Switch Dex from static passwords to Forgejo OAuth2 connector

Users authenticate via Forgejo at forge.ops.eblu.me instead of a hardcoded password list. This makes user management scale through Forgejo's existing account system and enables future collaborator onboarding via Forgejo accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 19:35:26 -08:00 · 2026-02-19 19:35:26 -08:00 · fe1c92f702
commit fe1c92f702
parent 8765ee8706
1 changed files with 15 additions and 8 deletions
--- a/argocd/manifests/dex/external-secret.yaml
+++ b/argocd/manifests/dex/external-secret.yaml
@ -24,12 +24,15 @@ spec:
            http: 0.0.0.0:5556
          oauth2:
            skipApprovalScreen: true
-          enablePasswordDB: true
-          staticPasswords:
-            - email: "blume.erich@gmail.com"
-              hash: "{{ .staticPasswordHash }}"
-              username: "eblume"
-              userID: "eblume-001"
+          connectors:
+            - type: gitea
+              id: forgejo
+              name: Forgejo
+              config:
+                baseURL: https://forge.ops.eblu.me
+                clientID: "{{ .forgejoClientID }}"
+                clientSecret: "{{ .forgejoClientSecret }}"
+                redirectURI: https://dex.ops.eblu.me/callback
          staticClients:
            - id: grafana
              name: Grafana
@ -38,10 +41,14 @@ spec:
                - "https://grafana.ops.eblu.me/login/generic_oauth"
                - "https://grafana.tail8d86e.ts.net/login/generic_oauth"
  data:
-    - secretKey: staticPasswordHash
+    - secretKey: forgejoClientID
      remoteRef:
        key: "Dex (blumeops)"
-        property: static-password-hash
+        property: forgejo-client-id
+    - secretKey: forgejoClientSecret
+      remoteRef:
+        key: "Dex (blumeops)"
+        property: forgejo-client-secret
    - secretKey: grafanaClientSecret
      remoteRef:
        key: "Dex (blumeops)"