Set Up Users for Rok¶
Rok authenticates users using OIDC. We use Dex as our default OIDC Provider and AuthService as our OIDC Client (authenticating proxy). This guide will walk you through setting up authentication for Rok, using Dex and the AuthService.
More specifically you will need to
- Change password for the default user.
- Change credentials for the OIDC client.
Important
If you are planning to integrate Rok with another OIDC Provider other than Dex, e.g., GitLab, you will need to edit your installation after completing it with Dex. To do so, follow the Identity Providers (OIDC) guide.
Fast Forward
If you have already set up the default user for Rok, expand this box to fast-forward.
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsSet the hash of the default user’s password:
root@rok-tools:~/ops/deployments# export DEX_DEFAULT_USER_PWHASH=$(cat kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml | \ > grep hash | cut -d : -f2- | xargs)Set the OIDC Client ID:
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=$(cat kubeflow/manifests/common/dex/overlays/deploy/secret_params.env | \ > grep OIDC_CLIENT_ID | cut -d = -f2-)Set the OIDC Client secret:
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=$(cat kubeflow/manifests/common/dex/overlays/deploy/secret_params.env | \ > grep OIDC_CLIENT_SECRET | cut -d = -f2-)Save your state:
root@rok-tools:~/ops/deployments# rok-j2 deploy/env.users.j2 -o deploy/env.usersCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Set Up Users for Rok"Proceed to the Verify section.
Choose one of the following options to set up users for Rok:
Air Gapped
Follow Option 2 and proceed with the manual installation.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
Option 1: Set Up Users Automatically (preferred)¶
Set up users for Rok by following the on-screen instructions on the
rok-deploy
user interface.
If rok-deploy
is not already running, start it with:
Proceed to the Summary section.
Option 2: Set Up Users Manually¶
If you want to set up users for Rok manually, follow the instructions below.
Procedure¶
The default installation of Dex comes with a single static user. To change the default user password or create new users, you have to modify the Dex ConfigMap.
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsPick a password for the default user and hash it using
bcrypt
:root@rok-tools:~/ops/deployments# export DEX_DEFAULT_USER_PWHASH=$(python3 -c \ > 'from passlib.hash import bcrypt; import getpass; \ > print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))')Configure Dex to use the password you specified in the previous step for the default user with handle
user@example.com
:root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml.j2 \ > -o kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yamlGenerate OIDC Client credentials for the AuthService:
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID="authservice"root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET="$(openssl rand -base64 32)"Note
AuthService uses these credentials to authenticate with Dex.
Configure AuthService to use the credentials you generated in the previous step:
root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.envSee also
Configure Dex to use the credentials you generated at step 4:
root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/dex/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/dex/overlays/deploy/secret_params.envSee also
Save your state:
root@rok-tools:~/ops/deployments# rok-j2 deploy/env.users.j2 -o deploy/env.usersCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Set Up Users for Rok"Mark your progress:
root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.5/users \ > -m "Set Up Users for Rok"
Verify¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.users)root@rok-tools:~/ops/deployments# export DEX_DEFAULT_USER_PWHASH \ > OIDC_CLIENT_ID OIDC_CLIENT_SECRETCalculate the hash of the OIDC client credentials:
root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID_BASE64=$(echo -n \ > ${OIDC_CLIENT_ID?} | base64)root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET_BASE64=$(echo -n \ > ${OIDC_CLIENT_SECRET?} | base64)Verify you have properly configured the password for the default user in Dex:
root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/dex/overlays/deploy | \ > grep -q "hash: ${DEX_DEFAULT_USER_PWHASH?}" && echo OK OKVerify you have properly configured the OIDC client credentials for Dex:
root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/dex/overlays/deploy | \ > grep -q "OIDC_CLIENT_ID: ${OIDC_CLIENT_ID_BASE64?}" && echo OK OKroot@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/dex/overlays/deploy | \ > grep -q "OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET_BASE64?}" && echo OK OKVerify you have properly configured the OIDC client credentials for AuthService:
root@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy | \ > grep -q "CLIENT_ID: ${OIDC_CLIENT_ID_BASE64?}" && echo OK OKroot@rok-tools:~/ops/deployments# kustomize build \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy | \ > grep -q "CLIENT_SECRET: ${OIDC_CLIENT_SECRET_BASE64?}" && echo OK OK