to AWS Cognito to check whether the user is authenticated.
-- If authenticated, the user is logged in and can see the tekton-dashboard.

Step By Step

Install Tekton Dashboard

-- Install the Tekton Dashboard following the official documentation.
-- Add a Service to access the Tekton Dashboard, e.g. tekton-dashboard.yaml:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-dashboard
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
    app.kubernetes.io/version: v0.49.0
    dashboard.tekton.dev/release: v0.49.0
    version: v0.49.0
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  ports:
    - name: http
      port: 9097
      protocol: TCP
      targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None

Note that this Service has no explicit type, so it defaults to ClusterIP. That means it is only reachable from inside the cluster, i.e. this service can be accessed at http://tekton-dashboard:9097. This is intentional: the Dashboard itself must never be exposed directly, only through the authenticating proxy.

Setup AWS Cognito

Follow the steps from this blog post on how to set up AWS Cognito for this app.

Now we are done with setting up AWS Cognito. Let's move on to oauth2-proxy.
Note down the CLIENT_ID, CLIENT_SECRET and oidc-issuer-url from AWS Cognito; they are used in later steps.

Installing and Configuring Oauth2-Proxy

What we have to do now is deploy oauth2-proxy as a Kubernetes Deployment, expose that proxy to the world by creating a Service, and map the domain name to the Service.

Create Tekton Dashboard secret

$ kubectl create secret generic tekton-dashboard-auth \
-n tekton-pipelines \
--from-literal=username=CLIENT_ID \
--from-literal=password=CLIENT_SECRET

You will get the CLIENT_ID and CLIENT_SECRET from your AWS User Pool (see the steps in the AWS Cognito post).

Add the oauth2-proxy Deployment

Before creating the deployment for oauth2-proxy, check the following values:

  • upstream: This is the URL of the tekton-dashboard service. In our case it will be http://tekton-dashboard:9097.
  • redirect-url: The URL that Cognito redirects back to after login. It will be your tekton-dashboard callback URL, e.g. https://tkn-dashboard.myeks/oauth2/callback. This same URL must be registered as an allowed callback URL on the Cognito app client.
  • oidc-issuer-url: The OIDC URL for your AWS Cognito User Pool. It has the form https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID. For example, if your region is eu-west-1 and your user-pool id is eu-west-1-1234, then it will be https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1-1234. You will find the user-pool id on your AWS Cognito user-pools overview page.
  • cookie-secret: Generate a random string for the cookie secret. You can use openssl for that:
$ openssl rand -base64 32 | head -c 32 | base64

To make things easier, I have put the Deployment and Service files in this eks-tekton GitHub repository. Clone it and fill in the values of the above parameters in the Deployment manifest.
(Don't apply it yet; we have to change the Service as well.)

Exposing the oauth2-proxy service with LoadBalancer

Create Certificate

Create Certificate using AWS Certificate Manager for your domain tekton-dashboard.myeks.com. Make sure you also validate the certificate.

Add certificate arn at the service

We need to add the following annotations to the Service; they carry the certificate ARN and tell the load balancer which port terminates TLS:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

Replace the certificate ARN in the tekton-dashboard-auth Service manifest of your cloned GitHub repository.
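To show how the pieces above fit together, here is an added example of what the oauth2-proxy Deployment and its LoadBalancer Service look like (my own illustration, not the manifests from the linked eks-tekton repository). The image tag, the CAPITALISED placeholders and the backend-protocol annotation are assumptions; the client credentials are read from the tekton-dashboard-auth secret created earlier.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
spec:
  selector:
    matchLabels:
      app: tekton-dashboard-auth
  template:
    metadata:
      labels:
        app: tekton-dashboard-auth
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1   # assumed tag; pin your own
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID
            - --upstream=http://tekton-dashboard:9097        # ClusterIP service from above
            - --redirect-url=https://tekton-dashboard.myeks.com/oauth2/callback
            - --email-domain=*            # allow any Cognito user; restrict to your domain if possible
            - --http-address=0.0.0.0:4180
            - --cookie-secure=true        # cookie only sent over HTTPS (the LB terminates TLS)
          env:  # client credentials come from the tekton-dashboard-auth secret created earlier
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom: {secretKeyRef: {name: tekton-dashboard-auth, key: username}}
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom: {secretKeyRef: {name: tekton-dashboard-auth, key: password}}
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: "COOKIE_SECRET"      # placeholder: output of the openssl command above
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: tekton-dashboard-auth
  namespace: tekton-pipelines
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "CERTIFICATE_ARN"   # placeholder
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"      # LB -> proxy is plain HTTP
spec:
  type: LoadBalancer
  ports:
    - {name: https, port: 443, targetPort: 4180}
  selector:
    app: tekton-dashboard-auth
```

Only the proxy's Service is of type LoadBalancer; the Dashboard stays ClusterIP, so every external request has to pass through oauth2-proxy first.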

Create the deployment and service

If you are at the root of the cloned GitHub repo and have modified the manifests as per the above steps, you can now apply them:

$ kubectl apply -n tekton-pipelines -k tekton-dashboard-oidc

This will create the Deployment and the corresponding Service, and a LoadBalancer will be created that points to the oauth2-proxy service.

Map the domain with Loadbalancer

Now find your LoadBalancer from the Service:

$ kubectl get svc tekton-dashboard-auth -n tekton-pipelines

You will get the LoadBalancer URL in the EXTERNAL-IP field.

  • With that URL, locate the LoadBalancer in the AWS Console and check that it has a listener on port 443. For the SSL certificate, check that the certificate you defined in the Service has been attached to the LoadBalancer.
  • In AWS Route 53, associate your domain name (e.g. tekton-dashboard.myeks.com) with the LoadBalancer. If you are doing this for the first time, you can follow the AWS "Routing traffic to an ELB load balancer" documentation.

That's it. Now you can browse the Tekton Dashboard using your domain, e.g. https://tekton-dashboard.myeks.com, and it will ask you to log in with AWS Cognito.
If you enter the correct username and password, you will land on the Tekton Dashboard homepage 🎉.

NB. The picture attached to this post is not related to the content; it is just there to soothe your eyes :)

References:
https://medium.com/octo-technology-morocco/secure-authentication-to-tekton-dashboard-using-oidc-36de9b3f8a7d
https://stackoverflow.com/questions/56534589/is-there-a-way-to-configure-an-eks-service-to-use-https
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html
