fix(auth): 🔒️ Update OAuth client secret and configurations

Update the OAuth client secret for Grafana and add new configurations for generic OAuth authentication. These changes enhance security and streamline the authentication process for Grafana by enabling OAuth with specific settings.
2025-08-13 14:21:29 +02:00 · 2025-08-13 14:21:29 +02:00 · ae26ec6a42
commit ae26ec6a42
parent d40a6fb850
2 changed files with 19 additions and 1 deletions
--- a/otc/observability.t09.de/stacks/core/dex/values.yaml
+++ b/otc/observability.t09.de/stacks/core/dex/values.yaml
@ -68,4 +68,4 @@ config:
      redirectURIs:
        - "https://grafana.observability.t09.de/login/generic_oauth"
      name: "Grafana"
-      secret: "{{`{{ .Env.OIDC_DEX_GRAFANA_CLIENT_SECRET }}`}}"
+      secret: "thisisasecret"
--- a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
@ -39,3 +39,21 @@ spec:
      - hosts:
        - grafana.observability.t09.de
        secretName: grafana-net-tls
+  config:
+    auth:
+      disable_login: true
+      disable_login_form: true
+    auth.generic_oauth:
+      enabled: true
+      name: Forgejo
+      allow_sign_up: false
+      use_refresh_token: true
+      client_id: grafana
+      client_secret: "thisisasecret" # $__file{/etc/secrets/auth_generic_oauth/client_secret}
+      scopes: openid email profile offline_access roles
+      auth_url: https://dex.observability.t09.de/auth
+      token_url: https://dex.observability.t09.de/token
+      api_url: https://dex.observability.t09.de/userinfo
+      redirect_uri: https://grafana.observability.t09.de/login/generic_oauth
+      role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
+