In this article, we are going to learn how to enable authentication to your Tekton dashboard using OAuthProxy2 and GitHub. By default Tekton dashboard doesn't have any authentication. So we are going to add authentication to our Tekton dashboard. Let's get started.
A running ingress controller in your cluster
In here we are going to use Ngix Ingress Controller. If you don't have Ngix Ingress Controller in your cluster, you can follow this article to install Ngix Ingress Controller in your EKS Cluster
Firstly, we need to install Tekton in our cluster. To do that run below command.
You can verify the installed Tekton Dashboard pods by running below command:
kubectl get pods --namespace tekton-pipelines --watch
Now we need to move to the next step to expose Tekton Dashboard.
Create Ingress for Tekton Dashboard
Now we need to create an ingress for Tekton Dashboard. As I mentioned earlier, I am going to use Ngix Ingress Controller. So I am going to create an ingress for Tekton Dashboard using Ngix Ingress Controller. To do that, create a file called `tekton-dashboard-ingress.yaml` and add below content to that file.
In here I am using letsencrypt-prod as my cluster issuer and I am using subdomain called tekton-dashboard for Tekton Dashbaord. If you don’t have a cluster issuer and subdomain setup for your EKS Cluster, you can follow this article to configure them on your EKS Cluster.
Now you need to apply this manifest file to your cluster by running:
Now we need to create a GitHub OAuth App to authenticate our Tekton Dashboard. To do that, go to your GitHub account and go to Settings -> Developer Settings and click on New OAuth App. Now you need to enter below details to create your GitHub OAuth App.
Application Name - Name for your GitHub OAuth App
Homepage URL - Homepage URL for your GitHub OAuth App (In this case it will be https://oauth.yourdomain.com. You can use any subdomain you want and make sure to configure it in your domain provider. You need to map Nginx Ingress controller’s Load Balancer’s DNS to thsi sub-domain as a CNAME record. For more information about how to install Nginx Ingress Controller, you can refer this article)
Now you need to click on Register Application button to create your GitHub OAuth App. Now you will be able to see your Client ID and Client Secret. You need to copy those values and keep them in a safe place. We will need them in the next step.
Create Kubernetes Secret for GitHub OAuth App
Now we need to create a Kubernetes Secret for our GitHub OAuth App using Client ID and Client Secret which we had obtained from our previous step. To create Secret, you can run below command:
Now we need to install OAuthProxy2 in our EKS Cluster. We are going to use Helm to install OAuthProxy2 in our EKS Cluster with custom values file. First we need to create a file called `oauth2-proxy-values.yaml` and add below content to that file amd make sure to replace values iin this file with your own values.
config: existingSecret:oauth2-proxy-creds-github## This is the secret that we created in the previous step
extraArgs: whitelist-domain:.<yourdomian>## This is the domain that the proxy will allow to access the dashboard cookie-domain:.<yourdomian>## This is the domain that the proxy will allow to access the dashboard provider:github email-domain:'*'## Email domain that will be allowed to access the dashboard redirect-url:https://oauth.yourdomain.com/oauth2/callback## This is the domain that the proxy will redirect to after authentication upstream:"file:///dev/null" scope:user:email## This is the scope that the proxy will request from the provider cookie-expire:"1h"## This is the time that the cookie will expire cookie-refresh:"30m"## This is the time that the cookie will refresh ingress: enabled:true path:/ hosts: -oauth.yourdomain.com annotations: kubernetes.io/ingress.class:nginx cert-manager.io/cluster-issuer:letsencrypt-prod tls: -hosts: -oauth.yourdomain.com secretName:oauth-tls
Now we need to rub below commands to install OAuthProxy2 in our EKS Cluster with custom values:
Now we have finished with our OAuthProxy2 installation. Now we need to configure our Tekton Dashboard to use OAuthProxy2. To do that, we need to edit our existing Tekton Dashboard Ingress. To do that, you can run below command:
Now we have finished with our Tekton Dashboard configuration. Now you will be able to access your Tekton Dashboard UI on https://tekton-dashboard.yourdomain.com and you will be able to see that you need to authenticate with your GitHub account to access the Dashboard.
In this article, we learned how to enable authentication to your Tekton dashboard using OAuthProxy2 and GitHub. I hope you enjoyed this article. You can find the all the related commands for this tutorial from here. If you have any issue regarding this tutorial, mention your issue in the comment section or reach me through my E-mail.