Configure Rok Registry to Use Dex

Rok Registry authenticates users using Dex as the default OIDC Provider. This guide will walk you through configuring Rok Registry to use Dex.

Choose one of the following options to configure authentication:

Option 1: Configure Rok Registry to Use Dex Automatically (preferred)

In this section you will configure Rok Registry to use Dex as an OIDC provider in an automated manner, using the rok-deploy CLI.

Procedure

Automatic configuration depends on your cloud provider:

Rok Registry does not currently support automatic configuration for Dex on AWS, Azure, or GCP. Follow Option 2: Configure Rok Registry to Use Dex Manually instead; it disables the default local user and wires Rok Registry to Dex.

Option 2: Configure Rok Registry to Use Dex Manually

If you want to configure Rok Registry to use Dex as an OIDC provider manually, follow this section.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Generate OIDC client credentials for Rok Registry and copy the client secret. The secret printed below is an example; use the value that your own command prints:

    root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_ID="fort"
    root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_SECRET="$(openssl rand \
    >   -hex 32)" && echo $REGISTRY_OIDC_CLIENT_SECRET
    fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
    
  3. Edit the kubeflow/manifests/common/dex/overlays/deploy/secret_params.env file and add the client credentials you generated in the previous step:

    REGISTRY_OIDC_CLIENT_ID=fort
    REGISTRY_OIDC_CLIENT_SECRET=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225  # <-- Update this line with your REGISTRY_OIDC_CLIENT_SECRET
    
  4. Set the domain name of your Rok Registry installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>
    

    Replace <FQDN> with your installation’s domain name. For example:

    root@rok-tools:~/ops/deployments# export FQDN=arrikto-cluster.apps.example.com
    
  5. Edit the kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml patch and add the following lines to create a new static client in Dex:

    staticClients:
    ...
    - idEnv: REGISTRY_OIDC_CLIENT_ID
      redirectURIs: ["https://<FQDN>/registry/oidc-callback/dex"]  # <-- Update this line with your FQDN
      name: Fort
      secretEnv: REGISTRY_OIDC_CLIENT_SECRET
    
  6. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and comment out the following line to disable the default local user that comes with Rok Registry:

    patchesStrategicMerge:
    ...
    #- patches/rokregistrycluster-enable-default-user.yaml  # <-- Comment this line out
    
  7. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml patch and add the following to enable authentication via OIDC providers:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      configVars:
        fort.auth_methods: social
    
  8. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml patch and add the following to configure Rok Registry to use Dex as an OIDC provider:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      socialProviders:
        dex:
          name: Dex
          type: generic
          client_id: fort
          token_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/token"
          userinfo_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/userinfo"
          authorization_endpoint: "/dex/auth"
          scopes:
          - profile
          - email
          - groups
          mapping:
            name: nickname
    
  9. Create the rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials file and add the client secret you generated in step 2:

    dex=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225  # <-- Update this line with your REGISTRY_OIDC_CLIENT_SECRET
    
  10. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml patch and add the following to pass the client secret to the Rok Registry deployment:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      socialProviderCredentialsSecret: rok-registry-social-provider-credentials-secret
    
  11. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml patch and add the following to allow email symbols (@, +, .) in usernames:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      configVars:
        fort.allow_email_symbols: true
    
  12. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and add the following to combine all the previous patches:

    secretGenerator:
    ...
    - name: rok-registry-social-provider-credentials-secret
      envs:
      - secrets/social_provider_credentials
      type: Opaque
    ...
    patchesStrategicMerge:
    ...
    - patches/rokregistrycluster-enable-social-provider.yaml
    - patches/rokregistrycluster-configure-social-provider.yaml
    - patches/rokregistrycluster-social-provider-credentials-secret.yaml
    - patches/rokregistrycluster-allow-email-symbols.yaml
    
  13. Stage your changes:

    root@rok-tools:~/ops/deployments# git add \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml \
    > rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml
    
  14. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure Rok Registry to Use Dex"
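
    Before committing, it is worth cross-checking that the files edited in steps 2 to 12 agree with each other, because the same client id and secret are entered by hand in two places (Dex's secret_params.env and Rok Registry's social_provider_credentials) and the redirect URI is typed once more with the FQDN. The script below is an added example, not Arrikto or Rok tooling: it checks that both sides hold the same client id and a 32-byte hex secret, that the Dex static client's redirectURI is the exact https callback for the FQDN, that the default local user patch is still commented out, and that fort.auth_methods is social. It assumes the GitOps file layout used in this guide under the repository root given as its first argument. The make_sample_repo helper writes a constructed copy of those files with sample data so the check can be tried offline; the file names and formats it writes follow the steps above.

```shell
#!/bin/sh
# Added example, not Arrikto/Rok tooling: cross-check the Dex <-> Rok Registry
# OIDC wiring produced by steps 2-12 before it is committed. Assumes the GitOps
# file layout used in this guide, rooted at the directory passed as $1.

DEX_DIR=kubeflow/manifests/common/dex/overlays/deploy
REG_DIR=rok/rok-registry-cluster/overlays/deploy

# env_value FILE KEY: value of KEY in a KEY=value file, trailing "# comment" dropped.
env_value() {
  sed -n "s/^$2=\([^ #]*\).*/\1/p" "$1" 2>/dev/null | head -n 1
}

# check_oidc_wiring REPO FQDN: returns 0 if the wiring is consistent, 1 otherwise,
# with each problem reported on stderr.
check_oidc_wiring() {
  repo=$1; fqdn=$2; rc=0
  dex_id=$(env_value "$repo/$DEX_DIR/secret_params.env" REGISTRY_OIDC_CLIENT_ID)
  dex_secret=$(env_value "$repo/$DEX_DIR/secret_params.env" REGISTRY_OIDC_CLIENT_SECRET)
  reg_secret=$(env_value "$repo/$REG_DIR/secrets/social_provider_credentials" dex)
  reg_id=$(sed -n 's/^ *client_id: *\([^ #]*\).*/\1/p' \
    "$repo/$REG_DIR/patches/rokregistrycluster-configure-social-provider.yaml" 2>/dev/null)

  # Dex (step 3) and Rok Registry (steps 8 and 9) must hold the same client id and
  # secret, or the authorization-code exchange at Dex's token endpoint is rejected.
  [ -n "$dex_id" ] && [ "$dex_id" = "$reg_id" ] \
    || { echo "client_id differs: dex='$dex_id' registry='$reg_id'" >&2; rc=1; }
  [ -n "$dex_secret" ] && [ "$dex_secret" = "$reg_secret" ] \
    || { echo "client secret differs between Dex and Rok Registry files" >&2; rc=1; }

  # The secret should look like the output of "openssl rand -hex 32": 64 hex digits.
  case "$dex_secret" in
    *[!0-9a-f]* | "") echo "client secret is not lowercase hex" >&2; rc=1 ;;
  esac
  [ ${#dex_secret} -eq 64 ] || { echo "client secret is not 32 bytes (64 hex digits)" >&2; rc=1; }

  # The redirect URI Dex will accept (step 5) must be the exact https callback for this
  # FQDN; a leftover <FQDN> placeholder or an http:// URI would misroute the auth code.
  grep -qF "redirectURIs: [\"https://$fqdn/registry/oidc-callback/dex\"]" \
    "$repo/$DEX_DIR/patches/config-map.yaml" 2>/dev/null \
    || { echo "Dex redirectURI is not https://$fqdn/registry/oidc-callback/dex" >&2; rc=1; }

  # Once OIDC is the auth method (step 7) the built-in local user must stay disabled (step 6).
  grep -q '^ *- patches/rokregistrycluster-enable-default-user.yaml' \
    "$repo/$REG_DIR/kustomization.yaml" 2>/dev/null \
    && { echo "default local user patch is still enabled in kustomization.yaml" >&2; rc=1; }
  grep -q '^ *fort.auth_methods: social' \
    "$repo/$REG_DIR/patches/rokregistrycluster-enable-social-provider.yaml" 2>/dev/null \
    || { echo "fort.auth_methods is not set to social" >&2; rc=1; }
  return $rc
}

# make_sample_repo DIR SECRET FQDN: write a constructed copy of the files the guide
# edits (sample data only), so the check can be exercised offline.
make_sample_repo() {
  dir=$1; secret=$2; fqdn=$3
  mkdir -p "$dir/$DEX_DIR/patches" "$dir/$REG_DIR/patches" "$dir/$REG_DIR/secrets"
  printf 'REGISTRY_OIDC_CLIENT_ID=fort\nREGISTRY_OIDC_CLIENT_SECRET=%s  # from step 2\n' \
    "$secret" > "$dir/$DEX_DIR/secret_params.env"
  printf 'staticClients:\n- idEnv: REGISTRY_OIDC_CLIENT_ID\n  redirectURIs: ["https://%s/registry/oidc-callback/dex"]\n  name: Fort\n  secretEnv: REGISTRY_OIDC_CLIENT_SECRET\n' \
    "$fqdn" > "$dir/$DEX_DIR/patches/config-map.yaml"
  printf 'patchesStrategicMerge:\n#- patches/rokregistrycluster-enable-default-user.yaml\n- patches/rokregistrycluster-enable-social-provider.yaml\n' \
    > "$dir/$REG_DIR/kustomization.yaml"
  printf 'spec:\n  configVars:\n    fort.auth_methods: social\n' \
    > "$dir/$REG_DIR/patches/rokregistrycluster-enable-social-provider.yaml"
  printf 'spec:\n  socialProviders:\n    dex:\n      client_id: fort\n' \
    > "$dir/$REG_DIR/patches/rokregistrycluster-configure-social-provider.yaml"
  printf 'dex=%s\n' "$secret" > "$dir/$REG_DIR/secrets/social_provider_credentials"
}

# Usage: sh check-oidc-wiring.sh ~/ops/deployments arrikto-cluster.apps.example.com
# With no arguments, a constructed sample repository is generated and checked instead.
if [ $# -ge 2 ]; then
  check_oidc_wiring "$1" "$2" && echo "OIDC wiring is consistent"
else
  SAMPLE=$(mktemp -d)
  make_sample_repo "$SAMPLE" fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225 \
    arrikto-cluster.apps.example.com
  check_oidc_wiring "$SAMPLE" arrikto-cluster.apps.example.com && echo "sample wiring is consistent"
  rm -rf "$SAMPLE"
fi
```

    Run it from the rok-tools environment against ~/ops/deployments with your FQDN before step 13. It only checks that the files agree textually; it does not prove that Dex will issue a token, so a login test after deployment is still needed. Note also that step 13 stages secrets/social_provider_credentials into the GitOps repository, so the client secret is only as private as that repository.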
    

Summary

You have successfully configured Rok Registry to use Dex as an OIDC provider for authentication.

What’s Next

The next step is to deploy Rok Registry.