Set Up Users for Rok

Rok authenticates users using OIDC. We use Dex as our default OIDC Provider and AuthService as our OIDC Client (authenticating proxy). In this section we will guide you through setting up authentication for Rok, using Dex and AuthService.

More specifically, you will need to:

  • Change the password of the default user.
  • Change the credentials of the OIDC client.

Important

If you are planning to integrate Rok with an OIDC Provider other than Dex, e.g., GitLab, you will need to edit your installation after completing it with Dex. For GitLab, you need to follow the GitLab Authentication guide.

Choose one of the following options to configure authentication:

Option 1: Set Up Users Automatically (preferred)

In this section you will set up users for Rok in an automated manner, using the rok-deploy CLI.

Procedure

Choose one of the following options, based on your cloud provider.

To set up users for Rok, follow the on-screen instructions.

You may now proceed to the Summary section.

Rok does not currently support setting up users automatically. Please follow Option 2: Set Up Users Manually to set up users for Rok.

Option 2: Set Up Users Manually

If you want to set up users for Rok manually, follow this section.

Procedure

By default, Dex is installed with a single static user. To change the default user’s password or create new users, you have to modify Dex’s ConfigMap.

  1. Pick a password for the default user, with handle user, and hash it using bcrypt:

    root@rok-tools:/# python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))'
    
  2. Go inside your clone of the GitOps repo:

    root@rok-tools:/# cd ~/ops/deployments
    
  3. Edit rok/rok-external-services/dex/overlays/deploy/patches/static-user-passwd.yaml by replacing <HASH> with the generated hash of the password you chose:

    ...
      staticPasswords:
      - email: user@example.com
        hash: <HASH>
    
  4. Generate OIDC Client credentials for the AuthService and fill them in for both the Dex and AuthService kustomizations:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID="authservice"
    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET="$(openssl rand -base64 32)"
    root@rok-tools:~/ops/deployments# j2 rok/rok-external-services/dex/base/secret_params.env.j2 -o rok/rok-external-services/dex/overlays/deploy/secrets/secret_params.env
    root@rok-tools:~/ops/deployments# j2 rok/rok-external-services/authservice/base/secret_params.env.j2 -o rok/rok-external-services/authservice/overlays/deploy/secrets/secret_params.env
    

    Note

    AuthService uses these credentials to authenticate to Dex.
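
The following POSIX shell helpers are an added example, not part of the Rok documentation or tooling. They check the result of steps 3 and 4 before you commit: the `<HASH>` placeholder has been replaced by a bcrypt hash of sufficient cost, and both rendered secret_params.env files carry the client ID and secret exported in the shell. The function names are hypothetical, and the credentials are matched by value because the key names inside the templates are not shown on this page.

```shell
#!/bin/sh
# Added example: sanity checks to run before committing the manual setup.
# Helper names are hypothetical; file paths are passed in as arguments.

# check_static_hash FILE [MIN_COST]: every "hash:" value in FILE must be a
# well-formed bcrypt hash with cost >= MIN_COST (default 12, as in step 1).
check_static_hash() {
    file=$1; min_cost=${2:-12}
    hashes=$(sed -n 's/^[[:space:]]*hash:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$file" | tr -d "\"'\r")
    [ -n "$hashes" ] || { echo "no hash value found in $file" >&2; return 1; }
    while IFS= read -r h; do
        printf '%s\n' "$h" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' ||
            { echo "$file: not a bcrypt hash (placeholder left in?)" >&2; return 1; }
        cost=$(printf '%s' "$h" | cut -d'$' -f3)
        [ "${cost#0}" -ge "$min_cost" ] ||
            { echo "$file: bcrypt cost $cost is below $min_cost" >&2; return 1; }
    done <<EOF
$hashes
EOF
}

# contains FILE STRING: pure-shell substring search, so the secret is never
# placed on another process's command line.
contains() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *"$2"*) return 0 ;; esac
    done < "$1"
    return 1
}

# check_client_creds DEX_ENV AUTHSERVICE_ENV: both rendered files must carry
# the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET set in the current shell.
check_client_creds() {
    [ -n "${OIDC_CLIENT_ID:-}" ] && [ -n "${OIDC_CLIENT_SECRET:-}" ] ||
        { echo "OIDC_CLIENT_ID / OIDC_CLIENT_SECRET are not set" >&2; return 1; }
    for f in "$1" "$2"; do
        contains "$f" "$OIDC_CLIENT_ID" ||
            { echo "client ID missing from $f" >&2; return 1; }
        contains "$f" "$OIDC_CLIENT_SECRET" ||
            { echo "client secret missing from $f" >&2; return 1; }
    done
}
```

Run both functions from `~/ops/deployments` in the same shell session as step 4, passing the static-user-passwd.yaml path to `check_static_hash` and the two rendered secret_params.env paths to `check_client_creds`.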

Summary

You have successfully set up users for Rok, using Dex and the AuthService.

What’s Next

The next step is to deploy Rok.