Add infra-* teams for Dex SSO group mapping#49

Merged
BigLep merged 2 commits into FilOzone:master from SgtPooki:sgtpooki/add-infra-sso-teams on Jun 22, 2026

Conversation

@SgtPooki SgtPooki commented Jun 19, 2026

Contributor

What changed

Adds the infra-* GitHub teams that FilOzone/infra's Dex SSO maps into OIDC groups for Argo CD, Grafana, and k8s RBAC. github-mgmt stays the source of truth for who's in each group; infra just consumes the team membership. Background: docs/SSO_ACCESS.md.

| team | OIDC group |
|---|---|
| infra-admin | infra:admin |
| infra-viewer | infra:viewer |
| infra-argocd-admin / infra-argocd-viewer | argocd:admin / argocd:viewer |
| infra-grafana-admin / infra-grafana-viewer | grafana:admin / grafana:viewer |
| infra-dealbot-admin / infra-dealbot-viewer | k8s:dealbot:admin / k8s:dealbot:viewer |

Membership: infra-admin gets the initial operator set (BigLep, jennijuju, Kubuxu, momack2, rjan90, rvagg, SgtPooki). Every other team is seeded with Kubuxu + SgtPooki and grows as access requests come in.

Notes

These are membership-only teams — no repo access, they exist to drive OIDC group emission. This is phase 1; the Dex deploy and downstream RBAC wiring live in infra PRs #112 (prep) and #113 (rollout). infra-viewer exists, but its cluster-wide k8s read binding is still deferred in infra, so broad "view everything" isn't functional yet — only app-scoped viewers like infra-dealbot-viewer are wired today.

@github-actions

Contributor

The following access changes will be introduced as a result of applying the plan:

Access Changes
There will be no access changes

@github-actions

Contributor

Before merge, verify that all the following plans are correct. After merge, Apply will regenerate the plans from the merged commit and continue only if they match.

Terraform plans

FilOzone
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # github_team.this["infra-admin"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-admin"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["infra-argocd-admin"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-argocd-admin"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["infra-argocd-viewer"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-argocd-viewer"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["infra-dealbot-admin"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-dealbot-admin"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["infra-dealbot-viewer"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-dealbot-viewer"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["infra-grafana-admin"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-grafana-admin"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["infra-grafana-viewer"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-grafana-viewer"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team.this["infra-viewer"] will be created
  + resource "github_team" "this" {
      + create_default_maintainer = false
      + etag                      = (known after apply)
      + id                        = (known after apply)
      + members_count             = (known after apply)
      + name                      = "infra-viewer"
      + node_id                   = (known after apply)
      + parent_team_read_id       = (known after apply)
      + parent_team_read_slug     = (known after apply)
      + privacy                   = "secret"
      + slug                      = (known after apply)
    }

  # github_team_membership.this["infra-admin:biglep"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "BigLep"
    }

  # github_team_membership.this["infra-admin:jennijuju"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "jennijuju"
    }

  # github_team_membership.this["infra-admin:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-admin:momack2"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "momack2"
    }

  # github_team_membership.this["infra-admin:rjan90"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "rjan90"
    }

  # github_team_membership.this["infra-admin:rvagg"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "rvagg"
    }

  # github_team_membership.this["infra-admin:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-argocd-admin:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-argocd-admin:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-argocd-viewer:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-argocd-viewer:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-dealbot-admin:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-dealbot-admin:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-dealbot-viewer:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-dealbot-viewer:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-grafana-admin:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-grafana-admin:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-grafana-viewer:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-grafana-viewer:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-viewer:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-viewer:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + etag     = (known after apply)
      + id       = (known after apply)
      + role     = "member"
      + team_id  = (known after apply)
      + username = "SgtPooki"
    }

Plan: 29 to add, 0 to change, 0 to destroy.

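The bot asks reviewers to confirm the plan matches what the PR declares before merging. The following script is an added example for this page (not code from FilOzone/github-mgmt or FilOzone/infra) that does that comparison mechanically: it parses the text form of the plan, then checks that every team being created is one of the infra-* teams in the description's team-to-group table, that teams are `secret`, that every membership is plain `member`, and that the member set of each team equals the operator set (infra-admin) or the Kubuxu + SgtPooki seed (every other team) the description promises. Anything that is not a plain create is also flagged, since this PR should only add resources. `SAMPLE_PLAN` is a constructed excerpt in the shape of the bot's output above, with a wrong privacy, a `maintainer` role and an undeclared user (`someone`) deliberately planted so the checks have something to report; the real plan would be fed in from the bot comment.

```python
"""Check a github-mgmt Terraform plan against the membership a PR declares.

Added example for this PR page, not code from FilOzone/github-mgmt or
FilOzone/infra. TEAM_TO_GROUP and the expected members come from the PR
description; SAMPLE_PLAN is a constructed excerpt in the shape of the bot's
plan output, with deliberate deviations so the checks fire.
"""
import re
from collections import defaultdict

# Team -> OIDC group mapping exactly as declared in the PR description.
TEAM_TO_GROUP = {
    "infra-admin": "infra:admin",
    "infra-viewer": "infra:viewer",
    "infra-argocd-admin": "argocd:admin",
    "infra-argocd-viewer": "argocd:viewer",
    "infra-grafana-admin": "grafana:admin",
    "infra-grafana-viewer": "grafana:viewer",
    "infra-dealbot-admin": "k8s:dealbot:admin",
    "infra-dealbot-viewer": "k8s:dealbot:viewer",
}
OPERATORS = {"BigLep", "jennijuju", "Kubuxu", "momack2", "rjan90", "rvagg", "SgtPooki"}
SEED = {"Kubuxu", "SgtPooki"}


def expected_memberships():
    """Members each team should have, per the PR description."""
    return {t: (OPERATORS if t == "infra-admin" else SEED) for t in TEAM_TO_GROUP}


# Constructed excerpt (not the real plan): privacy, one role and one extra
# user deliberately differ from what the PR declares.
SAMPLE_PLAN = """\
  # github_team.this["infra-viewer"] will be created
  + resource "github_team" "this" {
      + name                      = "infra-viewer"
      + privacy                   = "closed"
    }

  # github_team_membership.this["infra-viewer:kubuxu"] will be created
  + resource "github_team_membership" "this" {
      + role     = "maintainer"
      + username = "Kubuxu"
    }

  # github_team_membership.this["infra-viewer:sgtpooki"] will be created
  + resource "github_team_membership" "this" {
      + role     = "member"
      + username = "SgtPooki"
    }

  # github_team_membership.this["infra-viewer:someone"] will be created
  + resource "github_team_membership" "this" {
      + role     = "member"
      + username = "someone"
    }

Plan: 4 to add, 0 to change, 0 to destroy.
"""

# Resource header ("# <type>.this["<key>"] will be <action>") and quoted attributes.
HEADER = re.compile(r'^\s*# (\w+)\.this\["([^"]+)"\] will be (\w[\w -]*)$')
ATTR = re.compile(r'^\s*[+~-]?\s*(\w+)\s+= "([^"]*)"')


def parse_plan(text):
    """Return (teams, memberships, actions) parsed from plan text.

    teams: {name: {attr: value}}; memberships: {team: {username: role}};
    actions: [(resource_type, key, action), ...]
    """
    teams, memberships, actions, current = {}, defaultdict(dict), [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            rtype, key, action = m.groups()
            actions.append((rtype, key, action))
            current = (rtype, key, {})
        elif current and (a := ATTR.match(line)):
            current[2][a.group(1)] = a.group(2)
        elif current and line.strip() == "}":  # end of the resource block
            rtype, key, attrs = current
            if rtype == "github_team":
                teams[attrs.get("name", key)] = attrs
            elif rtype == "github_team_membership":
                # Membership keys are "<team>:<user>"; the real login is in username.
                memberships[key.split(":", 1)[0]][attrs["username"]] = attrs.get("role")
            current = None
    return teams, dict(memberships), actions


def check_plan(text, expected=None):
    """Return findings as strings; an empty list means the plan matches the PR."""
    expected = expected if expected is not None else expected_memberships()
    teams, memberships, actions = parse_plan(text)
    findings = []
    for rtype, key, action in actions:
        if action != "created":  # this PR should only add resources
            findings.append(f"{rtype}[{key}]: unexpected action {action!r}")
    for name, attrs in teams.items():
        if name not in TEAM_TO_GROUP:
            findings.append(f"team {name}: not in the declared team->group mapping")
        if attrs.get("privacy") != "secret":
            findings.append(f"team {name}: privacy {attrs.get('privacy')!r}, expected 'secret'")
    for team, members in memberships.items():
        for user, role in members.items():
            if role != "member":
                findings.append(f"{team}: {user} has role {role!r}, expected 'member'")
        want = expected.get(team, set())
        if extra := set(members) - want:
            findings.append(f"{team}: members not declared in the PR: {sorted(extra)}")
        if missing := want - set(members):
            findings.append(f"{team}: members declared but absent from plan: {sorted(missing)}")
    return findings
```

Run it as `python check_plan.py` after pasting the real plan into `SAMPLE_PLAN` (or reading it from a file) and reviewing each `FINDING:` line it prints; on the constructed excerpt it reports the wrong privacy, the `maintainer` role and the undeclared user, and nothing else. The membership check is intentionally two-sided: an undeclared member is a grant the PR did not ask for, and a declared member missing from the plan means the description and the code have drifted.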
@SgtPooki SgtPooki moved this from 📌 Triage to 🔎 Awaiting review in FOC Jun 19, 2026
@SgtPooki

Contributor Author

cc @Kubuxu @BigLep

Adds the GitHub teams that FilOzone/infra's Dex SSO maps into OIDC groups
for Argo CD, Grafana, and Kubernetes RBAC. github-mgmt is the source of
truth for membership; FilOzone/infra consumes these teams as groups.

Teams:
- infra-admin            -> infra:admin (platform operators)
- infra-viewer           -> infra:viewer (broad read-only; cluster-wide binding deferred)
- infra-argocd-admin     -> argocd:admin
- infra-argocd-viewer    -> argocd:viewer
- infra-grafana-admin    -> grafana:admin
- infra-grafana-viewer   -> grafana:viewer
- infra-dealbot-admin    -> k8s:dealbot:admin
- infra-dealbot-viewer   -> k8s:dealbot:viewer

See FilOzone/infra docs/SSO_ACCESS.md.
@github-project-automation github-project-automation Bot moved this from 🔎 Awaiting review to ✔️ Approved by reviewer in FOC Jun 22, 2026
@BigLep BigLep merged commit d51b678 into FilOzone:master Jun 22, 2026
6 checks passed
@github-project-automation github-project-automation Bot moved this from ✔️ Approved by reviewer to 🎉 Done in FOC Jun 22, 2026
4 participants