Add Static Users in Dex

If you are using Dex as an OIDC provider, and have it configured to use static users, this section will guide you through adding new users.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Specify the email of the new user:

    root@rok-tools:~/ops/deployments# export EMAIL=<EMAIL>

    Replace <EMAIL> with the email of the user you want to add. This will be used by the end-user when logging in. For example:

    root@rok-tools:~/ops/deployments# export EMAIL=user@example.com
  3. Specify the username for the new user:

    root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>

    Replace <USERNAME> with the username of the user you want to add. This should be unique since it will be used for creating the Kubernetes namespace for this user. For example:

    root@rok-tools:~/ops/deployments# export USERNAME=user
  4. Choose a password and hash it:

    root@rok-tools:~/ops/deployments# export HASH=$(python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))')
    Password:
  5. Generate a user ID:

    root@rok-tools:~/ops/deployments# export USERID=$(cat /proc/sys/kernel/random/uuid)
  6. Generate the staticPasswords entry for the new user. Copy the output to your clipboard, as you are going to use it in the next step.

    root@rok-tools:~/ops/deployments# cat <<EOF
    > - email: ${EMAIL?}
    >   hash: ${HASH?}
    >   username: ${USERNAME?}
    >   userID: ${USERID?}
    > EOF
    - email: user@example.com
      hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
      username: user
      userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
  7. Edit kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml and add the previously generated entry to the staticPasswords field.

    staticPasswords:
    ...
    - email: user@example.com
      hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
      username: user
      userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
  8. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -am "Add static user ${USERNAME?} in Dex"
  9. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/dex/overlays/deploy
  10. Restart Dex for the changes to take effect:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n auth -l app=dex

Verify

  1. Verify that Dex is up and running. Check the pod status and verify that the STATUS field is Running and the READY field is 2/2:

    root@rok-tools:~/ops/deployments (develop)# kubectl get pods -n auth
    NAME    READY   STATUS    RESTARTS   AGE
    dex-0   2/2     Running   0          1m

    Troubleshooting

    The pod status is ‘CrashLoopBackOff’.

    Most likely the password hash is malformed. In the pod's logs you should see:

    error parse config file /etc/dex/cfg/config.yaml: error unmarshaling JSON: malformed bcrypt hash: crypto/bcrypt: hashedSecret too short to be a bcrypted password

    Make sure the hash you generated earlier (step 4 of the procedure) is exactly the one that appears in the ConfigMap patch.
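
    A pre-apply check for the malformed-hash failure described above, as an added example that is not part of the original page or of the Rok or Dex tooling. The function names, the script name and the sample entries are constructed for illustration, and the script assumes each hash sits on a single "hash: <value>" line (it scans lines rather than parsing YAML).

```shell
#!/bin/sh
# Added example (not from the Rok or Dex projects): pre-apply check for the
# "hash:" values under staticPasswords in the Dex ConfigMap patch.

# A complete bcrypt hash is 60 characters: "$2a$", "$2b$" or "$2y$", a
# two-digit cost, "$", then 53 characters of salt and digest.
BCRYPT_RE='^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'

# Print how many "hash:" values in file $1 are not complete bcrypt hashes.
# Surrounding quotes are stripped first; empty values are counted as malformed.
count_malformed_hashes() {
    sed -n "s/^[[:space:]-]*hash:[[:space:]]*[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" |
        grep -Evc "$BCRYPT_RE" || true
}

# Return 0 only if file $1 has at least one hash and all of them are well formed.
check_static_passwords() {
    total=$(grep -Ec '^[[:space:]-]*hash:' "$1" || true)
    bad=$(count_malformed_hashes "$1")
    echo "$1: $total hash value(s), $bad malformed" >&2
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample: the page's example entry, a truncated hash and an empty one.
write_sample() {
    cat > "$1" <<'EOF'
staticPasswords:
- email: user@example.com
  hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
  username: user
  userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
- email: truncated@example.com
  hash: "$2y$12$LXwF5gk43JunEM02"
  username: truncated
- email: empty@example.com
  hash:
  username: empty
EOF
}

# Usage (hypothetical script name): sh check-dex-hashes.sh <path to config-map.yaml>
if [ -n "${1:-}" ]; then check_static_passwords "$1"; fi
```

    Run it against the edited config-map.yaml before the commit step; a non-zero exit status means at least one hash would make Dex fail to parse its configuration.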

Summary

You have successfully added a static user in Dex.

What’s Next

Check out the rest of the maintenance operations that you can perform on your cluster.