thatDot Products EKS Authentication
Overview
This document will guide a cloud administrator through the process of configuring authentication for thatDot products deployed on AWS EKS with Helm.
The solution recommended and outlined in this document is to use a Kubernetes Ingress configured with an AWS Application Load Balancer (ALB). See also EKS Application LoadBalancing. The user may choose either AWS Cognito or OpenID Connect (OIDC) based authentication. This solution can be created as an extension of an existing deployment of thatDot product Helm charts.
Prerequisites
An EKS cluster already created in an AWS account is required. The administrator should have all relevant permissions to create an AWS ALB and administrate the EKS cluster.
Helm is required to install thatDot products. The thatDot Helm chart repo can be added locally by following the steps here.
A hosted zone is required in AWS Route 53. There also needs to be a valid certificate in AWS Certificate Manager (ACM) for each subdomain you want to host thatDot products under. Please have the hosted zone ID and the ARN for your ACM certificate ready for the following section.
Steps
Install Novelty Helm Chart
Any desired thatDot products should be installed in EKS using thatDot official Helm charts. If one or more products are already installed, these existing instances can be used and this section should be skipped.
- Instructions for Novelty Helm chart
Authentication Provider
The first step is to choose an authentication provider which is either OIDC or AWS Cognito.
For AWS Cognito, you will need to create a user pool or use an existing one. Have the following information ready:
- User Pool ARN
- User Pool Client Id
- User Pool Domain
For OIDC, you will need to create an OIDC application or use an existing one in your chosen OIDC identity provider. Documentation for how to create the OIDC application will be available from your chosen identity provider. Have the following information ready:
- Issuer
- Authorization Endpoint
- Token Endpoint
- User Info Endpoint
- Client ID
- Client Secret
AWS Load Balancer Controller
Reference: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/
The AWS Load Balancer Controller will be required to automatically create an ALB resource based on the Kubernetes Ingress you will be creating in a future step.
To install, follow the AWS Load Balancer Controller installation instructions: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/installation/
Option A for IAM setup is recommended for simplicity.
ExternalDNS
Reference: https://kubernetes-sigs.github.io/external-dns/latest/
The Kubernetes ExternalDNS service will be required to update Route53 records automatically to direct traffic to your ALB. This is required in order to use authentication with the ALB since ALB authentication settings require TLS to be enabled.
There are multiple ways to install ExternalDNS specified in the installation instructions. It is recommended to read and understand that page in its entirety. This will inform you of the best option to use for your particular EKS cluster configuration. Included below are recommended steps for the most straightforward installation procedure.
- Create IAM Policy for External DNS updates: https://kubernetes-sigs.github.io/external-dns/latest/docs/tutorials/aws/#iam-policy
NOTE: Following the principle of least privilege, you may want to replace the: "Resource": [ "arn:aws:route53:::hostedzone/*"]
section from the policy document with only the hosted zone ID for the hosted zone you plan to use.
- Use “IAM Roles for Security Accounts” to create a service account with the required authorization for the External DNS service to use: https://kubernetes-sigs.github.io/external-dns/latest/docs/tutorials/aws/#iam-roles-for-service-accounts
- Deploy ExternalDNS with helm: https://kubernetes-sigs.github.io/external-dns/latest/docs/tutorials/aws/#using-helm-with-oidc
Kubernetes Ingress
The final step is to create a Kubernetes ingress of class alb
. The ingress should forward traffic to the service defined by the Helm chart. For the Novelty helm chart, this service has the default name service/<release-name>-novelty
where <release-name>
is the release name passed to helm during the installation.
In order to configure the ALB, AWS Load Balancer Controller annotations are added to the ingress definition. Here is a full reference of available annotations.
Pay close attention to the authentication annotations. Set values with the information prepared earlier from selecting your authentication provider.
See also, ALB Authentication reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: "novelty-authenticated-ingress"
# TODO: fill in the namespace where thatDot helm chart is installed.
namespace: <NAMESPACE>
annotations:
# Below annotation is to specify if the loadbalancer is "internal" or "internet-facing"
alb.ingress.kubernetes.io/scheme: internal
# TODO: Fill in with the ARN of your certificate.
alb.ingress.kubernetes.io/certificate-arn: <CERTIFICATE_ARN> alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
# Set HTTP to HTTPS redirects. Every HTTP listener configured will be redirected to below mentioned port over HTTPS.
alb.ingress.kubernetes.io/ssl-redirect: '443'
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/auth-type: cognito
# TODO: Fill in Cognito IDP Information
alb.ingress.kubernetes.io/auth-idp-cognito: '{"userPoolARN":"arn:aws:cognito-idp:us-west-2:xxx:userpool/xxx","userPoolClientID":"my-clientID","userPoolDomain":"my-domain"}'
alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
# TODO: fill in hostname to match certificate in ACM
external-dns.alpha.kubernetes.io/hostname: <HOSTNAME>
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
# TODO: fill in service name
name: "my-novelty-novelty"
port:
number: 80
When this ingress is defined, the installed aws-load-balancer-controller and external-dns services will manage an ALB associated with the ingress. This will create an authenticated access point to your Quine Enterprise cluster or Novelty instance which can be used internally to a VPC or publicly exposed.