Configure Rok Registry to Use Dex

Rok Registry authenticates users using Dex as the default OIDC Provider. This guide will walk you through configuring Rok Registry to use Dex.

Choose one of the following options to configure authentication:

Option 1: Configure Rok Registry to Use Dex Automatically (preferred)

Rok Registry does not currently support automatic configuration for Dex. Please follow Option 2: Configure Rok Registry to Use Dex Manually to configure Rok Registry to use Dex.

Option 2: Configure Rok Registry to Use Dex Manually

If you want to configure Rok Registry to use Dex as an OIDC provider manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Generate OIDC client credentials for Rok Registry and note the client secret; you will need it again in steps 3 and 9:

    root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_ID="fort"
    
    root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_SECRET="$(openssl rand \
    >   -hex 32)" && echo $REGISTRY_OIDC_CLIENT_SECRET
    fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
    
  3. Append the client credentials you generated in the previous step to kubeflow/manifests/common/dex/overlays/deploy/secret_params.env:

    REGISTRY_OIDC_CLIENT_ID=fort
    REGISTRY_OIDC_CLIENT_SECRET=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
    
  4. Set the domain name of your Rok Registry installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>
    

    Replace <FQDN> with your installation's domain name. For example:

    root@rok-tools:~/ops/deployments# export FQDN=arrikto-cluster.apps.example.com
    
  5. Add a new entry to the staticClients field of the kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml patch, that looks like the following:

    staticClients:
    ...
    - idEnv: REGISTRY_OIDC_CLIENT_ID
      redirectURIs: ["https://<FQDN>/registry/oidc-callback/dex"]  # <-- Update this line with your FQDN
      name: Fort
      secretEnv: REGISTRY_OIDC_CLIENT_SECRET
    

    Note

    Replace <FQDN> with your installation's domain name as you set it in the previous step.

  6. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and comment out the following line to disable the default local user that comes with Rok Registry:

    patchesStrategicMerge:
    ...
    #- patches/rokregistrycluster-enable-default-user.yaml  # <-- Comment this line out
    
  7. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml patch and add the following to enable authentication via OIDC providers:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      configVars:
        fort.auth_methods: social
    
  8. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml patch and add the following to configure Rok Registry to use Dex as an OIDC provider:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      socialProviders:
        dex:
          name: Dex
          type: generic
          client_id: fort
          token_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/token"
          userinfo_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/userinfo"
          authorization_endpoint: "/dex/auth"
          scopes:
          - profile
          - email
          - groups
          mapping:
            name: nickname
    

    Note

    The token_endpoint and userinfo_endpoint point at the Dex service inside the cluster over plain HTTP, so Rok Registry exchanges the authorization code and the client secret with Dex on the cluster network without passing through the ingress. Only the authorization_endpoint is visited by the user's browser, which is why it is given as a path under your installation's public https://<FQDN> address rather than as the in-cluster service address.
  9. Create the rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials file and add the client secret you generated in step 2:

    dex=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
    
  10. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml patch and add the following to pass the client secret to the Rok Registry deployment:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      socialProviderCredentialsSecret: rok-registry-social-provider-credentials-secret
    
  11. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml patch and add the following to allow email symbols (@, +, .) in usernames:

    apiVersion: crd.arrikto.com/v1alpha1
    kind: RokRegistryCluster
    metadata:
      name: rok-registry
    spec:
      configVars:
        fort.allow_email_symbols: true
    
  12. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and add the following to combine all the previous patches:

    secretGenerator:
    ...
    - name: rok-registry-social-provider-credentials-secret
      envs:
      - secrets/social_provider_credentials
      type: Opaque
    ...
    patchesStrategicMerge:
    ...
    - patches/rokregistrycluster-enable-social-provider.yaml
    - patches/rokregistrycluster-configure-social-provider.yaml
    - patches/rokregistrycluster-social-provider-credentials-secret.yaml
    - patches/rokregistrycluster-allow-email-symbols.yaml
    
  13. Stage the new files you created (the existing files you edited in steps 3, 5, 6 and 12 are already tracked and are picked up by the -a flag in the next step):

    root@rok-tools:~/ops/deployments# git add \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml \
    > rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml \
    > rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml
    
  14. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure Rok Registry to Use Dex"
    

    Note

    The secret_params.env and secrets/social_provider_credentials files now hold the client secret in plain text and are part of this commit. Anyone with read access to the GitOps repository can obtain the secret, so restrict access to the repository accordingly. If the secret is exposed, generate a new one and repeat steps 2, 3 and 9 with the new value.

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Verify you can build the Dex manifests:

    root@rok-tools:~/ops/deployments# kustomize build \
    > kubeflow/manifests/common/dex/overlays/deploy
    
  3. Verify you can build the Rok Registry manifests:

    root@rok-tools:~/ops/deployments# kustomize build \
    > rok/rok-registry-cluster/overlays/deploy
    

    Troubleshooting

    no matches for OriginalId

    If the above command fails with the following error message:

    Error: no matches for OriginalId ~G_~V_RokRegistryCluster|~X|rok-registry;
    no matches for CurrentId ~G_~V_RokRegistryCluster|~X|rok-registry;
    failed to find unique target for patch ~G_~V_RokRegistryCluster|rok-registry
    

    it means that one of the patches you listed under patchesStrategicMerge in step 12 does not find a RokRegistryCluster resource named rok-registry to apply to. Go back to the Procedure and make sure each patch file exists at the listed path and that its apiVersion, kind and metadata.name are exactly as shown.
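    kustomize build only checks that the manifests are well formed; it does not notice when the client ID, client secret or redirect URI written to the Dex side and the Rok Registry side disagree, which shows up later as a failed login. The following bash script is an added consistency check and is not part of the Rok Registry documentation or product. It assumes the file paths and line formats exactly as the procedure above writes them (REGISTRY_OIDC_CLIENT_ID and REGISTRY_OIDC_CLIENT_SECRET lines in secret_params.env, a client_id: line in the social-provider patch, a dex= line in social_provider_credentials, and a redirect URI of the form https://<FQDN>/registry/oidc-callback/dex). The sample repository it can build is constructed for the demonstration only.

```shell
#!/usr/bin/env bash
# Added example, not part of the Rok Registry documentation or product.
# Cross-checks that the values written to the Dex and Rok Registry manifests
# in the procedure above agree: same client ID, same client secret, and a
# redirect URI built from the real FQDN. kustomize build does not catch these
# mismatches; they surface later as a failed login.
set -u

# check_registry_oidc REPO FQDN
# Reads the four files the procedure edits (paths relative to REPO) and
# returns 0 if they are consistent, 1 after printing every mismatch found.
check_registry_oidc() {
  repo="$1"; fqdn="$2"; rc=0
  env_file="$repo/kubeflow/manifests/common/dex/overlays/deploy/secret_params.env"
  dex_patch="$repo/kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml"
  reg_patch="$repo/rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml"
  creds="$repo/rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials"

  for f in "$env_file" "$dex_patch" "$reg_patch" "$creds"; do
    [ -f "$f" ] || { echo "missing file: $f"; return 1; }
  done

  dex_id=$(sed -n 's/^REGISTRY_OIDC_CLIENT_ID=//p' "$env_file")
  dex_secret=$(sed -n 's/^REGISTRY_OIDC_CLIENT_SECRET=//p' "$env_file")
  reg_id=$(sed -n 's/^ *client_id: *//p' "$reg_patch")
  reg_secret=$(sed -n 's/^dex=//p' "$creds")

  [ -n "$dex_id" ] && [ "$dex_id" = "$reg_id" ] \
    || { echo "client_id mismatch: Dex env '$dex_id' vs Rok Registry patch '$reg_id'"; rc=1; }
  [ -n "$dex_secret" ] && [ "$dex_secret" = "$reg_secret" ] \
    || { echo "client secret differs between $env_file and $creds"; rc=1; }
  # openssl rand -hex 32 yields exactly 64 hex characters; anything else is
  # usually a truncated paste or a hand-typed value.
  printf '%s' "$dex_secret" | grep -Eq '^[0-9a-f]{64}$' \
    || { echo "client secret is not 64 hex characters"; rc=1; }
  grep -qF "https://$fqdn/registry/oidc-callback/dex" "$dex_patch" \
    || { echo "no redirect URI for https://$fqdn in $dex_patch"; rc=1; }
  if grep -qF '<FQDN>' "$dex_patch"; then
    echo "placeholder <FQDN> still present in $dex_patch"; rc=1
  fi
  return $rc
}

# make_sample_repo DIR FQDN SECRET
# Writes constructed sample files with the shape the procedure produces, so the
# checker can be exercised offline. Not a real deployment.
make_sample_repo() {
  dir="$1"; fqdn="$2"; secret="$3"
  mkdir -p "$dir/kubeflow/manifests/common/dex/overlays/deploy/patches" \
           "$dir/rok/rok-registry-cluster/overlays/deploy/patches" \
           "$dir/rok/rok-registry-cluster/overlays/deploy/secrets"
  printf 'REGISTRY_OIDC_CLIENT_ID=fort\nREGISTRY_OIDC_CLIENT_SECRET=%s\n' "$secret" \
    > "$dir/kubeflow/manifests/common/dex/overlays/deploy/secret_params.env"
  cat > "$dir/kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml" <<EOF
staticClients:
- idEnv: REGISTRY_OIDC_CLIENT_ID
  redirectURIs: ["https://$fqdn/registry/oidc-callback/dex"]
  name: Fort
  secretEnv: REGISTRY_OIDC_CLIENT_SECRET
EOF
  cat > "$dir/rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml" <<EOF
spec:
  socialProviders:
    dex:
      client_id: fort
EOF
  printf 'dex=%s\n' "$secret" \
    > "$dir/rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials"
}

# Usage against a real GitOps checkout:
#   check_registry_oidc ~/ops/deployments arrikto-cluster.apps.example.com
if [ "$#" -eq 2 ]; then
  check_registry_oidc "$1" "$2"
fi
```

    Run it from the rok-tools environment with the repository path and your FQDN as arguments; a zero exit status means the four files agree, and each non-zero exit prints the specific mismatch so you know which step to revisit.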

Summary

You have successfully configured Rok Registry to use Dex as an OIDC provider for authentication.

What's Next

The next step is to deploy Rok Registry.