LDAP Integration in VMware Data Services Manager v1.4

I had a recent question about integrating VMware Data Services Manager v1.4 with Microsoft Active Directory for users. This is indeed possible. In this post, I will demonstrate how Organization Admins and Organization Users can be integrated as Active Directory users, and subsequently granted access to Data Services Manager. This is achieved by configuring the LDAP settings in DSM to communicate with Active Directory in this example. The configuration steps include creating two AD Groups in AD, one for Org Admins and one for Org Users. These groups will then be added to one or more organizations in my DSM…

Tanzu Management Cluster Create 101 (5 of 6) – LDAPS Identity Management [Video]

In this penultimate video in the series of installing a Tanzu Kubernetes Grid (Grid) management cluster onto vSphere using the UI, we will look at the optional Identity Management configuration. In particular, we will look at integration with a secure LDAP service (in this demo, Microsoft Active Directory). We will see how to use the “Verify LDAP Configuration” utility to ensure that the LDAPS Endpoint, Bind configuration, and User and Group Search Attributes are functioning as expected before deploying the TKG management cluster onto vSphere. This will result in the deployment of additional packages on the cluster, such as Pinniped…

Securing LDAP with TLS certificates using ClusterIssuer in TKG v1.4

Over the last month or so, I have looked at various ways of securing Tanzu Kubernetes Grid (TKG) clusters. One recent post covered the integration of LDAP through Dex and Pinniped so you can control who can access the the non-admin context of your TKG cluster. I’ve also looked at how TKG clusters that do not have direct access to the internet can use a HTTP/HTTPS proxy. Similarly,  I looked at some tips when deploying TKG in an air-gapped environment, pulling all the necessary images from our external image registry and pushing them to a local Harbor registry. In another…

TKG v1.4 LDAP (Active Directory) integration with Pinniped and Dex

LDAP integration with Pinniped and Dex is a topic that I have written about before, particularly with TKG v1.3. However, recently I had reason to deploy TKG v1.4 and noticed some nice new enhancements around LDAP integration that I thought it worthwhile highlighting. One is the fact that you no longer need to have a web browser available in the environment where you are configuring LDAP credentials which was a requirement is the previous version. In this post, I will deploy a TKG v1.4 management cluster on vSphere. This environment uses the NSX ALB to provide IP addresses for both…

Using Tanzu Mission Control for managing LDAP/AD access policies for workload clusters

I’ve recently been looking at some of the features around Tanzu Mission Control. Tanzu Mission Control (or TMC for short) is a VMware SaaS offering for managing and monitoring your Kubernetes Clusters across multiple clouds. My particular interest on this occasion was around the access policy features, especially when the Tanzu Kubernetes Grid (TKG) workload clusters were deployed with LDAP/Active Directory integration via the Pinniped and Dex packages that are available with TKG. In this post, I will rollout my TKG management cluster, followed by a pair of TKG workload clusters. The TKG management cluster will be automatically integrated with…

TKG v1.4 – Some nice new features

Over the last week or so, VMware recently announced the release of TKG version 1.4. On reading through the release notes, there were a few features that caught my eye, so I thought I would deploy a cluster and take a closer look. In particular, two features were of interest. The first of these is support for the NSX Advanced Load Balancer (ALB) service in workload clusters, which is available through the Avi Kubernetes Operator (AKO). This is applicable when TKG is deployed on vSphere. There is also new support for the NSX ALB as a control plane endpoint provider.…

TKG v1.3 Active Directory Integration with Pinniped and Dex

Tanzu Kubernetes v1.3 introduces OIDC and LDAP identity management with Pinniped and Dex. Pinniped allows you to plug external OpenID Connect (OIDC) or LDAP identity providers (IDP) into Tanzu Kubernetes clusters which in turn allows you to control access to those clusters. Pinniped uses Dex as the endpoint to connect to your upstream LDAP identity provider, e.g. Microsoft Active Directory. If you are using OpenID Connect (OIDC), Dex is not required. It is also my understanding that eventually Pinniped with eventually integrate directly with LDAP as well, removing the need for Dex. But for the moment, both components are required.…