feat(infra): Grafana Google SSO #327

Merged
xDarksome merged 3 commits into main from feat/grafana-google-sso
Feb 6, 2026

Conversation

@xDarksome (Member)

Description

Enables Google SSO for both testnet and mainnet Grafanas

How Has This Been Tested?

Manually

Due Diligence

  • Breaking change
  • Requires a documentation update
  • Requires an e2e/integration test update

Copilot AI review requested due to automatic review settings February 6, 2026 15:16
claude bot commented Feb 6, 2026

Claude finished @xDarksome's task in 56s

Code Review Complete

Reviewed PR #327: Grafana Google SSO implementation

Issues Found

Issue 1: External Domain URLs Detected (Non-blocking)

🔒 External Domain URL Detected (Non-blocking)
URLs:

  • https://accounts.google.com/o/oauth2/v2/auth
  • https://oauth2.googleapis.com/token
  • https://openidconnect.googleapis.com/v1/userinfo

File: infra/modules/node-operator/main.tf:385-387

This change introduces URLs pointing to Google OAuth endpoints. While these are necessary for Google SSO functionality, verify that:

  1. These external dependencies are intentional and approved
  2. There are no security, privacy, or compliance implications for your infrastructure
  3. Network policies allow outbound connections to Google OAuth services

Issue 2: OAuth Client ID Stored Unencrypted

File: infra/mainnet/sops/eu.wallet-connect.json:12
File: infra/testnet/sops/wallet-connect.json:12

OAuth client IDs are marked as _unencrypted and stored in plaintext:

"grafana_oauth_client_id_unencrypted": "476524165225-5iqrtgnqgdbbc39hnnqq71tqbvcn2k6e.apps.googleusercontent.com"

While client IDs are not considered highly sensitive secrets, best practice is to encrypt them in SOPS files for defense-in-depth. Consider:

  1. Encrypting the OAuth client ID like other secrets
  2. If keeping unencrypted is intentional, document why in code comments or security docs

Issue 3: Missing Role-Based Access Control Configuration

File: infra/modules/node-operator/main.tf:381-389

Google SSO is enabled with GF_AUTH_GOOGLE_ALLOW_SIGN_UP = "true", but no role mapping or default role assignment is configured. This means:

  • Any user from walletconnect.com or reown.com domains can sign up
  • All new users get Grafana's default role (typically Viewer)
  • No mechanism to grant admin/editor permissions automatically

Consider adding:

GF_AUTH_GOOGLE_ROLE_ATTRIBUTE_PATH = "contains(email, '@walletconnect.com') && 'Admin' || 'Viewer'"

Or configure explicit role mapping based on your access requirements.

Issue 4: No Sign-Up Restrictions Beyond Domain

File: infra/modules/node-operator/main.tf:381-389

GF_AUTH_GOOGLE_ALLOWED_DOMAINS restricts to company domains, but there's no additional user validation. Consider if you need:

  • Specific email whitelist/group membership via Google Workspace
  • GF_AUTH_GOOGLE_ALLOWED_GROUPS for finer-grained access control
  • Integration with existing identity/access management policies

Summary

Google SSO implementation is functional but has security considerations around access control and secret management. The external Google OAuth endpoints are expected and required for this feature.

Recommended actions:

  1. Review and confirm OAuth client ID storage approach
  2. Add role-based access control configuration
  3. Consider additional sign-up restrictions if needed
  4. Verify network policies allow Google OAuth endpoints
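The review above raises four configuration findings (unencrypted client ID in SOPS, sign-up enabled without a role mapping, no group restriction beyond the allowed domains, and PKCE). The following is an added example, not code from this repository or from the bot, of a small pre-merge lint that turns those findings into checks over a GF_AUTH_GOOGLE_* environment map and a SOPS JSON document. The variable names follow the Grafana Google OAuth settings (ENABLED, CLIENT_ID, CLIENT_SECRET, ALLOW_SIGN_UP, ALLOWED_DOMAINS, ALLOWED_GROUPS, ROLE_ATTRIBUTE_PATH, USE_PKCE); the sample environments, the client ID/secret placeholders, and the group address used in the hardened variant are constructed for illustration and are not values from the PR.

```python
"""Lint Grafana Google-OAuth settings and SOPS files for the review findings above.

Added example (not the repository's own code). Env var names follow Grafana's
GF_AUTH_GOOGLE_* settings; all sample values below are constructed placeholders.
"""
from __future__ import annotations

import re


def _truthy(value: str | None) -> bool:
    """Grafana accepts the usual boolean spellings in environment variables."""
    return (value or "").strip().lower() in {"1", "true", "yes", "on"}


def audit_google_auth(env: dict[str, str]) -> list[str]:
    """Return human-readable findings for a GF_AUTH_GOOGLE_* environment map.

    Mirrors the review points: missing credentials, an empty domain allowlist,
    open sign-up without a role mapping or group restriction, and PKCE left off.
    """
    findings: list[str] = []

    def setting(key: str) -> str | None:
        return env.get(f"GF_AUTH_GOOGLE_{key}")

    if not _truthy(setting("ENABLED")):
        return findings  # Google auth is off; nothing to audit

    if not setting("CLIENT_ID") or not setting("CLIENT_SECRET"):
        findings.append("CLIENT_ID or CLIENT_SECRET missing")

    # Grafana lists allowed_domains space-separated; tolerate commas as well.
    domains = [d for d in re.split(r"[\s,]+", setting("ALLOWED_DOMAINS") or "") if d]
    if not domains:
        findings.append("ALLOWED_DOMAINS empty: any Google account could sign in")

    if _truthy(setting("ALLOW_SIGN_UP")):
        if not setting("ROLE_ATTRIBUTE_PATH"):
            findings.append(
                "ALLOW_SIGN_UP=true without ROLE_ATTRIBUTE_PATH: "
                "new users receive the default org role"
            )
        if not setting("ALLOWED_GROUPS"):
            findings.append(
                "ALLOW_SIGN_UP=true without ALLOWED_GROUPS: "
                "every account in the allowed domains can self-register"
            )

    if not _truthy(setting("USE_PKCE")):
        findings.append("USE_PKCE not enabled")

    return findings


def plaintext_secret_keys(sops_doc: dict) -> list[str]:
    """Keys in a SOPS document that opt out of encryption via the _unencrypted suffix."""
    return sorted(k for k in sops_doc if k != "sops" and k.endswith("_unencrypted"))


# Constructed approximation of the PR's settings as described in the review:
# sign-up on, domain allowlist set, PKCE on, but no role mapping or group filter.
PR_ENV = {
    "GF_AUTH_GOOGLE_ENABLED": "true",
    "GF_AUTH_GOOGLE_CLIENT_ID": "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com",
    "GF_AUTH_GOOGLE_CLIENT_SECRET": "PLACEHOLDER_SECRET",
    "GF_AUTH_GOOGLE_ALLOW_SIGN_UP": "true",
    "GF_AUTH_GOOGLE_ALLOWED_DOMAINS": "walletconnect.com reown.com",
    "GF_AUTH_GOOGLE_USE_PKCE": "true",
}

# Hardened variant: the review's role mapping plus a (hypothetical) Workspace group.
HARDENED_ENV = {
    **PR_ENV,
    "GF_AUTH_GOOGLE_ROLE_ATTRIBUTE_PATH": "contains(email, '@walletconnect.com') && 'Admin' || 'Viewer'",
    "GF_AUTH_GOOGLE_ALLOWED_GROUPS": "grafana-users@example.com",  # hypothetical group
}

# Constructed SOPS document shape: one plaintext key, one encrypted key, sops metadata.
SOPS_DOC = {
    "grafana_oauth_client_id_unencrypted": "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com",
    "grafana_oauth_client_secret": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]",
    "sops": {"version": "3.x"},
}

if __name__ == "__main__":
    for name, env in (("PR", PR_ENV), ("hardened", HARDENED_ENV)):
        print(f"{name}: {audit_google_auth(env) or 'no findings'}")
    print("plaintext SOPS keys:", plaintext_secret_keys(SOPS_DOC))
```

Run against the PR-shaped environment the lint reports the two access-control gaps and nothing else; the hardened map is clean. The SOPS check only lists keys that opted out of encryption, which is the point worth a decision in review: either encrypt the client ID like the other values or record why it is left in the clear.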

Copilot AI (Contributor) left a comment


Pull request overview

This pull request enables Google OAuth SSO authentication for Grafana instances in both testnet and mainnet environments. The change adds OAuth configuration to allow users from walletconnect.com and reown.com domains to sign in using their Google accounts, while maintaining the existing admin user authentication method.

Changes:

  • Added Google OAuth credentials and configuration to SOPS files for testnet and mainnet
  • Configured Grafana with Google OAuth environment variables including client ID, allowed domains, and PKCE support
  • Updated secret module to include the new OAuth client secret

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File | Description
infra/testnet/sops/wallet-connect.json | Added OAuth client credentials and allowed domains for testnet Grafana
infra/mainnet/sops/eu.wallet-connect.json | Added OAuth client credentials and allowed domains for mainnet Grafana
infra/modules/node-operator/main.tf | Configured Grafana with Google OAuth environment variables and added oauth_client_secret to secret module


@xDarksome xDarksome requested a review from mario-reown February 6, 2026 15:46
@xDarksome xDarksome merged commit 6564f13 into main Feb 6, 2026
13 checks passed
@xDarksome xDarksome deleted the feat/grafana-google-sso branch February 6, 2026 15:53
