feat(argocd-dex): add headlamp as a static OIDC client #12

Merged
xnoto merged 1 commit into main from feat/headlamp-dex-client on Apr 30, 2026
Conversation

@xnoto xnoto commented Apr 30, 2026

Summary

Register Headlamp as a Dex static client in the ArgoCD CR's `dex.config`. Reuses the existing GitHub OAuth flow that ArgoCD already runs, so we don't need a second Dex install or a second GitHub OAuth app — Dex bridges GitHub OAuth → OIDC, Headlamp consumes the OIDC.

Same wiring will land for Grafana in a small follow-up PR (replacing its built-in `GF_AUTH_GITHUB_` with `GF_AUTH_GENERIC_OAUTH_` pointing at the same Dex), per the consolidation we agreed on.

Changes

  • `bootstrap/argocd-config.yaml` — add a `staticClients` block under `dex.config` registering `id: headlamp`, `name: Headlamp`, `redirectURIs: [https://headlamp.makeitwork.cloud/oidc-callback]`. Secret pulled via `$dex.headlamp.clientSecret` from `argocd-secret`.
  • `bootstrap/secrets/github-oauth-secret.yaml` — add `dex.headlamp.clientSecret` (sops-encrypted via the existing AGE key).
  • `.sops.yaml` — generalize the encrypted_regex from `dex\.github\.client(ID|Secret)` to `dex\.[a-z]+\.client(ID|Secret)` so any future Dex static clients pick up encryption automatically.

Test plan

  • `kustomize build bootstrap/secrets` decrypts the new field cleanly via sops/KSOPS
  • After merge: `kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.dex\.config}'` shows the staticClients block
  • After Headlamp install lands (next PR): GitHub OAuth → ArgoCD Dex → Headlamp callback succeeds and lands on the dashboard with a cluster-scoped session

Pairs with

🤖 Generated with Claude Code

Register Headlamp as a Dex static client in the ArgoCD CR's dex.config so
the existing GitHub OAuth flow can be reused for the upcoming Headlamp
dashboard install — same pattern Grafana will move to next.

Adds the client secret to argocd-secret as `dex.headlamp.clientSecret`
(sops-encrypted via the existing AGE key). Generalizes the .sops.yaml
encrypted_regex from `dex.github.client*` to `dex.<name>.client*` so any
future Dex static clients pick up encryption automatically.
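As an added example (not code from this repository), a small Python check of the two properties this PR relies on: every `$key` reference in `dex.config` exists in `argocd-secret`, and every such secret key matches the `.sops.yaml` `encrypted_regex` so it is never committed in plaintext. The `dex.config` text and the secret key set are constructed samples; sops applies `encrypted_regex` as an unanchored match, which is mirrored here with `re.search`.

```python
import re

# Constructed sample of the ArgoCD CR's dex.config after this PR (not the repository's file):
# the GitHub connector plus the new Headlamp static client, both pulling values from argocd-secret.
DEX_CONFIG = """
connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $dex.github.clientID
      clientSecret: $dex.github.clientSecret
staticClients:
  - id: headlamp
    name: Headlamp
    secret: $dex.headlamp.clientSecret
    redirectURIs:
      - https://headlamp.makeitwork.cloud/oidc-callback
"""

# Constructed data keys of argocd-secret as they appear in the sops-managed manifest.
SECRET_KEYS = {"dex.github.clientID", "dex.github.clientSecret", "dex.headlamp.clientSecret"}

# The .sops.yaml encrypted_regex before and after this PR.
OLD_REGEX = r"dex\.github\.client(ID|Secret)"
NEW_REGEX = r"dex\.[a-z]+\.client(ID|Secret)"


def dex_secret_refs(config):
    """Keys of argocd-secret referenced from dex.config with the $key syntax."""
    return set(re.findall(r"\$([A-Za-z0-9_.-]+)", config))


def audit(config, secret_keys, encrypted_regex):
    """Return (missing, plaintext):
    missing   - keys dex.config references that argocd-secret does not carry (Dex login breaks);
    plaintext - secret keys the sops encrypted_regex does not match, so they would be
                committed unencrypted (sops matches the regex anywhere in the key, hence search()).
    """
    pattern = re.compile(encrypted_regex)
    missing = sorted(dex_secret_refs(config) - set(secret_keys))
    plaintext = sorted(k for k in secret_keys if not pattern.search(k))
    return missing, plaintext


if __name__ == "__main__":
    for label, rx in (("old regex", OLD_REGEX), ("new regex", NEW_REGEX)):
        print(label, audit(DEX_CONFIG, SECRET_KEYS, rx))
```

With the old regex the new `dex.headlamp.clientSecret` key is reported as plaintext; with the generalized regex both lists are empty.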
@xnoto xnoto merged commit 5e6a89f into main Apr 30, 2026
2 checks passed
@xnoto xnoto deleted the feat/headlamp-dex-client branch April 30, 2026 03:21
xnoto added a commit that referenced this pull request Apr 30, 2026
## Summary

Install Headlamp as a Helm-based ArgoCD Application, fronted by the
cluster-apps Cloudflare Tunnel at `https://headlamp.makeitwork.cloud`,
with login flowing through ArgoCD's embedded Dex (which bridges to
GitHub OAuth — same path Grafana will move to next).

### `operators/headlamp/`

- **`namespace.yaml`** — headlamp ns.
- **`oidc-secret.yaml`** — Secret named `oidc` in headlamp ns,
sops-encrypted. Consumed by the upstream chart with
`config.oidc.secret.create=false, name=oidc`. `clientSecret` matches
the value in `argocd-secret.dex.headlamp.clientSecret` from the merged
Dex static-client PR.
- **`ksops-headlamp-secrets.yaml`** — pulls the secret in via KSOps.
- **`application.yaml`** — ArgoCD Helm Application installing chart
v0.41.0 from `https://kubernetes-sigs.github.io/headlamp/`.
Cluster-admin RBAC (single-user home cluster), modest resource limits.
- **`kustomization.yaml`** + add `headlamp` to
`operators/kustomization.yaml`.

### `workloads/headlamp/`

- **`tunnel-binding.yaml`** — TunnelBinding fronts headlamp Service on
`headlamp.makeitwork.cloud` via the existing cluster-apps tunnel.

### `workloads/apps/`

- **`headlamp-app.yaml`** + add to
`workloads/apps/kustomization.yaml` — ArgoCD Application that syncs
the workload manifests.

## Pairs with

- tfroot-cloudflare #6 (merged) — CNAME for headlamp.makeitwork.cloud.
- kustomize-cluster #12 (merged) — Headlamp registered as a Dex static
client.

## Test plan

- [x] After merge: `kube-prometheus-stack` operators app +
`headlamp` operators app reach Synced + Healthy
- [x] After merge: headlamp-app workloads app reaches Synced + Healthy
- [x] After merge: `https://headlamp.makeitwork.cloud` redirects to
ArgoCD's Dex GitHub login, then back to a working dashboard with
cluster-admin scope

🤖 Generated with [Claude Code](https://claude.com/claude-code)