👨🏻‍🏭 🧒 💉 Authentication in Kubernetes with Dex: fasten LDAP 🍗 👚 🍃

Today I will go over the details of configuring authentication in Kubernetes using Dex in conjunction with LDAP, and also show how you can add static users to Dex.

In this article I will not dwell on the basic principles of Dex, but immediately proceed to install and configure LDAP. You can get acquainted with the principles of Dex in this article .

What do we do:

So let's go.

I will show you with an example of a ready-made Kubernetes cluster with Helm version 3 and Ingress, as well as three domain names.

Install and configure OpenLDAP server

We will use OpenLDAP as the LDAP on the ubuntu 18.04 distribution.
Our server name: openldap.dtln.cloud.

We are connected to the server and we begin installation of OpenLDAP. During the installation, we will be prompted to set a password:
```
sudo apt update 
sudo apt install slapd ldap-utils
```
Reconfiguring OpenLDAP for our domain:
```
sudo dpkg-reconfigure slapd 
```
Choose No :
Enter the domain name:
Enter the name of the organization:
Repeat password entry:
We include support for STARTTLS. We put the necessary packages:
```
sudo apt install gnutls-bin ssl-cert
```

CA-:

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

/etc/ssl/ca.info:
```
cn = DTLN Company
ca
cert_signing_key
```

CA-a , :

sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
sudo certtool --generate-privkey --bits 1024 --outfile /etc/ssl/private/openldap_key.pem

/etc/ssl/openldap.info:

organization = DTLN Company
cn = openldap.dtln.cloud
tls_www_server
encryption_key
signing_key
expiration_days = 3650

sudo certtool --generate-certificate --load-privkey /etc/ssl/private/openldap_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/openldap.info --outfile /etc/ssl/certs/openldap.pem

OpenLDAP STARTTLS. certinfo.dif:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/openldap.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/openldap_key.pem

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.dif

sudo chgrp openldap /etc/ssl/private/openldap_key.pem
sudo chmod 0640 /etc/ssl/private/openldap_key.pem
sudo gpasswd -a openldap ssl-cert
sudo systemctl restart slapd.service

, /etc/ldap/ldap.conf :
```
TLS_CACERT /etc/ssl/certs/cacert.pem
```

STARTTLS:

ldapwhoami -H ldap://openldap.dtln.cloud -x -ZZ

LDAP-

, x , Kubernetes. content.ldif:

dn: ou=People,dc=openldap,dc=dtln,dc=cloud
objectClass: organizationalUnit
ou: People
dn: cn=jane,ou=People,dc=openldap,dc=dtln,dc=cloud
objectClass: person
objectClass: inetOrgPerson
sn: doe
cn: jane
mail: janedoe@openldap.dtln.cloud
userpassword: foo_password

dn: cn=john,ou=People,dc=openldap,dc=dtln,dc=cloud
objectClass: person
objectClass: inetOrgPerson
sn: doe
cn: john
mail: johndoe@openldap.dtln.cloud
userpassword: bar_password

# Group definitions.

dn: ou=Groups,dc=openldap,dc=dtln,dc=cloud
objectClass: organizationalUnit
ou: Groups

dn: cn=admins,ou=Groups,dc=openldap,dc=dtln,dc=cloud
objectClass: groupOfNames
cn: admins
member: cn=jane,ou=People,dc=openldap,dc=dtln,dc=cloud

dn: cn=developers,ou=Groups,dc=openldap,dc=dtln,dc=cloud
objectClass: groupOfNames
cn: developers
member: cn=jane,ou=People,dc=openldap,dc=dtln,dc=cloud
member: cn=john,ou=People,dc=openldap,dc=dtln,dc=cloud

Expand the described structure with the command:

ldapadd -x -D cn=admin,dc=openldap,dc=dtln,dc=cloud -W -f content.ldif

Make sure our users are in the directory:

ldapwhoami -vvv -h openldap.dtln.cloud -p 389 -D cn=john,ou=People,dc=openldap,dc=dtln,dc=cloud -x -w bar_password -ZZ
ldapwhoami -vvv -h openldap.dtln.cloud -p 389 -D cn=jane,ou=People,dc=openldap,dc=dtln,dc=cloud -x -w foo_password -ZZ

We connect support for OpenID Connect

Let's move on to the Kubernetes cluster setup.

We use the domain dex.ash.dtln.cloud to access the Dex API server, and login.ash.dtln.cloud to access the cluster.

We deployed the cluster without the kubeadm or kops installers, so the OIDC configuration can be immediately added to the systemd unit. In other cases, the configuration is best done using these utilities.

We edit the unit /etc/systemd/system/kube-apiserver.service and add the startup parameters to the ExecStart section :

--oidc-client-id=dex-k8s-authenticator \
--oidc-groups-claim=groups \
--oidc-username-claim=email \
--oidc-issuer-url=https://dex.ash.dtln.cloud/ \

We restart our APIs, check that they have risen:

sudo systemctl daemon-reload
sudo systemctl restart kube-apiserver
sudo systemctl status kube-apiserver

Create a multi-domain certificate

Now go to the Kubernetes cluster.

We install cert-manager using Helm:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager --namespace kube-system jetstack/cert-manager --version v0.13.0

We describe the request for a SAN certificate for our domains in cert.yml:

---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-dex
spec:
  acme:
    email: kubernetes@dataline.ru
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-key-dex
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dex
  commonName: dex.ash.dtln.cloud
  dnsNames:
  - dex.ash.dtln.cloud
  - login.ash.dtln.cloud

We execute the command:
```
kubectl apply -f cert.yaml
```

Now we look at the status of our certificate request with the following commands:

kubectl get certificates --all-namespaces
kubectl get challenges --all-namespaces

We are waiting for confirmation, the process may take some time:

Install Dex

For Dex, we need ca.crt, ca.key from the master server. Usually they are in the / etc / kubernetes / pki / directory.
We also need the earlier CA certificate with OpenLDAP that we generated, located along the path /etc/ssl/certs/cacert.pem

Download the dex-authenticator sources and go to the directory:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

We prepare the config for Dex-auth, paste the contents of the previously copied ca.crt, it is important to observe the indentation:

---
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
    - name: 'ash.dtln.cloud'
      short_description: "k8s cluster"
      description: "Kubernetes cluster"
      issuer: https://dex.ash.dtln.cloud/
      k8s_master_uri: https://kubernetes.dtln.cloud:6443 # url or ip
      client_id: dex-k8s-authenticator
      static_context_name: false
      client_secret: acDEgDEcIg7RX0U7A9hlW2pGGraHDuMAZ4qFEKg2fUHHxr8
      redirect_uri: https://login.ash.dtln.cloud/callback
      k8s_ca_pem: |
        -----BEGIN CERTIFICATE-----
        #   ca.crt
        -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.ash.dtln.cloud
  tls:
    - secretName: cert-auth-dex
      hosts:
        - login.ash.dtln.cloud

We translate the contents of cacert.pem to base64 to add it to the config:
```
cacert.pem | base64
```

Dex, . staticPasswords bcrypt:

---
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    # ca.crt
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    # ca.key
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.ash.dtln.cloud
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.ash.dtln.cloud
serviceAccount:
  create: true
  name: dex-auth-sa
config:
  issuer: https://dex.ash.dtln.cloud/
  storage:
    type: kubernetes
    config:
      inCluster: true
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "kube-dtln"
    issuerUrl: "https://login.ash.dtln.cloud"
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true

  connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      insecureNoSSL: false
      insecureSkipVerify: false
      startTLS: true #   
      rootCAData: |-
        # cacert.pem  base64 
        # 
     
      host: openldap.dtln.cloud:389
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=openldap,dc=dtln,dc=cloud
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      groupSearch:
        baseDN: ou=Groups,dc=openldap,dc=dtln,dc=cloud
        filter: "(objectClass=groupOfNames)"

        userMatchers:
        - userAttr: DN
          groupAttr: member

        nameAttr: cn

  staticClients:
  - id: dex-k8s-authenticator
    name: Kubernetes Dev Cluster
    secret: 'acDEgDEcIg7RX0U7A9hlW2pGGraHDuMAZ4qFEKg2fUHHxr8'
    redirectURIs:
      - https://login.ash.dtln.cloud/callback

  enablePasswordDB: True

  staticPasswords:
    #       base64
  - email: "admin@dtln.cloud"
    # bcrypt hash of the string "password"
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
    username: "admin"
    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

dex dex-auth- :

helm install dex --namespace kube-system --values dex.yaml charts/dex
helm install dex-auth --namespace kube-system --values dex-auth.yml charts/dex-k8s-authenticator

kubeconfig

, pod’. login.ash.dtln.cloud. , mail- .

static- mail:
Dex-auth. C kubeconfig-. :
Now try to access the cluster and get an error. That's right, our user does not have rights, so let's move on to setting up RBAC.

We configure RBAC authorization

For example, we assign the static user to the cluster-admin system role , and the users of the developers group to the view role, which allows only viewing resources. Then the contents of the crb.yml file should be like this:

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex-admin
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: User
  name: "admin@dtln.cloud"

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex-developers
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: Group
  name: "developers"

Switch to the main context and apply the created yaml file to the cluster:
```
kubectl config set-context default
kubectl apply -f crb.yml
```

We look at the available contexts and switch back to our user:

kubectl config get-contexts
kubectl config set-context johndoe-ash.dtln.cloud

This completes the setup of Dex in conjunction with OpenLDAP.

A couple of tips for last:

If problems arise, the first thing to check is the formatting of yaml files and pay attention to the indentation.
Slashes in addresses must match the examples.
pod’ Dex, Dex-auth, kube-api .

Authentication in Kubernetes with Dex: fasten LDAP