Configure Rok Registry to Use Dex
Rok Registry authenticates users using Dex as the default OIDC Provider. This guide will walk you through configuring Rok Registry to use Dex.
Choose one of the following options to configure authentication:
- Option 1: Configure Rok Registry to Use Dex Automatically (preferred).
- Option 2: Configure Rok Registry to Use Dex Manually.
Air Gapped
Follow Option 2 and proceed with the manual installation.
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
Option 1: Configure Rok Registry to Use Dex Automatically (preferred)
Rok Registry does not currently support automatic configuration for Dex. Please follow Option 2: Configure Rok Registry to Use Dex Manually to configure Rok Registry to use Dex.
Option 2: Configure Rok Registry to Use Dex Manually
If you want to configure Rok Registry to use Dex as an OIDC provider manually, follow the instructions below.
Procedure
1. Go to your GitOps repository, inside your rok-tools management environment:

```
root@rok-tools:~# cd ~/ops/deployments
```

2. Generate OIDC client credentials for Rok Registry and copy the client secret. The secret shown below is an example of what the command prints; use the value your own command produces:

```
root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_ID="fort"
root@rok-tools:~/ops/deployments# export REGISTRY_OIDC_CLIENT_SECRET="$(openssl rand \
>     -hex 32)" && echo $REGISTRY_OIDC_CLIENT_SECRET
fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
```

This secret is written in plaintext to two files of your GitOps repository (steps 3 and 8), from which kustomize generates Kubernetes Secrets, so protect access to the repository accordingly.

3. Append the client credentials you generated in the previous step to kubeflow/manifests/common/dex/overlays/deploy/secret_params.env:

```
REGISTRY_OIDC_CLIENT_ID=fort
REGISTRY_OIDC_CLIENT_SECRET=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
```

4. Add a new entry to the staticClients field of the kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml patch, that looks like the following. Dex reads the client ID and secret from the environment variables named by idEnv and secretEnv, so these names must match the keys you added in step 3:

```yaml
staticClients:
  ...
  - idEnv: REGISTRY_OIDC_CLIENT_ID
    redirectURIs: ["/registry/oidc-callback/dex"]
    name: Fort
    secretEnv: REGISTRY_OIDC_CLIENT_SECRET
```

5. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and comment out the following line to disable the default local user that comes with Rok Registry:

```yaml
patchesStrategicMerge:
  ...
  #- patches/rokregistrycluster-enable-default-user.yaml  # <-- Comment this line out
```

6. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml patch and add the following to enable authentication via OIDC providers:

```yaml
apiVersion: crd.arrikto.com/v1alpha1
kind: RokRegistryCluster
metadata:
  name: rok-registry
spec:
  configVars:
    fort.auth_methods: social
```

7. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml patch and add the following to configure Rok Registry to use Dex as an OIDC provider. client_id must equal the value of REGISTRY_OIDC_CLIENT_ID from step 3, and redirect_uri must equal the redirectURIs entry you registered in the Dex static client in step 4. token_endpoint and userinfo_endpoint are back-channel calls that Rok Registry makes to Dex's in-cluster service address, whereas authorization_endpoint and redirect_uri are relative paths that the user's browser follows:

```yaml
apiVersion: crd.arrikto.com/v1alpha1
kind: RokRegistryCluster
metadata:
  name: rok-registry
spec:
  socialProviders:
    dex:
      name: Dex
      type: generic
      client_id: fort
      redirect_uri: "/registry/oidc-callback/dex"
      token_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/token"
      userinfo_endpoint: "http://dex.auth.svc.cluster.local:5556/dex/userinfo"
      authorization_endpoint: "/dex/auth"
      scopes:
        - profile
        - email
        - groups
      mapping:
        name: nickname
```

8. Create the rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials file and add the client secret you generated in step 2, keyed by the provider name (dex):

```
dex=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
```

9. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml patch and add the following to pass the client secret to the Rok Registry deployment. The Secret name must match the secretGenerator entry you add in step 11:

```yaml
apiVersion: crd.arrikto.com/v1alpha1
kind: RokRegistryCluster
metadata:
  name: rok-registry
spec:
  socialProviderCredentialsSecret: rok-registry-social-provider-credentials-secret
```

10. Create the rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml patch and add the following to allow email symbols (@, +, .) in usernames, so that usernames that are email addresses are accepted:

```yaml
apiVersion: crd.arrikto.com/v1alpha1
kind: RokRegistryCluster
metadata:
  name: rok-registry
spec:
  configVars:
    fort.allow_email_symbols: true
```

11. Edit the rok/rok-registry-cluster/overlays/deploy/kustomization.yaml file and add the following to combine all the previous patches:

```yaml
secretGenerator:
  ...
  - name: rok-registry-social-provider-credentials-secret
    envs:
      - secrets/social_provider_credentials
    type: Opaque
...
patchesStrategicMerge:
  ...
  - patches/rokregistrycluster-enable-social-provider.yaml
  - patches/rokregistrycluster-configure-social-provider.yaml
  - patches/rokregistrycluster-social-provider-credentials-secret.yaml
  - patches/rokregistrycluster-allow-email-symbols.yaml
```

12. Stage the new files. The files you edited in steps 3, 4, 5 and 11 are already tracked, so the -a flag of the commit in the next step picks them up:

```
root@rok-tools:~/ops/deployments# git add \
>     rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-enable-social-provider.yaml \
>     rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configure-social-provider.yaml \
>     rok/rok-registry-cluster/overlays/deploy/secrets/social_provider_credentials \
>     rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-social-provider-credentials-secret.yaml \
>     rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-allow-email-symbols.yaml
```

13. Commit your changes:

```
root@rok-tools:~/ops/deployments# git commit -am "Configure Rok Registry to Use Dex"
```
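The procedure above spreads one OIDC client registration across five files, and the values have to agree pairwise: the ID and secret Dex resolves through idEnv/secretEnv, the client_id and redirect_uri Rok Registry presents, the secret under the dex key, and the Secret name the RokRegistryCluster references. The following script is an added example, not part of the Arrikto documentation or of Rok, that checks those invariants before you run kustomize build. It assumes the guide's file paths relative to the GitOps repository root (~/ops/deployments) and the key names shown in the guide's snippets; make_sample_repo writes constructed, abridged copies of those files so the check can be exercised without a real checkout.

```shell
#!/usr/bin/env bash
# Added example, not Arrikto's code: cross-check the Dex static client against the
# Rok Registry social-provider manifests the procedure above creates. Paths are the
# guide's, relative to the GitOps repo root (~/ops/deployments); make_sample_repo
# writes constructed files that mirror (abridged) the guide's snippets.

DEX_ENV="kubeflow/manifests/common/dex/overlays/deploy/secret_params.env"
DEX_CM="kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml"
REG="rok/rok-registry-cluster/overlays/deploy"
PATCHES="rokregistrycluster-enable-social-provider.yaml
rokregistrycluster-configure-social-provider.yaml
rokregistrycluster-social-provider-credentials-secret.yaml
rokregistrycluster-allow-email-symbols.yaml"

# VALUE of a KEY=VALUE line in an env file (last occurrence wins).
env_value() { sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n1; }

# First scalar after "KEY:" in a YAML file; list dash, quotes and brackets stripped.
yaml_value() {
  sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*$2:[[:space:]]*//p" "$1" 2>/dev/null \
    | head -n1 | tr -d '"[]'
}

# check_oidc_consistency REPO_ROOT: prints one line per check; returns the number of failures.
check_oidc_consistency() {
  local root="$1" fails=0 st p dex_id dex_secret reg_id reg_secret secret_name
  local dex_env="$root/$DEX_ENV" dex_cm="$root/$DEX_CM" reg="$root/$REG"
  local kust="$reg/kustomization.yaml"
  local prov="$reg/patches/rokregistrycluster-configure-social-provider.yaml"
  local cred="$reg/patches/rokregistrycluster-social-provider-credentials-secret.yaml"
  report() { if [ "$2" -eq 0 ]; then echo "OK    $1"; else echo "FAIL  $1"; fails=$((fails + 1)); fi; }

  # Dex resolves the client ID and secret through the env vars named by idEnv/secretEnv.
  dex_id=$(env_value "$dex_env" "$(yaml_value "$dex_cm" idEnv)")
  dex_secret=$(env_value "$dex_env" "$(yaml_value "$dex_cm" secretEnv)")
  reg_id=$(yaml_value "$prov" client_id)
  reg_secret=$(env_value "$reg/secrets/social_provider_credentials" dex)
  secret_name=$(yaml_value "$cred" socialProviderCredentialsSecret)

  st=0; [ -n "$dex_id" ] && [ "$dex_id" = "$reg_id" ] || st=1
  report "client_id: Dex='$dex_id', Rok Registry='$reg_id'" $st
  st=0; [ -n "$dex_secret" ] && [ "$dex_secret" = "$reg_secret" ] || st=1
  report "client secret in secret_params.env equals secrets/social_provider_credentials" $st
  st=0; printf '%s' "$reg_secret" | grep -Eq '^[0-9a-f]{64}$' || st=1
  report "client secret is 64 hex chars, as openssl rand -hex 32 produces" $st
  st=0; [ "$(yaml_value "$dex_cm" redirectURIs)" = "$(yaml_value "$prov" redirect_uri)" ] || st=1
  report "redirect URI registered in Dex equals Rok Registry redirect_uri" $st
  st=0; [ -n "$secret_name" ] \
    && grep -Eq "^[[:space:]]*-[[:space:]]*name:[[:space:]]*${secret_name}[[:space:]]*$" "$kust" || st=1
  report "secretGenerator '$secret_name' referenced by the RokRegistryCluster is defined" $st
  for p in $PATCHES; do
    st=0; [ -f "$reg/patches/$p" ] \
      && grep -Eq "^[[:space:]]*-[[:space:]]*patches/${p}[[:space:]]*$" "$kust" || st=1
    report "patch $p exists and is listed under patchesStrategicMerge" $st
  done
  st=0; ! grep -Eq '^[[:space:]]*-[[:space:]]*patches/rokregistrycluster-enable-default-user.yaml' "$kust" || st=1
  report "default local user patch is commented out" $st
  return $fails
}

# make_sample_repo DIR: constructed repo laid out as the guide's steps leave it (abridged).
make_sample_repo() {
  local root="$1" reg="$1/$REG" s=fa58fdb2cd30719e248ffc44f1bcd31901b1299cd7aa4d7e7868fe59acb22225
  mkdir -p "$(dirname "$root/$DEX_CM")" "$reg/patches" "$reg/secrets"
  printf 'REGISTRY_OIDC_CLIENT_ID=fort\nREGISTRY_OIDC_CLIENT_SECRET=%s\n' "$s" > "$root/$DEX_ENV"
  cat > "$root/$DEX_CM" <<'EOF'
staticClients:
  - idEnv: REGISTRY_OIDC_CLIENT_ID
    redirectURIs: ["/registry/oidc-callback/dex"]
    name: Fort
    secretEnv: REGISTRY_OIDC_CLIENT_SECRET
EOF
  printf 'spec:\n  socialProviders:\n    dex:\n      client_id: fort\n      redirect_uri: "/registry/oidc-callback/dex"\n' \
    > "$reg/patches/rokregistrycluster-configure-social-provider.yaml"
  printf 'dex=%s\n' "$s" > "$reg/secrets/social_provider_credentials"
  printf 'spec:\n  socialProviderCredentialsSecret: rok-registry-social-provider-credentials-secret\n' \
    > "$reg/patches/rokregistrycluster-social-provider-credentials-secret.yaml"
  : > "$reg/patches/rokregistrycluster-enable-social-provider.yaml"
  : > "$reg/patches/rokregistrycluster-allow-email-symbols.yaml"
  cat > "$reg/kustomization.yaml" <<'EOF'
secretGenerator:
  - name: rok-registry-social-provider-credentials-secret
    envs:
      - secrets/social_provider_credentials
    type: Opaque
patchesStrategicMerge:
  #- patches/rokregistrycluster-enable-default-user.yaml
  - patches/rokregistrycluster-enable-social-provider.yaml
  - patches/rokregistrycluster-configure-social-provider.yaml
  - patches/rokregistrycluster-social-provider-credentials-secret.yaml
  - patches/rokregistrycluster-allow-email-symbols.yaml
EOF
}
# Usage against a real checkout: check_oidc_consistency ~/ops/deployments
```

Run it from the rok-tools environment as check_oidc_consistency ~/ops/deployments; a non-zero exit status is the number of failed checks, and each FAIL line names the pair of files that disagree. The parsing is deliberately line-based (sed and grep), which is enough for the flat keys the guide uses but not a general YAML parser, so a key you indent under a different parent is still found.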
Verify

1. Go to your GitOps repository, inside your rok-tools management environment:

```
root@rok-tools:~# cd ~/ops/deployments
```

2. Verify you can build the Dex manifests:

```
root@rok-tools:~/ops/deployments# kustomize build \
>     kubeflow/manifests/common/dex/overlays/deploy
```

3. Verify you can build the Rok Registry manifests:

```
root@rok-tools:~/ops/deployments# kustomize build \
>     rok/rok-registry-cluster/overlays/deploy
```

In the output, check that the generated Secret's name matches spec.socialProviderCredentialsSecret in the RokRegistryCluster. kustomize's secretGenerator appends a content-hash suffix to Secret names unless the overlay disables it, and a reference inside a custom resource field is not rewritten automatically unless the overlay configures it, so a mismatch here would only surface at runtime.

Troubleshooting

no matches for OriginalId

If the above command fails with the following error message:

```
Error: no matches for OriginalId ~G_~V_RokRegistryCluster|~X|rok-registry; no matches for CurrentId ~G_~V_RokRegistryCluster|~X|rok-registry; failed to find unique target for patch ~G_~V_RokRegistryCluster|rok-registry
```

it means that kustomize could not find the resource that one of the strategic-merge patches targets, that is, you have misconfigured the manifests for Rok Registry. Typically the apiVersion, kind or metadata.name in one of the patches does not match the base RokRegistryCluster named rok-registry. Go back to the Procedure and make sure you properly created and edited the necessary manifests.