Set Up Users for Rok
Rok authenticates users using OIDC. We use Dex as our default OIDC Provider and AuthService as our OIDC Client (authenticating proxy). In this section we will guide you through setting up authentication for Rok, using Dex and AuthService.
More specifically, you will need to:
- Change the password of the default user.
- Change the credentials of the OIDC client.
If you are planning to integrate Rok with an OIDC Provider other than Dex, e.g., GitLab, you will need to edit your installation after completing it with Dex. For GitLab, you need to follow the GitLab Authentication guide.
Choose one of the following options to configure authentication:
- Option 1: If you have started with the Rok-deploy CLI, follow Option 1: Set Up Users Automatically (preferred).
- Option 2: If you want to set up users manually, follow Option 2: Set Up Users Manually.
In this section you will set up users for Rok in an automated manner, using the
If you want to set up users for Rok manually, follow this section.
By default, Dex is installed with a single static user. To change the default user’s password or create new users, you have to modify Dex’s ConfigMap.
Pick a password for the default user, with handle user, and hash it using
root@rok-tools:/# python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))'
Go inside your clone of the GitOps repo:
root@rok-tools:/# cd ~/ops/deployments
<HASH> with the generated hash of the password you chose:
...
staticPasswords:
- email: firstname.lastname@example.org
  hash: <HASH>
Generate OIDC Client credentials for the AuthService and fill them in both Dex and AuthService kustomizations:
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID="authservice"
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET="$(openssl rand -base64 32)"
root@rok-tools:~/ops/deployments# j2 rok/rok-external-services/dex/base/secret_params.env.j2 -o rok/rok-external-services/dex/overlays/deploy/secrets/secret_params.env
root@rok-tools:~/ops/deployments# j2 rok/rok-external-services/authservice/base/secret_params.env.j2 -o rok/rok-external-services/authservice/overlays/deploy/secrets/secret_params.env
AuthService uses these credentials to authenticate to Dex.
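A sanity check for the two values this procedure writes into the GitOps repo, the bcrypt hash for staticPasswords and the AuthService client secret, to run before committing them. This is an added example, not part of the Rok documentation or tooling; the function names, the minimum cost of 12 (mirroring rounds=12 in the hashing command above) and the sample values are assumptions.

```python
import base64
import binascii
import re

# Modular-crypt bcrypt layout: $2<minor>$<cost>$ + 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def check_bcrypt_hash(value, min_cost=12):
    """Return a list of problems with a staticPasswords hash (empty list = OK)."""
    if value.strip() in ("", "<HASH>"):
        return ["placeholder or empty value was never replaced"]
    m = BCRYPT_RE.match(value)
    if m is None:
        # Typical causes: the hash was pasted inside double quotes so the shell
        # expanded its "$..." segments, or it was truncated when copied.
        return ["not a well-formed 60-character bcrypt hash (got %d characters)" % len(value)]
    problems = []
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        problems.append("cost %d is outside bcrypt's valid range 4..31" % cost)
    elif cost < min_cost:
        # min_cost is this example's own threshold, taken from rounds=12 above.
        problems.append("cost %d is below the chosen minimum %d" % (cost, min_cost))
    return problems

def check_client_secret(value, min_bytes=32):
    """Return a list of problems with a base64 OIDC client secret (empty list = OK)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["not valid base64"]
    if len(raw) < min_bytes:
        return ["decodes to %d bytes, expected at least %d" % (len(raw), min_bytes)]
    return []

# Constructed sample values: correct shape only, not real credentials.
SAMPLE_HASH = "$2y$12$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()

if __name__ == "__main__":
    for name, problems in (
        ("hash", check_bcrypt_hash(SAMPLE_HASH)),
        ("hash mangled by the shell", check_bcrypt_hash("y2")),
        ("client secret", check_client_secret(SAMPLE_SECRET)),
    ):
        print(name, "->", problems or "OK")
```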