From fe1c92f7023782f4507f15f03f0acfe28985dfe4 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Thu, 19 Feb 2026 19:35:26 -0800 Subject: [PATCH] Switch Dex from static passwords to Forgejo OAuth2 connector Users authenticate via Forgejo at forge.ops.eblu.me instead of a hardcoded password list. This makes user management scale through Forgejo's existing account system and enables future collaborator onboarding via Forgejo accounts. Co-Authored-By: Claude Opus 4.6
---
 argocd/manifests/dex/external-secret.yaml | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/argocd/manifests/dex/external-secret.yaml b/argocd/manifests/dex/external-secret.yaml
index 432e9d3..e654e77 100644
--- a/argocd/manifests/dex/external-secret.yaml
+++ b/argocd/manifests/dex/external-secret.yaml
@@ -24,12 +24,15 @@ spec:
 http: 0.0.0.0:5556
 oauth2:
 skipApprovalScreen: true
- enablePasswordDB: true
- staticPasswords:
- - email: "blume.erich@gmail.com"
- hash: "{{ .staticPasswordHash }}"
- username: "eblume"
- userID: "eblume-001"
+ connectors:
+ - type: gitea
+ id: forgejo
+ name: Forgejo
+ config:
+ baseURL: https://forge.ops.eblu.me
+ clientID: "{{ .forgejoClientID }}"
+ clientSecret: "{{ .forgejoClientSecret }}"
+ redirectURI: https://dex.ops.eblu.me/callback
 staticClients:
 - id: grafana
 name: Grafana
@@ -38,10 +41,14 @@ spec:
 - "https://grafana.ops.eblu.me/login/generic_oauth"
 - "https://grafana.tail8d86e.ts.net/login/generic_oauth"
 data:
- - secretKey: staticPasswordHash
+ - secretKey: forgejoClientID
 remoteRef:
 key: "Dex (blumeops)"
- property: static-password-hash
+ property: forgejo-client-id
+ - secretKey: forgejoClientSecret
+ remoteRef:
+ key: "Dex (blumeops)"
+ property: forgejo-client-secret
 - secretKey: grafanaClientSecret
 remoteRef:
 key: "Dex (blumeops)"
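Review bot: The new `connectors` entry in the first hunk (`type: gitea`, `id: forgejo`) has no `orgs` restriction under `config`, so as written any account able to sign in at forge.ops.eblu.me can complete a Dex login, whereas the removed `staticPasswords` list admitted exactly one user. How much this widens access depends on Forgejo's registration settings and on how the Grafana static client provisions and authorizes users, neither of which is visible in this patch. If logins should stay limited to known collaborators, add an allow-list to the connector config, for example `orgs:` followed by `- name: <ORG_NAME_PLACEHOLDER>`, and put a one-line comment above `connectors:` stating who is expected to be able to log in. The enclosing `spec` template begins and ends outside the hunk, so any restriction applied elsewhere in the file is not visible here.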