eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/apps
History
Erich Blume 0cdc143227 Deploy Dex OIDC identity provider with Grafana SSO (#222) 
## Summary
- Deploys Dex OIDC identity provider on ringtail k3s cluster as central authentication service
- Integrates Grafana as first SSO client via `auth.generic_oauth`
- Uses Kubernetes CRD storage backend (no PVC needed)
- All secrets (bcrypt hash, client secrets) injected via ExternalSecrets from 1Password item "Dex (blumeops)"
- NixOS-built container image via `containers/dex/default.nix`

## Pre-requisites (manual, before deployment)
1. Create 1Password item "Dex (blumeops)" in `blumeops` vault with fields:
   - `password`: strong generated password for Dex login
   - `static-password-hash`: bcrypt hash of above (`htpasswd -BnC 10 eblume`, copy hash after `eblume:`)
   - `grafana-client-secret`: random 32-char hex (`openssl rand -hex 16`)
2. Build container: `mise run container-tag-and-release dex v1.0.0`

## Deployment sequence
1. Build container: `mise run container-tag-and-release dex v1.0.0`
2. Deploy Caddy: `mise run provision-indri -- --tags caddy`
3. Sync ArgoCD: `argocd app sync apps` → `argocd app sync dex`
4. Verify Dex: `curl https://dex.ops.eblu.me/.well-known/openid-configuration`
5. Sync Grafana: `argocd app sync grafana-config` → `argocd app sync grafana`
6. Test SSO: Visit `https://grafana.ops.eblu.me/login`, click "Sign in with Dex"

## Verification
- [ ] Container image exists: `mise run container-list` shows `dex:v1.0.0-nix`
- [ ] `curl https://dex.ops.eblu.me/.well-known/openid-configuration` returns valid OIDC discovery
- [ ] `curl https://dex.ops.eblu.me/healthz` returns healthy
- [ ] Grafana login shows "Sign in with Dex" button alongside local login
- [ ] OIDC flow: click Dex → enter credentials → redirect back → logged in as Admin
- [ ] Break-glass: local admin login still works
- [ ] `mise run services-check` passes

## Files changed
| File | Action | Purpose |
|------|--------|---------|
| `containers/dex/default.nix` | Create | NixOS container build |
| `argocd/apps/dex.yaml` | Create | ArgoCD app targeting ringtail |
| `argocd/manifests/dex/*` (8 files) | Create | K8s manifests (RBAC, ExternalSecret, Deployment, Service, Ingress) |
| `argocd/manifests/grafana-config/external-secret-dex-oauth.yaml` | Create | Grafana OIDC client secret |
| `argocd/manifests/grafana-config/kustomization.yaml` | Modify | Add new ExternalSecret resource |
| `argocd/manifests/grafana/values.yaml` | Modify | Add `auth.generic_oauth` config + envFromSecrets |
| `ansible/roles/caddy/defaults/main.yml` | Modify | Add `dex.ops.eblu.me` reverse proxy entry |
| `docs/changelog.d/feature-dex-oidc.feature.md` | Create | Changelog fragment |

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/222
2026-02-19 20:24:24 -08:00
..
1password-connect-ringtail.yaml Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209) 2026-02-18 21:15:30 -08:00
1password-connect.yaml Tier 1 version bumps (#186) 2026-02-13 17:16:37 -08:00
alloy-k8s.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
apps.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
argocd.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
blumeops-pg.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
cloudnative-pg.yaml Tier 1 version bumps (#186) 2026-02-13 17:16:37 -08:00
cv.yaml Add CV/resume web app at cv.ops.eblu.me (#169) 2026-02-12 11:09:41 -08:00
devpi.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
dex.yaml Deploy Dex OIDC identity provider with Grafana SSO (#222) 2026-02-19 20:24:24 -08:00
docs.yaml Phase 1b: Deploy docs hosting with Quartz (#85) 2026-02-03 10:52:20 -08:00
external-secrets-config-ringtail.yaml Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209) 2026-02-18 21:15:30 -08:00
external-secrets-config.yaml Add External Secrets Operator with 1Password Connect (#66) (#66) 2026-01-28 19:30:10 -08:00
external-secrets-crds-ringtail.yaml Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209) 2026-02-18 21:15:30 -08:00
external-secrets-crds.yaml Update External Secrets Helm chart 1.3.1 → 2.0.0 (#203) 2026-02-17 10:43:21 -08:00
external-secrets-ringtail.yaml Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209) 2026-02-18 21:15:30 -08:00
external-secrets.yaml Update External Secrets Helm chart 1.3.1 → 2.0.0 (#203) 2026-02-17 10:43:21 -08:00
forgejo-runner.yaml Migrate Forgejo runner to Kubernetes with DinD (#60) 2026-01-25 19:56:17 -08:00
frigate.yaml Port Frigate NVR to ringtail k3s with GPU acceleration (#217) 2026-02-19 14:27:04 -08:00
grafana-config.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
grafana.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
homepage.yaml Replace Homepage Helm chart with kustomize manifests and custom Dockerfile (#221) 2026-02-19 18:29:19 -08:00
immich-storage.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
immich.yaml Fix ArgoCD sync drift for apps and immich (#71) 2026-01-29 10:24:26 -08:00
kiwix.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
kube-state-metrics.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
loki.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
miniflux.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
mqtt.yaml Port Mosquitto and ntfy to ringtail k3s, retire Apple Silicon Detector (#216) 2026-02-19 11:22:44 -08:00
navidrome.yaml Add Navidrome music streaming server (#79) 2026-01-31 20:19:31 -08:00
ntfy.yaml Port Mosquitto and ntfy to ringtail k3s, retire Apple Silicon Detector (#216) 2026-02-19 11:22:44 -08:00
nvidia-device-plugin.yaml Port Frigate NVR to ringtail k3s with GPU acceleration (#217) 2026-02-19 14:27:04 -08:00
prometheus.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
tailscale-operator-ringtail.yaml Deploy Tailscale operator on ringtail k3s cluster (#215) 2026-02-19 09:33:05 -08:00
tailscale-operator.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
teslamate.yaml Doc review: connect-to-postgres, create-release-artifact-workflow, deploy-k8s-service (#191) 2026-02-15 07:42:01 -08:00
torrent.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00