Configure Rok Registry to Use Dex

Rok Registry authenticates users using Dex as the default OIDC Provider. This guide will walk you through configuring Rok Registry to use Dex.

Choose one of the following options to configure authentication:

Option 1: Configure Rok Registry to Use Dex Automatically (preferred)

Rok Registry does not currently support automatic configuration for Dex. Please follow Option 2: Configure Rok Registry to Use Dex Manually to configure Rok Registry to use Dex.

Option 2: Configure Rok Registry to Use Dex Manually

If you want to configure Rok Registry to use Dex as an OIDC provider manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Generate OIDC Client credentials for Rok Registry and copy the client secret:

    root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_ID="fort"
    root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_SECRET="$(openssl rand \
    > -hex 32)" && echo $REGISTRY_OIDC_CLIENT_SECRET
    fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
  3. Append the client credentials you generated in the previous step to kubeflow/manifests/common/dex/overlays/deploy/secret_params.env:

    REGISTRY_OIDC_CLIENT_ID=fort
    REGISTRY_OIDC_CLIENT_SECRET=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
  4. Add a new entry to the staticClients field of the kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml patch that looks like the following:

    staticClients:
    ...
    - idEnv: REGISTRY_OIDC_CLIENT_ID
      redirectURIs: ["/registry/oidc-callback/dex"]
      name: Fort
      secretEnv: REGISTRY_OIDC_CLIENT_SECRET
  5. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and comment out the following line to disable the default local user that comes with Rok Registry:

    patchesStrategicMerge:
    ...
    #- patches/rokregistrycluster-enable-default-user.yaml  # <-- Comment this line out
  6. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml patch and add the following to enable authentication via OIDC providers:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      configVars:
        fort.auth_methods: social
  7. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml patch and add the following to configure Rok Registry to use Dex as an OIDC provider:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      socialProviders:
        dex:
          name: Dex
          type: generic
          client_id: fort
          redirect_uri: "/registry/oidc-callback/dex"
          token_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/token"
          userinfo_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/userinfo"
          authorization_endpoint: "/dex/auth"
          scopes:
          - profile
          - email
          - groups
          mapping:
            name: nickname
  8. Create the rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials file and add the client secret you generated in step 2:

    dex=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
  9. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml patch and add the following to pass the client secret to the Rok Registry deployment:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      socialProviderCredentialsSecret: rok-registry-social-provider-credentials-secret
  10. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml patch and add the following to allow email symbols (@, +, .) in usernames:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      configVars:
        fort.allow_email_symbols: true
  11. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and add the following to combine all the previous patches:

    secretGenerator:
    ...
    - name: rok-registry-social-provider-credentials-secret
      envs:
      - secrets/social_provider_credentials
      type: Opaque
    ...
    patchesStrategicMerge:
    ...
    - patches/rokregistrycluster-enable-social-provider.yaml
    - patches/rokregistrycluster-configure-social-provider.yaml
    - patches/rokregistrycluster-social-provider-credentials-secret.yaml
    - patches/rokregistrycluster-allow-email-symbols.yaml
  12. Stage your changes:

    root@rok-tools:~/ops/deployments# git add \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml \
    > rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml
  13. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure Rok Registry to Use Dex"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Verify you can build the Dex manifests:

    root@rok-tools:~/ops/deployments# kustomize build \
    > kubeflow/manifests/common/dex/overlays/deploy
  3. Verify you can build the Rok Registry manifests:

    root@rok-tools:~/ops/deployments# kustomize build \
    > rok/rok-registry-cluster/overlays/deploy

    Troubleshooting

    no matches for OriginalId

    If the above command fails with the following error message:

    Error: no matches for OriginalId ~G_~V_RokRegistryCluster|~X|rok-registry; no matches for CurrentId ~G_~V_RokRegistryCluster|~X|rok-registry; failed to find unique target for patch ~G_~V_RokRegistryCluster|rok-registry

    it means that you have misconfigured the manifests for Rok Registry. Go back to the Procedure and make sure you properly created and edited the necessary manifests.
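A kustomize build only proves the manifests are well-formed; a client id, redirect URI or secret that differs between the Dex static client (steps 3 and 4) and the Rok Registry social provider (steps 7 and 8) still builds cleanly and only fails at login time. The following added example (not part of the Rok documentation) cross-checks those four fragments; the file contents are constructed inline from the values shown on this page so it runs offline, and the parsers are deliberately minimal, not a full YAML implementation.

```python
# Added example: cross-check the Dex staticClients entry against the Rok Registry
# socialProviders config and credentials file. Not from the Rok docs.
import re

# Constructed copies of the fragments from steps 3, 4, 7 and 8 (values as on this page).
DEX_SECRET_PARAMS = """REGISTRY_OIDC_CLIENT_ID=fort
REGISTRY_OIDC_CLIENT_SECRET=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
"""
DEX_CONFIG_PATCH = """staticClients:
- idEnv: REGISTRY_OIDC_CLIENT_ID
  redirectURIs: ["/registry/oidc-callback/dex"]
  name: Fort
  secretEnv: REGISTRY_OIDC_CLIENT_SECRET
"""
REGISTRY_PROVIDER_PATCH = """    dex:
      client_id: fort
      redirect_uri: "/registry/oidc-callback/dex"
"""
REGISTRY_CREDENTIALS = "dex=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225\n"


def parse_env(text):
    """KEY=VALUE lines, the format of secret_params.env and the credentials file."""
    pairs = (ln.partition("=") for ln in text.splitlines() if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip().strip('"') for k, _, v in pairs}


def scalar(text, key):
    """Pull one `key: value` scalar out of a YAML fragment (surrounding quotes stripped)."""
    m = re.search(r"^\s*-?\s*%s:\s*(.+?)\s*$" % re.escape(key), text, re.M)
    return m.group(1).strip('"\'') if m else None


def check_dex_wiring(env, dex_patch, provider_patch, creds):
    """Return a list of mismatches; an empty list means Dex and Rok Registry agree."""
    problems = []
    dex_env = parse_env(env)
    # The Dex patch references the id and secret indirectly via idEnv/secretEnv.
    dex_id = dex_env.get(scalar(dex_patch, "idEnv") or "")
    dex_secret = dex_env.get(scalar(dex_patch, "secretEnv") or "")
    dex_redirects = re.findall(r'"([^"]+)"', scalar(dex_patch, "redirectURIs") or "")
    if scalar(provider_patch, "client_id") != dex_id:
        problems.append("client_id does not match the Dex staticClients id")
    if scalar(provider_patch, "redirect_uri") not in dex_redirects:
        problems.append("redirect_uri is not listed in the Dex redirectURIs")
    if not dex_secret or len(dex_secret) < 64:
        problems.append("Dex client secret missing or shorter than 32 random bytes")
    elif parse_env(creds).get("dex") != dex_secret:
        problems.append("social_provider_credentials secret differs from the Dex secret")
    return problems
```

To run it against a real checkout, read the four files from the GitOps repository paths named in the procedure and pass their contents to check_dex_wiring in the same order.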

Summary

You have successfully configured Rok Registry to use Dex as an OIDC provider for authentication.

What’s Next

The next step is to deploy Rok Registry.