{"id":1109,"date":"2021-07-15T14:33:29","date_gmt":"2021-07-15T12:33:29","guid":{"rendered":"https:\/\/loeilduse.fr\/?p=1109"},"modified":"2021-07-15T16:12:54","modified_gmt":"2021-07-15T14:12:54","slug":"creer-un-certificat-auto-signe-ldaps-pour-pinniped","status":"publish","type":"post","link":"https:\/\/loeilduse.fr\/?p=1109&lang=fr","title":{"rendered":"Create a self-signed LDAPS certificate for Pinniped"},"content":{"rendered":"<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">To simplify authentication to Kubernetes clusters running on different clouds, VMware developed the open-source <a href=\"https:\/\/pinniped.dev\/\">Pinniped<\/a> project. Pinniped has been integrated by default into the <a href=\"https:\/\/tanzu.vmware.com\/kubernetes-grid\">VMware Tanzu Kubernetes Grid<\/a> (TKG) offering since version 1.3, replacing the <a href=\"https:\/\/github.com\/heptiolabs\/gangway\">Gangway<\/a> extension. Pinniped supports authentication from OIDC or LDAP sources. 
For an LDAP source, Pinniped does not connect to LDAP directly; for now it relies on the <a href=\"https:\/\/github.com\/dexidp\/dex\">Dex<\/a> component, as Gangway already did.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">When a user runs a Kubernetes command for the first time, or after a period of inactivity, they are prompted to authenticate once with their corporate credentials and can then use several Kubernetes clusters.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">I wanted to test this feature in my lab with an LDAPS\/Active Directory server running on Windows 2019, and I quickly ran into the eternal problem of certificates not signed by a known authority. I therefore had to create a certificate that the Active Directory server would recognise. After hours of searching the Internet, I finally found an article (in English) by <a href=\"https:\/\/bl.ocks.org\/magnetikonline\">Peter Mescalchin<\/a> that worked on the first try: <a href=\"https:\/\/bl.ocks.org\/magnetikonline\/0ccdabfec58eb1929c997d22e7341e45\">Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers. &#8211; bl.ocks.org.<\/a><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">However, when I tried to use this procedure with Pinniped, it did not work because the SAN (Subject Alternative Name) information was not present in the certificate. 
Cross-referencing several articles on the subject, I was able to adapt Peter Mescalchin's solution so that the certificates include the SAN information. Here is what it looks like:<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><strong>Creating the Root certificate<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Using <em><span style=\"font-family: courier new, courier, monospace;\">OpenSSL<\/span> <\/em>(I used Ubuntu Linux), create a private key (<span style=\"font-family: courier new, courier, monospace;\">ca.key<\/span> in my example) so that you can then create the root certificate (<span style=\"font-family: courier new, courier, monospace;\">ca.crt<\/span> in my example). The first command will ask you for a passphrase and the second for information about your organisation.<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ openssl genrsa -aes256 -out ca.key 4096<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><strong>\u00a0<\/strong><\/span><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><strong>Importing the Root certificate on the AD server<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">On the AD server, run the <em><span style=\"font-family: courier new, courier, monospace;\">certlm<\/span> <\/em>command, or open the Control Panel and type computer certificates in the search bar:<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, 
geneva, sans-serif;\">Make sure you choose \u201cManage computer certificates\u201d and not \u201cManage user certificates\u201d<\/span><\/p>\n<p style=\"padding-left: 40px;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1113\" src=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Control-Pannel-cert.png\" alt=\"\" width=\"604\" height=\"95\" srcset=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Control-Pannel-cert.png 604w, https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Control-Pannel-cert-300x47.png 300w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Import the <em><span style=\"font-family: courier new, courier, monospace;\">ca.crt<\/span><\/em> generated earlier into \u201cTrusted Root Certification Authorities\\Certificates\u201d<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1114\" src=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/upload-ca-root.png\" alt=\"\" width=\"525\" height=\"264\" srcset=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/upload-ca-root.png 525w, https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/upload-ca-root-300x151.png 300w\" sizes=\"(max-width: 525px) 100vw, 525px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><strong>\u00a0<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif; font-size: 14pt;\"><strong>Creating the Client certificate<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Still on the Active Directory server, create a file; in our example it is called 
<em><span style=\"font-family: courier new, courier, monospace;\">request.inf<\/span><\/em>. In red are the changes I made relative to the original procedure in order to add the SAN information. Make sure you put the FQDN of the AD server in <em><span style=\"font-family: courier new, courier, monospace;\">CN<\/span><\/em>.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">The <span style=\"font-family: courier new, courier, monospace; color: #ff0000;\"><strong><em>_continue_ = &quot;dns&quot;<\/em><\/strong><\/span> and <span style=\"font-family: courier new, courier, monospace; color: #ff0000;\"><strong><em>_continue_ = &quot;ipaddress&quot;<\/em><\/strong><\/span> lines are the SAN values, i.e. the other names by which the AD server can be referenced.<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>[Version]<br \/>\n<\/em><em>Signature=&quot;$Windows NT$&quot;<\/em><\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>[NewRequest]<br \/>\n<\/em><em>Subject = <span style=\"color: #ff0000;\">&quot;CN=<\/span><\/em><span style=\"color: #ff0000;\"><strong><em>ad-server.cpod-velocity.az-fkd.cloud-garage.net<\/em><\/strong><\/span><em><span style=\"color: #ff0000;\">&quot;<\/span><br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>KeySpec = 1<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>KeyLength = 2048<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>Exportable = TRUE<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>MachineKeySet = TRUE<br \/>\n<\/em><\/span><span 
style=\"font-family: courier new, courier, monospace;\"><em>SMIME = FALSE<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>PrivateKeyArchive = FALSE<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>UserProtected = FALSE<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>UseExistingKeySet = FALSE<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>ProviderName = &quot;Microsoft RSA SChannel Cryptographic Provider&quot;<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>ProviderType = 12<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>RequestType = PKCS10<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>KeyUsage = 0xa0<\/em><\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>[EnhancedKeyUsageExtension]<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication<\/em><\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"color: #ff0000;\"><span style=\"font-family: courier new, courier, monospace;\"><strong><em>[Extensions]<br \/>\n<\/em><\/strong><\/span><span style=\"font-family: courier new, courier, monospace;\"><strong><em>; SANs can be included in the Extensions section by using the following text format. 
Note 2.5.29.17 is the OID for a SAN extension.<br \/>\n<\/em><\/strong><\/span><span style=\"font-family: courier new, courier, monospace;\"><strong><em>2.5.29.17 = &quot;{text}&quot;<br \/>\n<\/em><\/strong><\/span><span style=\"font-family: courier new, courier, monospace;\"><strong><em>_continue_ = &quot;dns=ad-server&amp;&quot;<br \/>\n<\/em><\/strong><\/span><span style=\"font-family: courier new, courier, monospace;\"><strong><em>_continue_ = &quot;dns=ad-server.cpod-velocity.az-fkd.cloud-garage.net&amp;&quot;<br \/>\n<\/em><\/strong><\/span><span style=\"font-family: courier new, courier, monospace;\"><strong><em>_continue_ = &quot;dns=cloud-garage.net&amp;&quot;<br \/>\n<\/em><\/strong><\/span><span style=\"font-family: courier new, courier, monospace;\"><strong><em>_continue_ = &quot;ipaddress=172.17.13.9&amp;&quot;<\/em><\/strong><\/span><\/span><\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Generate the <em>client.csr<\/em> file with the command below<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><em><span style=\"font-family: courier new, courier, monospace;\">c:\\&gt; certreq -new request.inf client.csr<\/span><\/em><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">From the Linux machine:<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Create an extensions file; in our example it is called <span style=\"font-family: courier new, courier, monospace;\"><em>v3ext.txt<\/em><\/span>. 
In red are the changes I made relative to the original procedure in order to add the SAN information under the <em><span style=\"font-family: courier new, courier, monospace;\">v3_ca<\/span><\/em> section, which will be referenced in the next command.<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>keyUsage=digitalSignature,keyEncipherment<br \/>\n<\/em><em>extendedKeyUsage=serverAuth<br \/>\n<\/em><em>subjectKeyIdentifier=hash<\/em><\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"color: #ff0000; font-family: courier new, courier, monospace;\"><em>\u00a0<\/em><strong><em># These extensions are added when &#8216;ca&#8217; signs a request.<br \/>\n<\/em><\/strong><strong><em>[ v3_ca ]<br \/>\n<\/em><\/strong><strong><em>subjectAltName = @alt_names<\/em><\/strong><\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"color: #ff0000; font-family: courier new, courier, monospace;\"><strong><em>[ alt_names ]<br \/>\n<\/em><\/strong><strong><em>DNS.1 = ad-server.cpod-velocity.az-fkd.cloud-garage.net<br \/>\n<\/em><\/strong><strong><em>DNS.2 = ad-server<br \/>\n<\/em><\/strong><strong><em>IP.1 = 172.17.13.9<\/em><\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Still on the Linux machine, create the <em>client.crt<\/em> certificate from the files generated in the previous steps, <em>ca.crt, ca.key, client.csr and v3ext.txt<\/em>; in red is what was added relative to the command from the original procedure<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key 
-extfile v3ext.txt -set_serial 01 -out client.crt<\/em><span style=\"color: #ff0000;\"><em> <strong>-extensions v3_ca<\/strong><\/em><\/span><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><em>\u00a0<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">To check that the SAN information is present<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ openssl x509 -in client.crt -text<br \/>\n<\/em><\/span><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0&#8230;..<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><span style=\"color: #ff0000;\"><strong><em>X509v3 extensions:<br \/>\n<\/em><\/strong><\/span><\/span><span style=\"font-family: courier new, courier, monospace; color: #ff0000;\"><strong><em>\u00a0\u00a0\u00a0 \u00a0\u00a0<\/em><\/strong><strong><em>X509v3 Subject Alternative Name:<br \/>\n<\/em><\/strong><\/span><span style=\"font-family: courier new, courier, monospace; color: #ff0000;\"><strong><em>\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DNS:ad-server.cpod-velocity.az-fkd.cloud-garage.net, DNS:ad-server, IP Address:172.17.13.9<\/em><\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><strong>\u00a0<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif; font-size: 14pt;\"><strong>Importing the Client certificate<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">On the AD server<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, 
monospace;\"><em>C:\\&gt; certreq -accept client.crt<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">The certificate should then appear under \u201cPersonal\\Certificates\u201d<\/span><\/p>\n<p style=\"padding-left: 40px;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1116\" src=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/create-user-ca.png\" alt=\"\" width=\"604\" height=\"94\" srcset=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/create-user-ca.png 604w, https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/create-user-ca-300x47.png 300w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><\/p>\n<p style=\"text-align: justify;\">For the certificate to be taken into account, you must either restart the AD server or force LDAPS to load the certificate with the procedure below:<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Still on the AD server, create a text file, called <em>ldap-renewservercert.txt<\/em> in our example, with the content below (note that the file ends with a line containing a single - (hyphen)):<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>dn:<br \/>\n<\/em><em>changetype: modify<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>add: renewServerCertificate<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>renewServerCertificate: 1<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>-<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Then run the command below:<\/span><\/p>\n<p style=\"text-align: justify; 
padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>c:\\&gt; ldifde -i -f ldap-renewservercert.txt<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">To test that it has been taken into account<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Use the <span style=\"font-family: courier new, courier, monospace;\"><em>ldp.exe<\/em><\/span> utility, selecting port 636 (or another port if a specific one is used) and ticking the SSL box.<\/span><\/p>\n<p style=\"padding-left: 40px;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1117\" src=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/ldp-exe.png\" alt=\"\" width=\"440\" height=\"254\" srcset=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/ldp-exe.png 440w, https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/ldp-exe-300x173.png 300w\" sizes=\"(max-width: 440px) 100vw, 440px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Once the whole procedure is done, retrieve the <span style=\"font-family: courier new, courier, monospace;\">ca.crt<\/span> generated in the first step so that it can be given to Pinniped. 
This can be done either when the TKG management cluster is created or afterwards.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14pt;\"><strong><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">If the management cluster has not yet been created:<\/span><\/strong><\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ tanzu management-cluster create --ui<br \/>\n<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">In my test I chose vSphere as the platform; at the identity manager step you will need to paste the certificate into the ROOT CA field<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><u><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1118\" src=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/tkg-ui-ca.png\" alt=\"\" width=\"604\" height=\"312\" srcset=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/tkg-ui-ca.png 604w, https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/tkg-ui-ca-300x155.png 300w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><\/u><\/span><\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14pt;\"><strong><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">If the TKG management cluster has already been created and you want to update it:<\/span><\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">From the Kubernetes context of the management cluster, encode the AD server's Root certificate 
with the <span style=\"font-family: courier new, courier, monospace;\">base64<\/span> command and copy the result:<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ base64 -w 0 ca.crt<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Replace the certificate in the <em><span style=\"font-family: courier new, courier, monospace;\">dex<\/span><\/em> configmap with the result of the previous command:<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><em><span style=\"font-family: courier new, courier, monospace;\">$ kubectl edit configmap -n tanzu-system-auth dex<\/span><br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em># Please edit the object below. Lines beginning with a &#8216;#&#8217; will be ignored,<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em># and an empty file will abort the edit. 
If an error occurs while saving this file will be<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em># reopened with the relevant failures.<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>#<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>apiVersion: v1<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>data:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0 config.yaml: |<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0 issuer: https:\/\/172.17.13.10:30167<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0 frontend:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 theme: tkg<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0 <\/em><em>web:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 https: 0.0.0.0:5556<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tlsCert: \/etc\/dex\/tls\/tls.crt<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tlsKey: \/etc\/dex\/tls\/tls.key<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0 <\/em><em>expiry:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 signingKeys: 90m<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 idTokens: 5m<br 
\/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0 logger:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 level: info<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 format: json<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0 staticClients:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &#8211; id: pinniped-client-id<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 name: pinniped-client-id<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 redirectURIs:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &#8211; https:\/\/172.17.13.10:31234\/callback<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 secret: 089db7e23b19cb628ba841b17cc32ea4<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0 connectors:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &#8211; type: ldap<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 id: ldap<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 name: LDAP<br \/>\n<\/em><\/span><span 
style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0config:<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 host: ad-server.cpod-velocity.az-fkd.cloud-garage.net:636<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 insecureSkipVerify: false<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 bindDN: cn=administrator,cn=Users,dc=velocity,dc=local<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 bindPW: $BIND_PW_ENV_VAR<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 usernamePrompt: LDAP Username<br \/>\n<\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/em><em>rootCAData:<br \/>\n<span style=\"color: #ff0000;\">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdQekNDQkNlZ0F3SUJBZ0lVU2tQd0JPazVYRVFLRlpydXdwZXBoeTlINndzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dhNHhDek<br \/>\nKQmdOVkJBWVRBa1pTTVF3d0NnWURWUVFJREFOSlJFWXhEakFNQmdOVkJBY01CVkJoY21segpNUlF3RWdZRFZRUUtEQXRNYjJWcGJDMWtkUzFUUlRFTE1Ba0dBMVVFQ3d3Q1UwVXhPRE<br \/>\nEyQmdOVkJBTU1MMkZrCkxYTmxjblpsY2k1amNHOWtMWFpsYkc5amFYUjVMbUY2TFdaclpDNWpiRzkxWkMxbllYSmhaMlV1Ym1WME1TUXcKSWdZSktvWklodmNOQVFrQkZoVm1ZbVZ1Y<br \/>\n21WcVpHRnNRSFp0ZDJGeVpTNWpiMjB3SGhjTk1qRXdOekEzTURjeQpNekl5V2hjTk16RXdOekExTURjeU16SXlXakNCcmpFTE1Ba0dBMVVFQmhNQ1JsSXhEREFLQmdOVkJBZ01BMGxFClJqRU9NQXdHQTFVRUJ3d0ZVR0Z5YVhNeEZEQVNCZ05WQkFvTUMweHZaV2xzTFdSMUxWTkZNUXN3Q1FZRFZRUUwKREFKVFJURTRNRFlHQTFVRUF3d3ZZV1F0YzJWeWRtVnlMbU53YjJ<br 
\/>\nRdGRtVnNiMk5wZEhrdVlYb3RabXRrTG1OcwpiM1ZrTFdkaGNtRm5aUzV1WlhReEpEQWlCZ2txaGtpRzl3MEJDUUVXRldaaVpXNXlaV3BrWVd4QWRtMTNZWEpsCkxtTnZiVENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dJUEFEQ0NBZ29DZ2dJQkFMaWx0WE81WkxNOFRzZ0YKMXFxRFFURi9xV1EzTGkvalU2ZFJqM1VMLys2YitRL0VUVjdIb2VLMi9hK09UdHlRbzY4c<br \/>\nk9ySTVJRjNNWlJqKwpzU0JuWC9SejczczYvVjArWXhJTFozSmNNenlWUzZtR1ZhNTZBTmFZRFRqSkErUzF5enZJczFpZXdMWDR2YlFzCnJRdFE2NVphb3NYbFlMSWpxdzZCY01TZUlX<br \/>\nNUlUWitlUVF3emlkN2t5ZFBYNDdTBSSm1vR\u2026..1<br \/>\n<\/span><\/em><\/span><span style=\"font-family: courier new, courier, monospace;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<span style=\"color: #ff0000;\"> \u2026.<\/span><\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Restart the <span style=\"font-family: courier new, courier, monospace;\"><em>dex<\/em> <\/span>pod in the <span style=\"font-family: courier new, courier, monospace;\"><em>tanzu-system-auth <\/em><\/span>namespace so that it picks up the change.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: trebuchet ms, geneva, sans-serif; font-size: 14pt;\">Once the management cluster has the right certificate<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">From there, create a workload cluster:<br \/>\n<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ tanzu cluster create my-cluster -f &lt;environment-file&gt;<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Import the admin kubeconfig of the workload cluster you created:<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ tanzu cluster kubeconfig get 
my-cluster --admin<br \/>\n<\/em><\/span><\/p>\n<p>Connect to the workload cluster with the admin context; as admin, no account is needed:<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ kubectl config use-context my-cluster<strong>-admin<\/strong>@my-cluster<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Create a cluster role binding with the role you want (here cluster-admin) for the desired users; this will allow the user to use this cluster once authenticated:<br \/>\n<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ kubectl create clusterrolebinding admin-fbenrejdal --clusterrole cluster-admin --user fbe@velocity.local<br \/>\n<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Export the workload cluster's kubeconfig; this is the kubeconfig to hand out to users. It has no admin context and will ask the user to authenticate. 
The user will use this cluster according to the rights defined in the <em><span style=\"font-family: courier new, courier, monospace;\">clusterrolebinding<\/span><\/em> from the previous step:<br \/>\n<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ tanzu cluster kubeconfig get my-cluster --export-file my-cluster-kubeconfig<br \/>\n<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Run a Kubernetes command with the generated kubeconfig file; this will open the browser to allow authentication:<br \/>\n<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: courier new, courier, monospace;\"><em>$ kubectl get pods -A --kubeconfig my-cluster-kubeconfig<br \/>\n<\/em><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">You should be redirected to a browser with a web page asking for your username and password:<br \/>\n<\/span><\/p>\n<p style=\"padding-left: 40px;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1119\" src=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Pinniped-login.png\" alt=\"\" width=\"604\" height=\"185\" srcset=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Pinniped-login.png 604w, 
https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Pinniped-login-300x92.png 300w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">Once entered, you will get the result of your last command:<br \/>\n<\/span><\/p>\n<p style=\"padding-left: 40px;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1120\" src=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Pinniped-logged.png\" alt=\"\" width=\"400\" height=\"68\" srcset=\"https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Pinniped-logged.png 400w, https:\/\/loeilduse.fr\/wp-content\/uploads\/2021\/07\/Pinniped-logged-300x51.png 300w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\">The result of the command you ran earlier should be displayed:<br \/>\n<\/span><\/p>\n<p style=\"text-align: justify; padding-left: 40px;\"><span style=\"font-family: trebuchet ms, geneva, sans-serif;\"><br \/>\n<\/span><span style=\"font-family: courier new, courier, monospace;\">NAMESPACE NAME READY STATUS RESTARTS AGE<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system antrea-agent-q9xpg 2\/2 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system antrea-agent-qlmj8 2\/2 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system antrea-controller-6bb57bd84-6cj58 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system coredns-68d49685bd-bjcps 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system coredns-68d49685bd-vttdw 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, 
courier, monospace;\">kube-system etcd-my-cluster-control-plane-48n9f 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system kube-apiserver-my-cluster-control-plane-48n9f 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system kube-controller-manager-my-cluster-control-plane-48n9f 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system kube-proxy-dntrc 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system kube-proxy-k5m9g 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system kube-scheduler-my-cluster-control-plane-48n9f 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system kube-vip-my-cluster-control-plane-48n9f 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system metrics-server-66cb4fb659-xlprc 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system vsphere-cloud-controller-manager-vmfwl 1\/1 Running 1 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system vsphere-csi-controller-bd8b6cc8c-8ljl8 6\/6 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system vsphere-csi-node-6xqf5 3\/3 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">kube-system vsphere-csi-node-vmbmq 3\/3 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">pinniped-concierge pinniped-concierge-dcd587f97-lk9n5 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">pinniped-concierge pinniped-concierge-dcd587f97-zrnb7 1\/1 Running 0 
7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">pinniped-concierge pinniped-concierge-kube-cert-agent-8a8e3e38 1\/1 Running 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">pinniped-supervisor pinniped-post-deploy-job-4ldt7 0\/1 Completed 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">pinniped-supervisor pinniped-post-deploy-job-m74gz 0\/1 Error 0 7d15h<\/span><br \/>\n<span style=\"font-family: courier new, courier, monospace;\">tkg-system kapp-controller-69c4d4bbb4-kwk5l 1\/1 Running 0 7d15h<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To simplify authentication for Kubernetes clusters running on different clouds, VMware developed the open-source Pinniped project. Pinniped has been integrated by default into the VMware Tanzu Kubernetes Grid (TKG) offering since version 1.3, replacing the Gangway extension. Pinniped allows authentication from OIDC or LDAP sources. In the case<\/p><\/div>\n<div class=\"blog-btn\"><a href=\"https:\/\/loeilduse.fr\/?p=1109&#038;lang=fr\" class=\"home-blog-btn\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[147],"tags":[548,177,536,538,468,28,540,542,534,544,546,178],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/loeilduse.fr\/index.php?rest_route=\/wp\/v2\/posts\/1109"}],"collection":[{"href":"https:\/\/loeilduse.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/loeilduse.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/loeilduse.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/loeilduse.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1109"}],"version-history":[{"count":13,"href":"https:\/\/loeilduse.fr\/index.php?rest_route=\/wp\/v2\/posts\/1109\/revisions"}],"predecessor-version":[{"id":1132,"href":"https:\/\/loeilduse.fr\/index.php?rest_route=\/wp\/v2\/posts\/1109\/revisions\/1132"}],"wp:attachment":[{"href":"https:\/\/loeilduse.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/loeilduse.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/loeilduse.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}