Install metallb manifest: ```shell kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.9/config/manifests/metallb-native.yaml ``` Configure metallb: ```shell cat << EOF > config-metallb.yaml apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: name: default namespace: metallb-system spec: addresses: - 192.168.1.70-192.168.1.89 --- apiVersion: metallb.io/v1beta1 kind: L2Advertisement metadata: name: default namespace: metallb-system EOF kubectl apply -f config-metallb.yaml ``` Install pinniped CLI: ```shell curl -Lso pinniped https://get.pinniped.dev/v0.23.0/pinniped-cli-linux-amd64 \ && chmod +x pinniped \ && sudo mv pinniped /usr/local/bin/pinniped ``` Install pinniped supervisor: ```shell kubectl apply -f https://get.pinniped.dev/v0.23.0/install-pinniped-supervisor.yaml ``` Create LoadBalancer: ```shell cat << EOF > pinniped-supervisor-lb.yaml apiVersion: v1 kind: Service metadata: name: pinniped-supervisor-loadbalancer namespace: pinniped-supervisor spec: type: LoadBalancer selector: app: pinniped-supervisor ports: - protocol: TCP port: 443 targetPort: 8443 # 8443 is the TLS port. EOF kubectl apply -f pinniped-supervisor-lb.yaml ``` Get LoadBalancer IP: ```shell kubectl get service pinniped-supervisor-loadbalancer \ -o jsonpath='{.status.loadBalancer.ingress[*].ip}' \ --namespace pinniped-supervisor ``` Install cert-manager: ```shell kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml ``` Configure Vault as Intermediate CA: ```shell vault secrets enable pki vault secrets tune -max-lease-ttl=8760h pki vault write pki/intermediate/generate/exported common_name=vault.lab.bowdre.net ttl=87600h alt_names="vault" vault write pki/intermediate/set-signed certificate=@signed_cert.pem vault write pki/config/urls issuing_certificates="https://vault.lab.bowdre.net/v1/pki/ca" crl_distribution_points="https://vault.lab.bowdre.net/v1/pki/crl" vault write pki/roles/lab-bowdre-net allowed_domains=lab.bowdre.net allow_subdomains=true max_ttl=72h vault write pki/issue/lab-bowdre-net common_name=coobernettees.lab.bowdre.net ``` Configure approle auth for cert-manager: ```shell vault auth enable approle cat << EOF | vault policy write cert-manager - path "pki/sign/lab-bowdre-net" { capabilities = ["create", "update", "delete"] } EOF vault write auth/approle/role/cert-manager secret_id_ttl=0 token_policies=["cert-manager"] # get approle role-id (username) vault read auth/approle/role/cert-manager/role-id # get approle secret-id (token) vault write -f auth/approle/role/cert-manager/secret-id ``` ```shell cat << EOF > pinniped-cert-manager.yaml apiVersion: v1 kind: Secret type: Opaque metadata: name: cert-manager-vault-approle namespace: pinniped-supervisor data: secretId: "${VAULT_CERTMAN_SECRETID_B64}" --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: pinniped-vault-issuer namespace: pinniped-supervisor spec: vault: path: pki/sign/lab-bowdre-net server: https://vault.lab.bowdre.net/ caBundle: | LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEalRDQ0FuV2dBd0lCQWdJUVlVemtVbW5W SnJsSlBtUTk1SFZ0QkRBTkJna3Foa2lHOXcwQkFRc0ZBREJaDQpNUk13RVFZS0NaSW1pWlB5TEdR QkdSWURibVYwTVJZd0ZBWUtDWkltaVpQeUxHUUJHUllHWW05M1pISmxNUk13DQpFUVlLQ1pJbWla UHlMR1FCR1JZRGJHRmlNUlV3RXdZRFZRUURFd3hzWVdJdFYwbE9NREV0UTBFd0hoY05Nakl3DQpN akl6TVRrME5qUTJXaGNOTWpjd01qSXpNVGsxTmpRMldqQlpNUk13RVFZS0NaSW1pWlB5TEdRQkdS WURibVYwDQpNUll3RkFZS0NaSW1pWlB5TEdRQkdSWUdZbTkzWkhKbE1STXdFUVlLQ1pJbWlaUHlM R1FCR1JZRGJHRmlNUlV3DQpFd1lEVlFRREV3eHNZV0l0VjBsT01ERXRRMEV3Z2dFaU1BMEdDU3FH U0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLDQpBb0lCQVFESXp2dG9RRjNvT3VDRmNVc21OcWtHRjVH ZVdBUjNibDN6Y3BmMXJRRy8wMlJrTUhVNFFla1V1QzBwDQo3eFdhTFc1Wmg4aWhlL3BhaVcvMXJO UTB2UnZNcW96OFlTRkhJN3czYStFMjUxQ3BqKy93Z1NUV3JuZUsyYUJ0DQoyellpMTdmcFVIRTV1 R25kYi9TNjVpQk9IdFJzNG5BZ1VPcUFsZ2hjZnlkZU9qd3dMdldJOTdqSFV4a3RhVzE0DQpWUzlh NTlBc0dGTk1rVFY0SzRMRmN1eExxd2lOUkFaTFNOejFuck1uMFlpcTBxenpVbFAvUXlJNVhCMmF2 V2lSDQpveGRJaVZWYm5rRlRJaWxiSUVaNFVKWWNCZFdqQ01nNUZHcGU0SmdaU3dRSDNCMmR6aU01 aVdHc3Z2eklwQUlNDQpyNnFKZTBVNG13V24vUjlGdTVBV0gyZUhrMXV0QWdNQkFBR2pVVEJQTUFz R0ExVWREd1FFQXdJQmhqQVBCZ05WDQpIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSd2VR SHVBRGJuVEFnV2NabnFDYnQwY1BwU2JUQVFCZ2tyDQpCZ0VFQVlJM0ZRRUVBd0lCQURBTkJna3Fo a2lHOXcwQkFRc0ZBQU9DQVFFQXg5dVcrK2ZWSEZ1c2sxc1VTeXRFDQpsWEpJVXdocGtGWE1Md2lm Y2VRQ3VwcjlJUjk4UzNzTFI4U2hucGltaVNpbGVXa052cXR5RWVsUHFIM2hEbE9BDQo5bHRzRGY5 dWVWZTRaSVNxejlQMk14NXVGckxhQ1g5cm5vNlVXSjdYRGZyTk0zMHJVd2NwbDdsdG9aQmFoSm80 DQpmWWtDeGx4a1dSQkVmNnlNMzVjQnREVVRHZ1dlNFQ3RG82aDBvRUNSRzlsNTE1b04xRkVRVnpH MEtGWTc5UmZ5DQp3S0xtL2FpVGxPNWp2Q3Q0V1Jjak1vWjhMbU15dStwY1ZyOWwySjhsK0tNUUFq b2UvV1RSOFRMa2duZ2dNNmpIDQo0bUNIWENOWVlxNGJJVVZKWDlVVzMxL1FhRnpZeXl5Smg4cHhI YVF1RkllZVFBUDY5aW1WRjM2QmViTlMwYkh2DQowdz09DQotLS0tLUVORCBDRVJUSUZJQ0FURS0t LS0tDQo= auth: appRole: path: approle roleId: "${VAULT_CERTMAN_ROLEID}" secretRef: name: cert-manager-vault-approle key: secretId EOF kubectl apply -f pinniped-cert-manager.yaml k -n pinniped-supervisor get issuers pinniped-vault-issuer -o wide NAME READY STATUS AGE vault-issuer True Vault verified 2m16s ``` Create cert request for pinniped-supervisor ```shell cat < pinniped-cert-request.yaml apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: supervisor-tls-cert-request namespace: pinniped-supervisor spec: secretName: supervisor-tls-cert commonName: "pinniped-supervisor.lab.bowdre.net" issuerRef: name: pinniped-vault-issuer dnsNames: - "pinniped-supervisor.lab.bowdre.net" EOF kubectl apply -f pinniped-cert-request.yaml ``` Create FederationDomain: ```shell cat < pinniped-federationdomain.yaml apiVersion: config.supervisor.pinniped.dev/v1alpha1 kind: FederationDomain metadata: name: federation-domain namespace: pinniped-supervisor spec: # You can choose an arbitrary path for the issuer URL. issuer: "https://pinniped-supervisor.lab.bowdre.net/issuer" tls: # The name of the secretName from the cert-manager Certificate # resource above. secretName: supervisor-tls-cert EOF kubectl apply -f pinniped-federationdomain.yaml ``` Create ActiveDirectoryIdentityProvider ```shell cat << EOF > pinniped-ad-idp.yaml apiVersion: v1 kind: Secret metadata: name: active-directory-bind-account namespace: pinniped-supervisor type: kubernetes.io/basic-auth data: # The dn (distinguished name) of your Active Directory bind account. # Remember to b64 encode without newlines: # echo -n "string" | base64 -w 0 username: "${LDAP_BIND_USERNAME_B64}" # The password of your Active Directory bind account. password: "${LDAP_BIND_PASSWORD_B64}" --- apiVersion: idp.supervisor.pinniped.dev/v1alpha1 kind: ActiveDirectoryIdentityProvider metadata: name: lab-bowdre-net-idp namespace: pinniped-supervisor spec: # Specify the host of the Active Directory server. host: "win01.lab.bowdre.net:636" # Specify the name of the Kubernetes Secret that contains your Active # Directory bind account credentials. This service account will be # used by the Supervisor to perform LDAP user and group searches. bind: secretName: "active-directory-bind-account" tls: certificateAuthorityData: |+ LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEalRDQ0FuV2dBd0lCQWdJUVlVemtVbW5W SnJsSlBtUTk1SFZ0QkRBTkJna3Foa2lHOXcwQkFRc0ZBREJaDQpNUk13RVFZS0NaSW1pWlB5TEdR QkdSWURibVYwTVJZd0ZBWUtDWkltaVpQeUxHUUJHUllHWW05M1pISmxNUk13DQpFUVlLQ1pJbWla UHlMR1FCR1JZRGJHRmlNUlV3RXdZRFZRUURFd3hzWVdJdFYwbE9NREV0UTBFd0hoY05Nakl3DQpN akl6TVRrME5qUTJXaGNOTWpjd01qSXpNVGsxTmpRMldqQlpNUk13RVFZS0NaSW1pWlB5TEdRQkdS WURibVYwDQpNUll3RkFZS0NaSW1pWlB5TEdRQkdSWUdZbTkzWkhKbE1STXdFUVlLQ1pJbWlaUHlM R1FCR1JZRGJHRmlNUlV3DQpFd1lEVlFRREV3eHNZV0l0VjBsT01ERXRRMEV3Z2dFaU1BMEdDU3FH U0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLDQpBb0lCQVFESXp2dG9RRjNvT3VDRmNVc21OcWtHRjVH ZVdBUjNibDN6Y3BmMXJRRy8wMlJrTUhVNFFla1V1QzBwDQo3eFdhTFc1Wmg4aWhlL3BhaVcvMXJO UTB2UnZNcW96OFlTRkhJN3czYStFMjUxQ3BqKy93Z1NUV3JuZUsyYUJ0DQoyellpMTdmcFVIRTV1 R25kYi9TNjVpQk9IdFJzNG5BZ1VPcUFsZ2hjZnlkZU9qd3dMdldJOTdqSFV4a3RhVzE0DQpWUzlh NTlBc0dGTk1rVFY0SzRMRmN1eExxd2lOUkFaTFNOejFuck1uMFlpcTBxenpVbFAvUXlJNVhCMmF2 V2lSDQpveGRJaVZWYm5rRlRJaWxiSUVaNFVKWWNCZFdqQ01nNUZHcGU0SmdaU3dRSDNCMmR6aU01 aVdHc3Z2eklwQUlNDQpyNnFKZTBVNG13V24vUjlGdTVBV0gyZUhrMXV0QWdNQkFBR2pVVEJQTUFz R0ExVWREd1FFQXdJQmhqQVBCZ05WDQpIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSd2VR SHVBRGJuVEFnV2NabnFDYnQwY1BwU2JUQVFCZ2tyDQpCZ0VFQVlJM0ZRRUVBd0lCQURBTkJna3Fo a2lHOXcwQkFRc0ZBQU9DQVFFQXg5dVcrK2ZWSEZ1c2sxc1VTeXRFDQpsWEpJVXdocGtGWE1Md2lm Y2VRQ3VwcjlJUjk4UzNzTFI4U2hucGltaVNpbGVXa052cXR5RWVsUHFIM2hEbE9BDQo5bHRzRGY5 dWVWZTRaSVNxejlQMk14NXVGckxhQ1g5cm5vNlVXSjdYRGZyTk0zMHJVd2NwbDdsdG9aQmFoSm80 DQpmWWtDeGx4a1dSQkVmNnlNMzVjQnREVVRHZ1dlNFQ3RG82aDBvRUNSRzlsNTE1b04xRkVRVnpH MEtGWTc5UmZ5DQp3S0xtL2FpVGxPNWp2Q3Q0V1Jjak1vWjhMbU15dStwY1ZyOWwySjhsK0tNUUFq b2UvV1RSOFRMa2duZ2dNNmpIDQo0bUNIWENOWVlxNGJJVVZKWDlVVzMxL1FhRnpZeXl5Smg4cHhI YVF1RkllZVFBUDY5aW1WRjM2QmViTlMwYkh2DQowdz09DQotLS0tLUVORCBDRVJUSUZJQ0FURS0t LS0tDQo= EOF kubectl apply -f pinniped-ad-idp.yaml ``` Install Concierge ```shell kubectl apply -f https://get.pinniped.dev/v0.23.0/install-pinniped-concierge-crds.yaml kubectl apply -f https://get.pinniped.dev/v0.23.0/install-pinniped-concierge-resources.yaml ``` Configure Concierge ```shell cat << EOF > pinniped-concierge.yaml apiVersion: authentication.concierge.pinniped.dev/v1alpha1 kind: JWTAuthenticator metadata: name: my-supervisor-authenticator spec: # The value of the issuer field should exactly match the issuer # field of your Supervisor's FederationDomain. issuer: https://pinniped-supervisor.lab.bowdre.net/issuer # You can use any audience identifier for your cluster, but it is # important that it is unique for security reasons. audience: kates-$(openssl rand -hex 8) # If the TLS certificate of your FederationDomain is not signed by # a standard CA trusted by the Concierge pods by default, then # specify its CA here as a base64-encoded PEM. tls: certificateAuthorityData: |+ LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEalRDQ0FuV2dBd0lCQWdJUVlVemtVbW5W SnJsSlBtUTk1SFZ0QkRBTkJna3Foa2lHOXcwQkFRc0ZBREJaDQpNUk13RVFZS0NaSW1pWlB5TEdR QkdSWURibVYwTVJZd0ZBWUtDWkltaVpQeUxHUUJHUllHWW05M1pISmxNUk13DQpFUVlLQ1pJbWla UHlMR1FCR1JZRGJHRmlNUlV3RXdZRFZRUURFd3hzWVdJdFYwbE9NREV0UTBFd0hoY05Nakl3DQpN akl6TVRrME5qUTJXaGNOTWpjd01qSXpNVGsxTmpRMldqQlpNUk13RVFZS0NaSW1pWlB5TEdRQkdS WURibVYwDQpNUll3RkFZS0NaSW1pWlB5TEdRQkdSWUdZbTkzWkhKbE1STXdFUVlLQ1pJbWlaUHlM R1FCR1JZRGJHRmlNUlV3DQpFd1lEVlFRREV3eHNZV0l0VjBsT01ERXRRMEV3Z2dFaU1BMEdDU3FH U0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLDQpBb0lCQVFESXp2dG9RRjNvT3VDRmNVc21OcWtHRjVH ZVdBUjNibDN6Y3BmMXJRRy8wMlJrTUhVNFFla1V1QzBwDQo3eFdhTFc1Wmg4aWhlL3BhaVcvMXJO UTB2UnZNcW96OFlTRkhJN3czYStFMjUxQ3BqKy93Z1NUV3JuZUsyYUJ0DQoyellpMTdmcFVIRTV1 R25kYi9TNjVpQk9IdFJzNG5BZ1VPcUFsZ2hjZnlkZU9qd3dMdldJOTdqSFV4a3RhVzE0DQpWUzlh NTlBc0dGTk1rVFY0SzRMRmN1eExxd2lOUkFaTFNOejFuck1uMFlpcTBxenpVbFAvUXlJNVhCMmF2 V2lSDQpveGRJaVZWYm5rRlRJaWxiSUVaNFVKWWNCZFdqQ01nNUZHcGU0SmdaU3dRSDNCMmR6aU01 aVdHc3Z2eklwQUlNDQpyNnFKZTBVNG13V24vUjlGdTVBV0gyZUhrMXV0QWdNQkFBR2pVVEJQTUFz R0ExVWREd1FFQXdJQmhqQVBCZ05WDQpIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSd2VR SHVBRGJuVEFnV2NabnFDYnQwY1BwU2JUQVFCZ2tyDQpCZ0VFQVlJM0ZRRUVBd0lCQURBTkJna3Fo a2lHOXcwQkFRc0ZBQU9DQVFFQXg5dVcrK2ZWSEZ1c2sxc1VTeXRFDQpsWEpJVXdocGtGWE1Md2lm Y2VRQ3VwcjlJUjk4UzNzTFI4U2hucGltaVNpbGVXa052cXR5RWVsUHFIM2hEbE9BDQo5bHRzRGY5 dWVWZTRaSVNxejlQMk14NXVGckxhQ1g5cm5vNlVXSjdYRGZyTk0zMHJVd2NwbDdsdG9aQmFoSm80 DQpmWWtDeGx4a1dSQkVmNnlNMzVjQnREVVRHZ1dlNFQ3RG82aDBvRUNSRzlsNTE1b04xRkVRVnpH MEtGWTc5UmZ5DQp3S0xtL2FpVGxPNWp2Q3Q0V1Jjak1vWjhMbU15dStwY1ZyOWwySjhsK0tNUUFq b2UvV1RSOFRMa2duZ2dNNmpIDQo0bUNIWENOWVlxNGJJVVZKWDlVVzMxL1FhRnpZeXl5Smg4cHhI YVF1RkllZVFBUDY5aW1WRjM2QmViTlMwYkh2DQowdz09DQotLS0tLUVORCBDRVJUSUZJQ0FURS0t LS0tDQo= EOF kubectl apply -f pinniped-concierge.yaml ```