In this article, we are going to learn how to add authentication to your Tekton Dashboard using OAuth2 Proxy and GitHub. By default, the Tekton Dashboard doesn't have any authentication, so we are going to add it. Let's get started.

Prerequisites

  • A running ingress controller in your cluster. Here we are going to use the NGINX Ingress Controller. If you don't have the NGINX Ingress Controller in your cluster, you can follow this article to install it in your EKS cluster.
  • A GitHub account

    Install Tekton

    First, we need to install Tekton in our cluster. To do that, run the command below.

    kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

    • For more information about Tekton Dashboard installation, you can refer to this documentation.

    You can verify the installed Tekton pods by running the command below:

    kubectl get pods --namespace tekton-pipelines --watch

    When all the pods are in the Running state, you can stop the above command by pressing Ctrl + C and move on to the next step to install the Tekton Dashboard.

    Install Tekton Dashboard

    Now we can install the Tekton Dashboard by running the command below:

    kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml

    You can verify the installed Tekton Dashboard pods by running the command below:

    kubectl get pods --namespace tekton-pipelines --watch

    Now we need to move on to the next step to expose the Tekton Dashboard.

    Create Ingress for Tekton Dashboard

    Now we need to create an Ingress for the Tekton Dashboard. As I mentioned earlier, I am going to use the NGINX Ingress Controller. To do that, create a file called `tekton-dashboard-ingress.yaml` and add the content below to that file.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: tekton-dashboard-alb-ingress
      namespace: tekton-pipelines
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-prod
    spec:
      rules:
        - host: tekton-dashboard.yourdomain.com
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: tekton-dashboard
                    port:
                      number: 9097
      tls:
        - hosts:
            - tekton-dashboard.yourdomain.com
          secretName: tekton-dashboard-tls

    Here I am using letsencrypt-prod as my cluster issuer and a subdomain called tekton-dashboard for the Tekton Dashboard. If you don’t have a cluster issuer and subdomain set up for your EKS cluster, you can follow this article to configure them.

    Now you need to apply this manifest file to your cluster by running:

    kubectl apply -f tekton-dashboard-ingress.yaml

    Now you will be able to see your Tekton Dashboard UI at https://tekton-dashboard.yourdomain.com, and you can see that anyone can access the Dashboard without any authentication.

    Create GitHub OAuth App

    Now we need to create a GitHub OAuth App to authenticate users of our Tekton Dashboard. To do that, go to your GitHub account, go to Settings -> Developer Settings and click on New OAuth App. Then enter the details below to create your GitHub OAuth App.
    • Application Name - Name for your GitHub OAuth App
    • Homepage URL - Homepage URL for your GitHub OAuth App (in this case it will be https://oauth.yourdomain.com. You can use any subdomain you want; make sure to configure it with your domain provider. You need to map the DNS name of the NGINX Ingress Controller’s load balancer to this subdomain as a CNAME record. For more information about how to install the NGINX Ingress Controller, you can refer to this article)
    • Authorization callback URL - https://oauth.yourdomain.com/oauth2/callback

    Now click on the Register Application button to create your GitHub OAuth App. You will then be able to see your Client ID and Client Secret. Copy those values and keep them in a safe place. We will need them in the next step.

    Create Kubernetes Secret for GitHub OAuth App

    Now we need to create a Kubernetes Secret for our GitHub OAuth App using the Client ID and Client Secret which we obtained in the previous step. To create the Secret, you can run the commands below:

    kubectl create ns oauth-proxy

    kubectl create secret generic oauth2-proxy-creds-github --from-literal=client-id=<github-client-id> --from-literal=client-secret=<github-client-secret>  --from-literal=cookie-secret=<cookie-secret> -n oauth-proxy
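
    The command above leaves `<cookie-secret>` for you to supply and puts all three values on the command line. The following is an added example, not part of the original article: it generates a cookie secret of a length oauth2-proxy accepts and emits the same Secret as a manifest. The environment variable names are assumptions.

```python
"""Added example: build the oauth2-proxy Secret as a manifest for `kubectl apply -f -`
so the values never appear as --from-literal arguments. The env var names are
assumptions; the Secret name, namespace and keys are the ones used on this page."""
import base64
import json
import os
import secrets
import sys


def new_cookie_secret(nbytes: int = 32) -> str:
    """Random URL-safe base64 secret; oauth2-proxy needs 16, 24 or 32 bytes."""
    if nbytes not in (16, 24, 32):
        raise ValueError("cookie secret must be 16, 24 or 32 bytes")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()


def build_secret(client_id: str, client_secret: str, cookie_secret: str) -> dict:
    """Return the Secret object the page creates with kubectl create secret."""
    if not client_id or not client_secret:
        raise ValueError("client id and client secret must be non-empty")
    if len(base64.urlsafe_b64decode(cookie_secret)) not in (16, 24, 32):
        raise ValueError("cookie secret does not decode to 16, 24 or 32 bytes")
    values = {"client-id": client_id, "client-secret": client_secret,
              "cookie-secret": cookie_secret}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": "oauth2-proxy-creds-github", "namespace": "oauth-proxy"},
        # Secret "data" holds each value base64-encoded.
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


if __name__ == "__main__":
    # GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET are assumed env var names.
    manifest = build_secret(os.environ["GITHUB_CLIENT_ID"],
                            os.environ["GITHUB_CLIENT_SECRET"], new_cookie_secret())
    json.dump(manifest, sys.stdout, indent=2)
```

    Saved under a name of your choice (make_secret.py is hypothetical), its output can be piped to `kubectl apply -f -` once the oauth-proxy namespace exists.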

    Install OAuth2 Proxy

    Now we need to install OAuth2 Proxy in our EKS cluster. We are going to use Helm to install it with a custom values file. First, create a file called `oauth2-proxy-values.yaml` and add the content below to that file, making sure to replace the values in this file with your own.

    config:
      existingSecret: oauth2-proxy-creds-github ## This is the secret that we created in the previous step

    extraArgs:
      whitelist-domain: .<your domain> ## Domains the proxy is allowed to redirect to after authentication
      cookie-domain: .<your domain> ## Domain the session cookie is set for
      provider: github
      email-domain: '*' ## Email domains allowed to sign in; '*' accepts any, so every GitHub account can authenticate unless you narrow it (oauth2-proxy has a github-org option for that)
      redirect-url: https://oauth.yourdomain.com/oauth2/callback ## OAuth callback URL; must match the Authorization callback URL of the GitHub OAuth App
      upstream: "file:///dev/null"
      scope: user:email ## This is the scope that the proxy will request from the provider
      cookie-expire: "1h" ## This is the time after which the cookie will expire
      cookie-refresh: "30m" ## This is the interval after which the cookie will be refreshed

    ingress:
      enabled: true
      path: /
      hosts:
        - oauth.yourdomain.com
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-prod
      tls:
        - hosts:
            - oauth.yourdomain.com
          secretName: oauth-tls

    Now we need to run the commands below to install OAuth2 Proxy in our EKS cluster with the custom values:

    helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests

    helm repo update

    helm install oauth2-proxy oauth2-proxy/oauth2-proxy --namespace oauth-proxy --values oauth2-proxy-values.yaml

    Configure Tekton Dashboard to use OAuth2 Proxy

    Now we have finished our OAuth2 Proxy installation. Next we need to configure our Tekton Dashboard to use OAuth2 Proxy by editing our existing Tekton Dashboard Ingress. To do that, you can run the command below:

    kubectl edit ingress tekton-dashboard-alb-ingress -n tekton-pipelines

    Now you need to add the annotations and pathType below to your Tekton Dashboard Ingress:

    annotations:
      nginx.ingress.kubernetes.io/auth-url: https://oauth.yourdomain.com/oauth2/auth
      nginx.ingress.kubernetes.io/auth-signin: https://oauth.yourdomain.com/oauth2/start

    pathType: ImplementationSpecific

    Your final Tekton Dashboard Ingress should look like this:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: tekton-dashboard-alb-ingress
      namespace: tekton-pipelines
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-prod
        nginx.ingress.kubernetes.io/auth-url: https://oauth.yourdomain.com/oauth2/auth ## Newly added annotation
        nginx.ingress.kubernetes.io/auth-signin: https://oauth.yourdomain.com/oauth2/start ## Newly added annotation
    spec:
      rules:
        - host: tekton-dashboard.yourdomain.com
          http:
            paths:
              - path: /
                pathType: ImplementationSpecific ## Newly added pathType
                backend:
                  service:
                    name: tekton-dashboard
                    port:
                      number: 9097
      tls:
        - hosts:
            - tekton-dashboard.yourdomain.com
          secretName: tekton-dashboard-tls

    Now we have finished our Tekton Dashboard configuration. You will be able to access your Tekton Dashboard UI at https://tekton-dashboard.yourdomain.com, and you will see that you need to authenticate with your GitHub account to access the Dashboard.
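
    To confirm that the Ingress really is gated, you can check its annotations rather than rely on what the browser shows. The following is an added example, not part of the original article: it audits Ingress objects in the JSON shape that `kubectl get ingress -A -o json` returns, using a constructed sample that mirrors this page's Ingress before and after the edit.

```python
"""Added example: flag Ingresses that ingress-nginx does not gate behind oauth2-proxy.
SAMPLE is constructed to mirror `kubectl get ingress -A -o json` for this page's
Ingress before and after the edit; the "-open" name is made up."""
import json
from urllib.parse import urlparse

AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
AUTH_SIGNIN = "nginx.ingress.kubernetes.io/auth-signin"
EXPECTED_AUTH_HOST = "oauth.yourdomain.com"  # the page's oauth2-proxy host


def audit_ingress(item: dict) -> list:
    """Return findings for one Ingress object; an empty list means gated."""
    ann = item.get("metadata", {}).get("annotations") or {}
    findings = []
    for key, path in ((AUTH_URL, "/oauth2/auth"), (AUTH_SIGNIN, "/oauth2/start")):
        value = ann.get(key)
        if not value:
            findings.append(f"missing {key}")
            continue
        url = urlparse(value)  # a query string on auth-signin does not affect the checks
        if url.scheme != "https":
            findings.append(f"{key} is not https")
        if url.hostname != EXPECTED_AUTH_HOST:
            findings.append(f"{key} points at unexpected host {url.hostname}")
        if url.path != path:
            findings.append(f"{key} path is {url.path}, expected {path}")
    return findings


def audit(ingress_list: dict) -> dict:
    return {f'{i["metadata"]["namespace"]}/{i["metadata"]["name"]}': audit_ingress(i)
            for i in ingress_list.get("items", [])}


def _ing(name: str, annotations: dict) -> dict:
    return {"metadata": {"name": name, "namespace": "tekton-pipelines",
                         "annotations": annotations}}

SAMPLE = {"items": [  # constructed sample input
    _ing("tekton-dashboard-alb-ingress-open", {"kubernetes.io/ingress.class": "nginx"}),
    _ing("tekton-dashboard-alb-ingress", {
        AUTH_URL: "https://oauth.yourdomain.com/oauth2/auth",
        AUTH_SIGNIN: "https://oauth.yourdomain.com/oauth2/start"}),
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

    A clean result only covers traffic that passes through ingress-nginx; the tekton-dashboard Service on port 9097 still answers unauthenticated requests from inside the cluster.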

    Conclusion

    In this article, we learned how to add authentication to your Tekton Dashboard using OAuth2 Proxy and GitHub. I hope you enjoyed this article. You can find all the related commands for this tutorial here. If you have any issue regarding this tutorial, mention it in the comment section or reach me through my e-mail.

    Happy Coding