Add Static Users in Dex

If you are using Dex as an OIDC provider, and have it configured to use static users, this section will guide you through adding new users.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
    
  2. Specify the email of the new user:

    root@rok-tools:~/ops/deployments# export EMAIL=<EMAIL>
    

    Replace <EMAIL> with the email of the user you want to add. This will be used by the end-user when logging in. For example:

    root@rok-tools:~/ops/deployments# export EMAIL=user@example.com
    
  3. Specify the username for the new user:

    root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>
    

    Replace <USERNAME> with the username of the user you want to add. This should be unique since it will be used for creating the Kubernetes namespace for this user. For example:

    root@rok-tools:~/ops/deployments# export USERNAME=user
    
  4. Choose a password and hash it:

    root@rok-tools:~/ops/deployments# export HASH=$(python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))')
    Password:
    
  5. Generate a user ID:

    root@rok-tools:~/ops/deployments# export USERID=$(cat /proc/sys/kernel/random/uuid)
    
  6. Generate the staticPasswords entry for the new user. Copy the output to your clipboard, as you are going to use it in the next step.

    root@rok-tools:~/ops/deployments# j2 rok/rok-external-services/dex/static-user-entry.yaml.j2
    - email: user@example.com
      hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
      username: user
      userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
    
  7. Edit the patch for the Dex ConfigMap based on your deployment.

    Edit rok/rok-external-services/dex/overlays/deploy/patches/static-user-passwd.yaml and add the previously generated entry to the staticPasswords field.

    staticPasswords:
    ...
    - email: user@example.com
      hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
      username: user
      userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
    

    Edit kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml and add the previously generated entry to the staticPasswords field.

    staticPasswords:
    ...
    - email: user@example.com
      hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
      username: user
      userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
    
  8. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -am "Add static user ${USERNAME?} in Dex"
    
  9. Apply the changes based on your deployment.

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/dex/overlays/deploy
    
    root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/dex/overlays/deploy
    
  10. Restart Dex for the changes to take effect:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n auth -l app=dex
    
  11. Verify that Dex is up and running. Check the pod status and verify that the STATUS field is Running and the READY field is 1/1:

    root@rok-tools:~/ops/deployments (develop)# kubectl get pods -n auth
    NAME                   READY   STATUS    RESTARTS   AGE
    dex-655d4cfd66-xhkxb   1/1     Running   0          1m
    
    Troubleshooting
    The pod status is ‘CrashLoopBackOff’.

    Most likely the password hash is malformed. Looking at the pod's logs, you should see:

    error parse config file /etc/dex/cfg/config.yaml: error unmarshaling JSON: malformed bcrypt hash: crypto/bcrypt: hashedSecret too short to be a bcrypted password
    

    Make sure the hash generated in step 4 is exactly the one in the ConfigMap patch.
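
A pre-flight check for the troubleshooting case above, as an added example that is not part of the original procedure: `check_bcrypt_hash` confirms that a value has the 60-character bcrypt layout before it goes into staticPasswords, and `patch_has_hash` confirms that a patch file carries exactly that value. Both function names are hypothetical; the cost range of 4 to 31 is the one enforced by Go's crypto/bcrypt, the library named in the error message.

```bash
# check_bcrypt_hash HASH: return 0 if HASH has the bcrypt layout
# $2<a|b|y>$<2-digit cost>$<22-char salt><31-char digest> (60 characters).
check_bcrypt_hash() {
    hash=$1
    if [ "${#hash}" -ne 60 ]; then
        echo "bad hash: length ${#hash}, expected 60" >&2
        return 1
    fi
    if ! printf '%s\n' "$hash" |
        grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        echo "bad hash: unexpected prefix or characters" >&2
        return 1
    fi
    cost=${hash#\$2?\$}   # drop the "$2y$" prefix
    cost=${cost%%\$*}     # keep only the cost digits
    cost=${cost#0}        # "08" -> "8", so it is never read as octal
    # Go's crypto/bcrypt rejects costs outside 4..31.
    if [ "$cost" -lt 4 ] || [ "$cost" -gt 31 ]; then
        echo "bad hash: cost $cost outside 4..31" >&2
        return 1
    fi
}

# patch_has_hash FILE HASH: return 0 if some "hash:" line in FILE holds
# exactly HASH (surrounding quotes are ignored).
patch_has_hash() {
    sed -n 's/^[[:space:]]*hash:[[:space:]]*//p' "$1" |
        tr -d "\"'" | grep -Fqx -- "$2"
}

# Demo on the sample hash shown in the procedure and on a constructed,
# truncated copy of it (the last ten characters are cut off).
sample='$2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO'
check_bcrypt_hash "$sample" && echo "sample hash: ok"
check_bcrypt_hash "${sample%??????????}" || echo "truncated hash: rejected"
```

Keep the hash in single quotes whenever you pass it on a command line: inside double quotes the shell expands its `$` fields and leaves a shortened value of the kind the check rejects.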

Summary

You have successfully added a static user in Dex.

What’s Next

Check out the rest of the maintenance operations that you can perform on your cluster.