From ae26ec6a4229236a2dea069606d4d910a7400c33 Mon Sep 17 00:00:00 2001
From: Daniel Sy
Date: Wed, 13 Aug 2025 14:21:29 +0200
Subject: [PATCH] =?UTF-8?q?fix(auth):=20=F0=9F=94=92=EF=B8=8F=20Update=20O?= =?UTF-8?q?Auth=20client=20secret=20and=20configurations?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Update the OAuth client secret for Grafana and add new configurations for generic OAuth authentication. These changes enhance security and streamline the authentication process for Grafana by enabling OAuth with specific settings.
---
 .../stacks/core/dex/values.yaml | 2 +-
 .../grafana-operator/manifests/grafana.yaml | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/otc/observability.t09.de/stacks/core/dex/values.yaml b/otc/observability.t09.de/stacks/core/dex/values.yaml
index 435a7d6..d552b8a 100644
--- a/otc/observability.t09.de/stacks/core/dex/values.yaml
+++ b/otc/observability.t09.de/stacks/core/dex/values.yaml
@@ -68,4 +68,4 @@ config:
 redirectURIs:
 - "https://grafana.observability.t09.de/login/generic_oauth"
 name: "Grafana"
- secret: "{{`{{ .Env.OIDC_DEX_GRAFANA_CLIENT_SECRET }}`}}"
+ secret: "thisisasecret"
diff --git a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
index 0de9c4f..3815699 100644
--- a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
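Review bot: The added `secret: "thisisasecret"` line in dex/values.yaml commits the Grafana client's OAuth secret as a literal, guessable value, where the removed line read it from `OIDC_DEX_GRAFANA_CLIENT_SECRET` at render time. The grafana.yaml hunk adds the same literal as `client_secret` and leaves the `$__file{/etc/secrets/auth_generic_oauth/client_secret}` reference in a trailing comment. Anyone who can read the repository or its history can then authenticate to Dex as the `grafana` client. I would restore the removed env-templated line here and use `client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}` in the Grafana config. If the committed value was ever deployed, it should be treated as exposed and rotated; the enclosing `config:` mapping starts outside this hunk.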
@@ -39,3 +39,21 @@ spec:
 - hosts:
 - grafana.observability.t09.de
 secretName: grafana-net-tls
+ config:
+ auth:
+ disable_login: true
+ disable_login_form: true
+ auth.generic_oauth:
+ enabled: true
+ name: Forgejo
+ allow_sign_up: false
+ use_refresh_token: true
+ client_id: grafana
+ client_secret: "thisisasecret" # $__file{/etc/secrets/auth_generic_oauth/client_secret}
+ scopes: openid email profile offline_access roles
+ auth_url: https://dex.observability.t09.de/auth
+ token_url: https://dex.observability.t09.de/token
+ api_url: https://dex.observability.t09.de/userinfo
+ redirect_uri: https://grafana.observability.t09.de/login/generic_oauth
+ role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
+
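Review bot: `role_attribute_path` evaluates a `groups` claim, but the `scopes` line requests `roles` and not `groups`. If Dex only emits group membership when the `groups` scope is requested, the expression falls through to `'Viewer'` for every user and the Admin/Editor mapping never applies. I would change the line to `scopes: openid email profile offline_access groups` and confirm the claim is present in the userinfo response before relying on the mapping. Separately, the unquoted `true`/`false` values may be rejected if this operator version types `spec.config` values as strings; quoting them, e.g. `enabled: "true"`, avoids that. `spec` starts outside the hunk.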