
feat(grafana): consolidate OIDC behind ArgoCD's Dex #23

Merged
xnoto merged 1 commit into main from feat/grafana-via-dex on Apr 30, 2026

Conversation

xnoto (Contributor) commented Apr 30, 2026

Summary

Move Grafana off its built-in GitHub OAuth onto ArgoCD's embedded Dex, matching Headlamp's pattern. One Dex, one GitHub OAuth app, one team→role mapping in one place. Drops a separately-registered GitHub OAuth App (clientID `Ov23liI2Cr1ur3xnZdlj`) — that one can be removed from github.com/organizations/makeitworkcloud/settings/applications/ at your convenience.

Changes

  • `bootstrap/argocd-config.yaml` — register `grafana` as a Dex static client. `redirectURIs: [https://grafana.makeitwork.cloud/login/generic_oauth]`.
  • `bootstrap/secrets/github-oauth-secret.yaml` — add sops-encrypted `dex.grafana.clientSecret` to argocd-secret.
  • `workloads/grafana/grafana.yaml` — replace the `GF_AUTH_GITHUB_` env block with `GF_AUTH_GENERIC_OAUTH_` pointing at `https://argocd.makeitwork.cloud/api/dex/{auth,token,userinfo}`. Update `ROLE_ATTRIBUTE_PATH` to match Dex's `makeitworkcloud:admins` group format (was GitHub's `@makeitworkcloud/admins`).
  • `workloads/grafana/grafana-oidc-secret.yaml` — new Secret `grafana-oidc` (sops-encrypted) with the matching `GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana` + `CLIENT_SECRET`. Old `grafana-github-oauth-secret.yaml` deleted; `ksops-grafana-secrets.yaml` updated.
  • `.sops.yaml` — generalize the regex from `GF_AUTH_GITHUB_CLIENT_SECRET` to `GF_AUTH_(GITHUB|GENERIC_OAUTH)_CLIENT_SECRET`.

Test plan

  • After merge: `kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.dex\.config}'` shows the new `grafana` static client
  • After merge: `kubectl -n grafana get secret grafana-oidc` populated with both keys
  • After merge: visiting `https://grafana.makeitwork.cloud` redirects to ArgoCD's GitHub-OAuth-via-Dex flow and lands on the dashboard with Admin / Viewer role per team membership
  • After merge: revoke the standalone "Grafana" GitHub OAuth App at github.com/organizations/makeitworkcloud/settings/applications/

🤖 Generated with Claude Code
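As an added example (not code from this PR or the repository), the following stdlib-only Python script checks the wiring the description lists before anyone clicks through the login flow: the Dex `redirectURIs` entry must equal `GF_SERVER_ROOT_URL` + `/login/generic_oauth` exactly (Dex does exact matching, so a trailing slash or `http://` fails silently at the redirect step), all three `GF_AUTH_GENERIC_OAUTH_*_URL`s must sit under the same issuer, the group literal in `ROLE_ATTRIBUTE_PATH` must be in Dex's `org:team` form rather than Grafana's native `@org/team`, and the `.sops.yaml` `encrypted_regex` must actually match the new secret key or it gets committed in plaintext. The static-client entry, the Grafana env block, the userinfo payloads and the role expression are constructed from the PR text; the `$dex.grafana.clientSecret` reference syntax and the exact expression shape are assumptions about the real files.

```python
"""Consistency checks for the Grafana-behind-Dex wiring described in this PR.

Added example, not code from the PR or the repository. The values below are
constructed from the PR description; the exact role expression, the
`$dex.grafana.clientSecret` reference syntax and the Grafana env block are
assumptions about what the real files contain.
"""
import re
from urllib.parse import urlparse

DEX_ISSUER = "https://argocd.makeitwork.cloud/api/dex"

# Constructed: the staticClients entry the PR adds to argocd-cm's dex.config.
# ArgoCD resolves `$<key>` against argocd-secret, so the client secret never
# lands in the ConfigMap (assumption about the reference syntax).
DEX_STATIC_CLIENTS = [
    {"id": "grafana", "name": "Grafana",
     "redirectURIs": ["https://grafana.makeitwork.cloud/login/generic_oauth"],
     "secret": "$dex.grafana.clientSecret"},
]

# Constructed: the GF_AUTH_GENERIC_OAUTH_ env block (CLIENT_SECRET comes from
# the grafana-oidc Secret and is deliberately absent here).
GRAFANA_ENV = {
    "GF_SERVER_ROOT_URL": "https://grafana.makeitwork.cloud",
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID": "grafana",
    "GF_AUTH_GENERIC_OAUTH_SCOPES": "openid profile email groups",
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL": DEX_ISSUER + "/auth",
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL": DEX_ISSUER + "/token",
    "GF_AUTH_GENERIC_OAUTH_API_URL": DEX_ISSUER + "/userinfo",
    "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH":
        "contains(groups[*], 'makeitworkcloud:admins') && 'Admin' || 'Viewer'",
}
# The pre-PR expression, still using Grafana's native GitHub `@org/team` form.
STALE_ENV = dict(GRAFANA_ENV, GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=
    "contains(groups[*], '@makeitworkcloud/admins') && 'Admin' || 'Viewer'")

# Constructed: what Dex's GitHub connector returns from /userinfo for two users.
ADMIN_USER = {"email": "admin@example.invalid",
              "groups": ["makeitworkcloud:admins", "makeitworkcloud:sre"]}
PLAIN_USER = {"email": "dev@example.invalid", "groups": ["makeitworkcloud:sre"]}

OLD_SOPS_REGEX = r"GF_AUTH_GITHUB_CLIENT_SECRET"
NEW_SOPS_REGEX = r"GF_AUTH_(GITHUB|GENERIC_OAUTH)_CLIENT_SECRET"
SECRET_KEYS = ["GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"]

GRAFANA_ROLES = {"None", "Viewer", "Editor", "Admin", "GrafanaAdmin"}
# The one JMESPath shape Grafana documents for group-based role mapping.
ROLE_EXPR = re.compile(
    r"^contains\(groups\[\*\],\s*'([^']+)'\)\s*&&\s*'([^']+)'\s*\|\|\s*'([^']+)'$")


def check_redirect_uri(env, clients):
    """Dex matches redirect URIs exactly; derive the one Grafana will send."""
    client_id = env["GF_AUTH_GENERIC_OAUTH_CLIENT_ID"]
    client = next((c for c in clients if c["id"] == client_id), None)
    if client is None:
        return [f"no Dex static client with id {client_id!r}"]
    findings = []
    expected = env["GF_SERVER_ROOT_URL"].rstrip("/") + "/login/generic_oauth"
    if expected not in client["redirectURIs"]:
        findings.append(f"redirectURIs {client['redirectURIs']} lack {expected}")
    findings += [f"non-https redirect URI {u}" for u in client["redirectURIs"]
                 if urlparse(u).scheme != "https"]
    if not str(client.get("secret", "")).startswith("$"):
        findings.append("client secret inlined in dex.config, not referenced from argocd-secret")
    return findings


def check_endpoints(env, issuer):
    """auth/token/userinfo must all sit under one issuer, otherwise Grafana
    would hand the code or token from one IdP to another."""
    return [f"{k} is not under {issuer}" for k in ("AUTH_URL", "TOKEN_URL", "API_URL")
            if not env[f"GF_AUTH_GENERIC_OAUTH_{k}"].startswith(issuer + "/")]


def parse_role_expr(env):
    m = ROLE_EXPR.match(env["GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH"])
    if not m:
        raise ValueError("role expression is not in the contains(...) && R || F shape")
    group, role, fallback = m.groups()
    if not {role, fallback} <= GRAFANA_ROLES:
        raise ValueError(f"unknown Grafana role in {role!r}/{fallback!r}")
    return group, role, fallback


def grafana_role(env, userinfo):
    """Role Grafana assigns for this userinfo under the configured expression."""
    group, role, fallback = parse_role_expr(env)
    return role if group in userinfo.get("groups", []) else fallback


def check_group_format(env):
    """Dex's GitHub connector emits `org:team`; a leftover `@org/team` literal
    silently demotes every admin to the fallback role."""
    group = parse_role_expr(env)[0]
    return [] if re.fullmatch(r"[\w-]+:[\w.-]+", group) else [
        f"group literal {group!r} is not in Dex's org:team form"]


def check_sops_regex(encrypted_regex, keys):
    """Keys not matched by sops' encrypted_regex are committed in plaintext."""
    pat = re.compile(encrypted_regex)  # sops applies it as an unanchored search
    return [k for k in keys if not pat.search(k)]


def run_all(env=GRAFANA_ENV, clients=DEX_STATIC_CLIENTS, sops_regex=NEW_SOPS_REGEX):
    return (check_redirect_uri(env, clients) + check_endpoints(env, DEX_ISSUER)
            + check_group_format(env)
            + [f"plaintext secret key {k}" for k in check_sops_regex(sops_regex, SECRET_KEYS)])


if __name__ == "__main__":
    for name, env in (("merged", GRAFANA_ENV), ("pre-PR expression", STALE_ENV)):
        print(name, run_all(env) or "OK", "admin ->", grafana_role(env, ADMIN_USER))
```

Running it prints `OK` and `Admin` for the merged config, while the stale `@makeitworkcloud/admins` literal produces a finding and maps the admin user to `Viewer`, which is the failure mode the "Admin / Viewer role per team membership" test-plan step would otherwise only catch by logging in as an admin. Loading the real YAML is left out to keep the script dependency-free; a CI hook would feed it the parsed `dex.config` and the Grafana env instead of the constructed dicts.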

Replace Grafana's built-in GitHub OAuth (GF_AUTH_GITHUB_*) with the
generic OIDC client (GF_AUTH_GENERIC_OAUTH_*) pointing at
https://argocd.makeitwork.cloud/api/dex. Same pattern Headlamp uses —
one Dex, one GitHub OAuth app, one team→role mapping path.

bootstrap/argocd-config.yaml — register `grafana` as a Dex static
client with redirectURI https://grafana.makeitwork.cloud/login/generic_oauth.

bootstrap/secrets/github-oauth-secret.yaml — add encrypted
dex.grafana.clientSecret to argocd-secret.

workloads/grafana/grafana.yaml — swap the GitHub OAuth env block for
GF_AUTH_GENERIC_OAUTH_* against Dex's auth/token/userinfo URLs. Update
ROLE_ATTRIBUTE_PATH to match Dex's `org:team` group format (was the
GitHub-API-shaped `@org/team`).

workloads/grafana/grafana-oidc-secret.yaml — new sops-encrypted Secret
named `grafana-oidc` with GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana and
the matching CLIENT_SECRET. Replaces the old `grafana-github-oauth`
Secret which is deleted.

.sops.yaml — extend encrypted_regex to also cover
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
@xnoto xnoto self-assigned this Apr 30, 2026
@xnoto xnoto merged commit f7297c9 into main Apr 30, 2026
2 checks passed
@xnoto xnoto deleted the feat/grafana-via-dex branch April 30, 2026 04:28