Add Static Users in Dex
If you are using Dex as an OIDC provider, and have it configured to use static users, this section will guide you through adding new users.
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- A working Rok or Kubeflow deployment.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:
root@rok-tools:/# cd ~/ops/deployments
Specify the email of the new user:
root@rok-tools:~/ops/deployments# export EMAIL=<EMAIL>
Replace <EMAIL> with the email of the user you want to add. This will be used by the end-user when logging in. For example:
root@rok-tools:~/ops/deployments# export EMAIL=user@example.com
Specify the username for the new user:
root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>
Replace <USERNAME> with the username of the user you want to add. This should be unique since it will be used for creating the Kubernetes namespace for this user. For example:
root@rok-tools:~/ops/deployments# export USERNAME=user
Choose a password and hash it:
root@rok-tools:~/ops/deployments# export HASH=$(python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))')
Password:
Generate a user ID:
root@rok-tools:~/ops/deployments# export USERID=$(cat /proc/sys/kernel/random/uuid)
Generate the staticPasswords entry for the new user. Copy the output to your clipboard, as you are going to use it in the next step.
root@rok-tools:~/ops/deployments# cat <<EOF
> - email: ${EMAIL?}
>   hash: ${HASH?}
>   username: ${USERNAME?}
>   userID: ${USERID?}
> EOF
- email: user@example.com
  hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
  username: user
  userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
Edit kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml and add the previously generated entry to the staticPasswords field.
staticPasswords:
...
- email: user@example.com
  hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
  username: user
  userID: d28802d7-97a4-4e49-b67d-80c56fcaf530
Commit the changes:
root@rok-tools:~/ops/deployments# git commit -am "Add static user ${USERNAME?} in Dex"
Apply the changes:
root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/dex/overlays/deploy
Restart Dex for the changes to take effect:
root@rok-tools:~/ops/deployments# kubectl delete pods -n auth -l app=dex
Verify
Verify that Dex is up and running. Check the pod status and confirm that the STATUS field is Running and the READY field is 1/1:
root@rok-tools:~/ops/deployments (develop)# kubectl get pods -n auth
NAME                   READY   STATUS    RESTARTS   AGE
dex-655d4cfd66-xhkxb   1/1     Running   0          1m
Troubleshooting
The pod status is 'CrashLoopBackOff'.
Most likely the password hash is malformed. The Dex pod logs should show:
error parse config file /etc/dex/cfg/config.yaml: error unmarshaling JSON: malformed bcrypt hash: crypto/bcrypt: hashedSecret too short to be a bcrypted password
Make sure the hash generated in the first step is also the one in the ConfigMap patch.
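A check for the malformed-hash failure above, as an added example that is not part of the original guide or of Dex: it validates the bcrypt layout (60 characters, $2a/$2b/$2y prefix, cost 4 to 31) of every hash: value in a YAML file. The function names check_dex_hash and check_hashes_in_file are hypothetical.

```shell
#!/bin/sh
# Added example; check_dex_hash and check_hashes_in_file are hypothetical helpers.

# Succeed only if $1 is a well-formed bcrypt hash.
check_dex_hash() {
    hash=$1
    # A bcrypt hash is exactly 60 characters; shorter values trigger
    # "hashedSecret too short to be a bcrypted password" when Dex starts.
    if [ "${#hash}" -ne 60 ]; then
        echo "bad hash: ${#hash} characters instead of 60" >&2
        return 1
    fi
    # Layout: $2<a|b|y>$<two-digit cost>$<22-char salt><31-char digest>
    if ! printf '%s\n' "$hash" |
        grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        echo "bad hash: not in \$2y\$<cost>\$<salt+digest> form" >&2
        return 1
    fi
    cost=${hash#\$2?\$}    # strip the "$2y$" prefix
    cost=${cost%%\$*}      # keep the two cost digits
    cost=${cost#0}         # "04" -> "4"
    if [ "$cost" -lt 4 ] || [ "$cost" -gt 31 ]; then
        echo "bad hash: cost $cost outside 4..31" >&2
        return 1
    fi
}

# Check every "hash:" value in a YAML file; print how many are malformed
# and fail if there is at least one.
check_hashes_in_file() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue     # file has no "hash:" lines at all
        h=${line#=}                    # drop the marker added by sed
        check_dex_hash "$h" || bad=$((bad + 1))
    done <<EOF
$(sed -n 's/^[[:space:]-]*hash:[[:space:]]*/=/p' "$1" | tr -d "\"' \r")
EOF
    echo "$bad"
    [ "$bad" -eq 0 ]
}
```

Running check_hashes_in_file on kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml before the commit step catches a truncated or mistyped hash before Dex is restarted.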
What's Next
Check out the rest of the maintenance operations that you can perform on your cluster.