feat(grafana): consolidate OIDC behind ArgoCD's Dex (#23)

xnoto · web-flow · commit f7297c971158 · 2026-04-29T22:28:50.000-06:00
## Summary Move Grafana off its built-in GitHub OAuth onto ArgoCD's embedded Dex, matching Headlamp's pattern. One Dex, one GitHub OAuth app, one team→role mapping in one place. Drops a separately-registered GitHub OAuth App (clientID \`Ov23liI2Cr1ur3xnZdlj\`) — that one can be removed from github.com/organizations/makeitworkcloud/settings/applications/ at your convenience. ## Changes - **\`bootstrap/argocd-config.yaml\`** — register \`grafana\` as a Dex static client. \`redirectURIs: [https://grafana.makeitwork.cloud/login/generic_oauth]\`. - **\`bootstrap/secrets/github-oauth-secret.yaml\`** — add sops-encrypted \`dex.grafana.clientSecret\` to argocd-secret. - **\`workloads/grafana/grafana.yaml\`** — replace the \`GF_AUTH_GITHUB_*\` env block with \`GF_AUTH_GENERIC_OAUTH_*\` pointing at \`https://argocd.makeitwork.cloud/api/dex/{auth,token,userinfo}\`. Update \`ROLE_ATTRIBUTE_PATH\` to match Dex's \`makeitworkcloud:admins\` group format (was GitHub's \`@makeitworkcloud/admins\`). - **\`workloads/grafana/grafana-oidc-secret.yaml\`** — new Secret \`grafana-oidc\` (sops-encrypted) with the matching \`GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana\` + \`CLIENT_SECRET\`. Old \`grafana-github-oauth-secret.yaml\` deleted; \`ksops-grafana-secrets.yaml\` updated. - **\`.sops.yaml\`** — generalize the regex from \`GF_AUTH_GITHUB_CLIENT_SECRET\` to \`GF_AUTH_(GITHUB|GENERIC_OAUTH)_CLIENT_SECRET\`. ## Test plan - [ ] After merge: \`kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.dex\\.config}'\` shows the new \`grafana\` static client - [x] After merge: \`kubectl -n grafana get secret grafana-oidc\` populated with both keys - [x] After merge: visiting \`https://grafana.makeitwork.cloud\` redirects to ArgoCD's GitHub-OAuth-via-Dex flow and lands on the dashboard with Admin / Viewer role per team membership - [x] After merge: revoke the standalone "Grafana" GitHub OAuth App at github.com/organizations/makeitworkcloud/settings/applications/ 🤖 Generated with [Claude Code](https://claude.com/claude-code)
diff --git a/.sops.yaml b/.sops.yaml
@@ -2,7 +2,7 @@
 creation_rules:
   # Default: encrypt only common secret fields
   - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
-    encrypted_regex: '^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.[a-z]+\.clientID|dex\.[a-z]+\.clientSecret|OIDC_CLIENT_(ID|SECRET))$'
+    encrypted_regex: '^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_(GITHUB|GENERIC_OAUTH)_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.[a-z]+\.clientID|dex\.[a-z]+\.clientSecret|OIDC_CLIENT_(ID|SECRET))$'
 
   # For Cloudflare credentials JSON (special case - entire value is secret)
   - path_regex: cloudflared-credentials-secret\.yaml$
diff --git a/bootstrap/argocd-config.yaml b/bootstrap/argocd-config.yaml
@@ -117,6 +117,13 @@ spec:
             secret: $dex.headlamp.clientSecret
             redirectURIs:
               - https://headlamp.makeitwork.cloud/oidc-callback
+          # Grafana uses Dex via GF_AUTH_GENERIC_OAUTH_*, replacing its
+          # built-in GitHub OAuth so all cluster apps share one IdP.
+          - id: grafana
+            name: Grafana
+            secret: $dex.grafana.clientSecret
+            redirectURIs:
+              - https://grafana.makeitwork.cloud/login/generic_oauth
   # RBAC with GitHub team mapping
   rbac:
     defaultPolicy: ''
diff --git a/bootstrap/secrets/github-oauth-secret.yaml b/bootstrap/secrets/github-oauth-secret.yaml
@@ -15,6 +15,7 @@ stringData:
     dex.github.clientID: ENC[AES256_GCM,data:zPuSme7WNDyFt7bpeqtPy+tZyHU=,iv:mj2QOgHFdUFNNb4zm37MDQQ43FTQtx49Hg9w4k1XEEA=,tag:vWXANlK+Z/LZI3jwaYUhmw==,type:str]
     dex.github.clientSecret: ENC[AES256_GCM,data:g53ok+zuNccR47ngruY9HsXRO0JbGazW32MMduvfaim2QBKs03ATCg==,iv:QqaXEDFwKpaEC1Evdaj4j1jmJzbXpevMcYXxqLF1o8U=,tag:sAQU431fwCQH3vAYOm9O1Q==,type:str]
     dex.headlamp.clientSecret: ENC[AES256_GCM,data:iO6N04zWyzvaHcs8Bd2fIaYayDAHPonQM/0CI8wXynrH0nklrQpTBuFgCarJ5/iUbGKWKQsECEAH/yzTmqCNIg==,iv:eDlO8C0OJFSnp0d90Qgj2hJqCaa74Fw58dB/VNhFvZg=,tag:GcZdcjnSOab+LWfXgGb3lw==,type:str]
+    dex.grafana.clientSecret: ENC[AES256_GCM,data:W83Zy4wsbNIUza47swtVAYjYbMiVSbLiPyBjEAj3cBHafRv4LMDtXCe/U9UWvyqMnsVdcXqsmE2FflDGQLBDcQ==,iv:nmsgCR7D35Tya0DRJZUMPtPEkElRJeqInzk4N2yMgP8=,tag:srmM2rscemUDOUjaz/fqhQ==,type:str]
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
@@ -26,7 +27,7 @@ sops:
             T2dvNlRjNE1lNFVHWnJWNTA2Z2M5STgKUX9gEItGx811Wsq/GjUwe+pxyi9lt5gY
             uqKM/eXkZyz9S3HqinAhw5xiPEBokqmNcpaOHtHNgpgkhJY9YFCllQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-30T03:57:26Z"
-    mac: ENC[AES256_GCM,data:4iLUEDeiW+3mi4xMQPWHt3CM9f21u7cHDHkvKD58Q6fjaNVC1Flu7bdplgVZhCNqdBO9M0RbLB+X6Fu5miA2r5hKFoE1zQnQarPOurnw0R7Kf6qyLtNt9qWTkFqxjtcV6KhSx4ykSwue/9zY6/A1+SdxlIR5PhgRPT87M8vBl10=,iv:H1UB7A6yu7YV14/TtOaMhFBmoW11b8XoID7IKVMEghE=,tag:/eKksCPmLoRp69zIOtzJkA==,type:str]
+    lastmodified: "2026-04-30T04:26:32Z"
+    mac: ENC[AES256_GCM,data:NJvT2fUOM2YXni/Di/DJv0hnKOO65sqRnU2jfI1Dur4M2HWjnJTRJTehb4UVbc1GvkLwVCi80inWmheoW3eWjfwDRR74VHKWXQBEG50fDk6AfZMrugH1c71FjbhEzkk33VYIwMn0B2OOyeH06TceXQ6pRAzVfv6nG5zZ9hpo5d4=,iv:DH9adVlZBl99Oj2KGjkEUUfPCmyohyIJ5t6OTnWNQD8=,tag:PqDm8YllKQHS7utXKLI/Iw==,type:str]
     encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.[a-z]+\.clientID|dex\.[a-z]+\.clientSecret)$
     version: 3.12.2
diff --git a/workloads/grafana/grafana-github-oauth-secret.yaml b/workloads/grafana/grafana-github-oauth-secret.yaml
diff --git a/workloads/grafana/grafana-oidc-secret.yaml b/workloads/grafana/grafana-oidc-secret.yaml
@@ -0,0 +1,27 @@
+# OAuth credentials Grafana uses against ArgoCD Dex (id: grafana).
+# clientSecret matches dex.grafana.clientSecret in argocd-secret.
+apiVersion: v1
+kind: Secret
+metadata:
+    name: grafana-oidc
+    namespace: grafana
+    annotations:
+        argocd.argoproj.io/sync-wave: "0"
+stringData:
+    GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
+    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:x0SqnOkBxlV6b6LSta/bh/49Y349iVn8oLbim97K8VuEvxAElE/5acX0ry3A4PcHGssqEY2c/86wxWkOsix4UA==,iv:z0c+Ktf2ZvegbupTjdVIfowAA4//aknWHDyY2douRQ0=,tag:Bm83Gs7+MITxnp1XPaWeQw==,type:str]
+sops:
+    age:
+        - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0T0VIVlAxRXNxNFpKZHFO
+            ajR1U1hNUFB5VExGWVd0clFiRWxvVXVnN3dZCkpwSndGZE9IUUJ6K0I1Qmg4cjRi
+            dDN4ZUpqUXVKdWR2TXhucUdBMEkxUzgKLS0tIHc4dWdnSDZrTlNVZGljdkkyMnd1
+            cXFvaG4wOVRXYmczVVZrWmtCR1VsTUkK1+6S5QMqOa4CiQu5PXRM4QaXh/Vi129l
+            4hTVPzC8RQXxyX09csXUQ/VEgiPJMeruqTIsT/waQlIlYhOQgN3hlw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-30T04:27:28Z"
+    mac: ENC[AES256_GCM,data:psMmpT0VUufD/qgAuVS1IzLhDmBhObZqeVLUZZhvTPsE6mRP1FJckXgf9+7j16pVO2V5PJMx/rgOieQLvs57vW5VOq0A+7j3BLLwjpuHqXuMwbl6hsviOX7TqN45L318QlSVdGHgPB8BKqtJ7Zirz0RYNug1582E4QPXqrX7rQ0=,iv:f9GKrvv5moW+oKrO7N/3o4aDMnkuwUrqrhrEicYpXP4=,tag:m5JDOY0Sn720t6EnJzKO6Q==,type:str]
+    encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_(GITHUB|GENERIC_OAUTH)_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.[a-z]+\.clientID|dex\.[a-z]+\.clientSecret|OIDC_CLIENT_(ID|SECRET))$
+    version: 3.12.2
diff --git a/workloads/grafana/grafana.yaml b/workloads/grafana/grafana.yaml
@@ -33,37 +33,39 @@ spec:
                     secretKeyRef:
                       name: grafana-admin-password
                       key: GF_SECURITY_ADMIN_PASSWORD
-                # GitHub OAuth
-                - name: GF_AUTH_GITHUB_ENABLED
+                # OIDC via ArgoCD's embedded Dex (Dex bridges to GitHub).
+                - name: GF_AUTH_GENERIC_OAUTH_ENABLED
                   value: "true"
-                - name: GF_AUTH_GITHUB_ALLOW_SIGN_UP
+                - name: GF_AUTH_GENERIC_OAUTH_NAME
+                  value: "GitHub"
+                - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
                   value: "true"
-                - name: GF_AUTH_GITHUB_AUTO_LOGIN
+                - name: GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN
                   value: "true"
                 - name: GF_AUTH_DISABLE_LOGIN_FORM
                   value: "true"
-                - name: GF_AUTH_GITHUB_CLIENT_ID
+                - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-github-oauth
-                      key: GF_AUTH_GITHUB_CLIENT_ID
-                - name: GF_AUTH_GITHUB_CLIENT_SECRET
+                      name: grafana-oidc
+                      key: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+                - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-github-oauth
-                      key: GF_AUTH_GITHUB_CLIENT_SECRET
-                - name: GF_AUTH_GITHUB_SCOPES
-                  value: "user:email,read:org"
-                - name: GF_AUTH_GITHUB_AUTH_URL
-                  value: "https://github.com/login/oauth/authorize"
-                - name: GF_AUTH_GITHUB_TOKEN_URL
-                  value: "https://github.com/login/oauth/access_token"
-                - name: GF_AUTH_GITHUB_API_URL
-                  value: "https://api.github.com/user"
-                - name: GF_AUTH_GITHUB_ALLOWED_ORGANIZATIONS
-                  value: "makeitworkcloud"
-                - name: GF_AUTH_GITHUB_ROLE_ATTRIBUTE_PATH
-                  value: "contains(groups[*], '@makeitworkcloud/admins') && 'Admin' || contains(groups[*], '@makeitworkcloud/developers') && 'Viewer' || 'Viewer'"
+                      name: grafana-oidc
+                      key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+                - name: GF_AUTH_GENERIC_OAUTH_SCOPES
+                  value: "openid profile email groups"
+                - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
+                  value: "https://argocd.makeitwork.cloud/api/dex/auth"
+                - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
+                  value: "https://argocd.makeitwork.cloud/api/dex/token"
+                - name: GF_AUTH_GENERIC_OAUTH_API_URL
+                  value: "https://argocd.makeitwork.cloud/api/dex/userinfo"
+                # Dex emits groups as `org:team` (from the GitHub connector's
+                # teamNameField: slug); map those to Grafana roles.
+                - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
+                  value: "contains(groups[*], 'makeitworkcloud:admins') && 'Admin' || contains(groups[*], 'makeitworkcloud:developers') && 'Viewer' || 'Viewer'"
   persistentVolumeClaim:
     spec:
       accessModes:
diff --git a/workloads/grafana/ksops-grafana-secrets.yaml b/workloads/grafana/ksops-grafana-secrets.yaml
@@ -8,6 +8,6 @@ metadata:
         path: ksops
 files:
   - grafana-admin-secret.yaml
-  - grafana-github-oauth-secret.yaml
+  - grafana-oidc-secret.yaml
   - tor-proxy-key-secret.yaml
   - status-tor-proxy-key-secret.yaml
