Add Static Users in Dex

If you are using Dex as an OIDC provider, and have it configured to use static users, this section will guide you through adding new users.

What You'll Need


  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Specify the email of the new user:

    root@rok-tools:~/ops/deployments# export EMAIL=<EMAIL>

    Replace <EMAIL> with the email of the user you want to add. This will be used by the end-user when logging in. For example:

    root@rok-tools:~/ops/deployments# export
  3. Specify the username for the new user:

    root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>

    Replace <USERNAME> with the username of the user you want to add. This should be unique since it will be used for creating the Kubernetes namespace for this user. For example:

    root@rok-tools:~/ops/deployments# export USERNAME=user
  4. Choose a password and hash it:

    root@rok-tools:~/ops/deployments# export HASH=$(python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))')
  5. Generate a user ID:

    root@rok-tools:~/ops/deployments# export USERID=$(cat /proc/sys/kernel/random/uuid)
  6. Generate the staticPasswords entry for the new user. Copy the output to your clipboard, as you are going to use it in the next step.

    root@rok-tools:~/ops/deployments# cat <<EOF
    > - email: ${EMAIL?}
    >   hash: ${HASH?}
    >   username: ${USERNAME?}
    >   userID: ${USERID?}
    > EOF
    - email:
      hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
      username: user
      userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
  7. Edit kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml and add the previously generated entry to the staticPasswords field.

    - email:
      hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
      username: user
      userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
  8. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -am "Add static user ${USERNAME?} in Dex"
  9. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/dex/overlays/deploy
  10. Restart Dex for the changes to take effect:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n auth -l app=dex


  1. Verify that Dex is up-and-running. Check pod status and verify field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments (develop)# kubectl get pods -n auth
    NAME                   READY   STATUS    RESTARTS   AGE
    dex-655d4cfd66-xhkxb   1/1     Running   0          1m


    The pod status is 'CrashLoopBackOff'.

    Most likely the password hash is malformed. Looking at its logs you should see:

    error parse config file /etc/dex/cfg/config.yaml: error unmarshaling JSON: malformed bcrypt hash: crypto/bcrypt: hashedSecret too short to be a bcrypted password

    Make sure the hash generated in first step is also the one in the ConfigMap patch.


You have successfully added a static user in Dex.

What's Next

Check out the rest of the maintenance operations that you can perform on your cluster.