Add Static Users in Dex
If you are using Dex as an OIDC provider, and have it configured to use static users, this section will guide you through adding new users.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- A working Rok or Kubeflow deployment.
Procedure
- Go to your GitOps repository, inside your rok-tools management environment:

      root@rok-tools:/# cd ~/ops/deployments

- Specify the email of the new user:

      root@rok-tools:~/ops/deployments# export EMAIL=<EMAIL>

  Replace <EMAIL> with the email of the user you want to add. This will be used by the end-user when logging in. For example:

      root@rok-tools:~/ops/deployments# export EMAIL=user@example.com

- Specify the username for the new user:

      root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>

  Replace <USERNAME> with the username of the user you want to add. This should be unique since it will be used for creating the Kubernetes namespace for this user. For example:

      root@rok-tools:~/ops/deployments# export USERNAME=user

- Choose a password and hash it:

      root@rok-tools:~/ops/deployments# export HASH=$(python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))')
      Password:

- Generate a user ID:

      root@rok-tools:~/ops/deployments# export USERID=$(cat /proc/sys/kernel/random/uuid)

- Generate the staticPasswords entry for the new user. Copy the output to your clipboard, as you are going to use it in the next step.

      root@rok-tools:~/ops/deployments# cat <<EOF
      > - email: ${EMAIL?}
      >   hash: ${HASH?}
      >   username: ${USERNAME?}
      >   userID: ${USERID?}
      > EOF
      - email: user@example.com
        hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
        username: user
        userID: d28802d7-97a4-4e49-b67d-80c56fcaf530

- Edit kubeflow/manifests/common/dex/overlays/deploy/patches/config-map.yaml and add the previously generated entry to the staticPasswords field.

      staticPasswords:
      ...
      - email: user@example.com
        hash: $2y$12$LXwF5gk43JunEM02OKWevuyyo0GPwZaD4WobTv0yahDZzN8IAFykO
        username: user
        userID: d28802d7-97a4-4e49-b67d-80c56fcaf530

- Commit the changes:

      root@rok-tools:~/ops/deployments# git commit -am "Add static user ${USERNAME?} in Dex"

- Apply the changes:

      root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/dex/overlays/deploy

- Restart Dex for the changes to take effect:

      root@rok-tools:~/ops/deployments# kubectl delete pods -n auth -l app=dex
Verify
Verify that Dex is up and running. Check the pod status and verify that the STATUS field is Running and the READY field is 1/1:

    root@rok-tools:~/ops/deployments (develop)# kubectl get pods -n auth
    NAME                   READY   STATUS    RESTARTS   AGE
    dex-655d4cfd66-xhkxb   1/1     Running   0          1m

Troubleshooting
The pod status is ‘CrashLoopBackOff’.
Most likely the password hash is malformed. Looking at the pod's logs, you should see:

    error parse config file /etc/dex/cfg/config.yaml: error unmarshaling JSON: malformed bcrypt hash: crypto/bcrypt: hashedSecret too short to be a bcrypted password

Make sure the hash generated in the first step is also the one in the ConfigMap patch.
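
A check you can run before committing, to catch the malformed-hash failure described above (an added example, not part of the Arrikto tooling or of Dex). It is a structural check only, not the parser Dex itself uses. The function name, the sample entries, the input as already-parsed Python dictionaries and the uniqueness check on email and userID are assumptions made for the example.

```python
import re

# Structural shape of a bcrypt string: "$2a/$2b/$2y", a two-digit cost, then
# 22 salt + 31 digest characters from bcrypt's base64 alphabet (60 in total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
REQUIRED = ("email", "hash", "username", "userID")


def check_static_passwords(entries):
    """Return a list of problems found in a list of staticPasswords dicts."""
    problems = []
    seen = {field: {} for field in ("email", "username", "userID")}
    for i, entry in enumerate(entries):
        missing = [key for key in REQUIRED if not entry.get(key)]
        if missing:
            problems.append(f"entry {i}: missing {', '.join(missing)}")
        value = str(entry.get("hash") or "")
        match = BCRYPT_RE.match(value)
        if value and not match:
            problems.append(
                f"entry {i}: malformed bcrypt hash (length {len(value)}, expected 60)")
        elif match and not 4 <= int(match.group(1)) <= 31:
            problems.append(f"entry {i}: bcrypt cost {match.group(1)} outside 4-31")
        for field, index in seen.items():
            key = entry.get(field)
            if key in index:
                problems.append(f"entry {i}: {field} {key!r} duplicates entry {index[key]}")
            elif key:
                index[key] = i
    return problems


# Constructed sample data: the hash has the right shape but matches no password.
GOOD_HASH = "$2y$12$" + "A" * 53
SAMPLE = [
    {"email": "user@example.com", "hash": GOOD_HASH,
     "username": "user", "userID": "00000000-0000-0000-0000-000000000001"},
    # Hash truncated while being pasted into the ConfigMap patch.
    {"email": "dev@example.com", "hash": GOOD_HASH[:40],
     "username": "dev", "userID": "00000000-0000-0000-0000-000000000002"},
    # Hash mangled by shell expansion inside double quotes; username repeats entry 0.
    {"email": "ops@example.com", "hash": "y2",
     "username": "user", "userID": "00000000-0000-0000-0000-000000000003"},
]

if __name__ == "__main__":
    for problem in check_static_passwords(SAMPLE):
        print(problem)
```

Load the staticPasswords list from config-map.yaml with a YAML parser of your choice and pass it to the function; an empty result means every entry passed the structural checks.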
What’s Next
Check out the rest of the maintenance operations that you can perform on your cluster.