From 67c97adc96567dda4d6072722f1fb65e1b9ead5d Mon Sep 17 00:00:00 2001
From: rasmus
Date: Thu, 24 Jul 2025 10:30:58 +0300
Subject: [PATCH] grafana forbids having secrets in secrets

3 layers of jumala eest sa secretit grafanale ei annaks probably the key in secret reference is getting flagged no error message, it is just dropped, but still overrides env.. This seems to be a problem again since Jan/Feb, with the accepted workaround being enving it. Do as the docs don't say and agains, four times over?
---
 grafana/kustomization.yaml | 29 +++++++++++++----------------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/grafana/kustomization.yaml b/grafana/kustomization.yaml
index 5aed120..dee8cb3 100644
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -24,8 +24,6 @@ helmCharts:
         log: {level: warn}
         server:
           root_url: https://grafana.k-space.ee/
-        security:
-          disable_initial_admin_creation: true
         auth:
           oauth_allow_insecure_email_lookup: true
         auth.basic:
@@ -35,23 +33,22 @@ helmCharts:
           auto_login: true
           name: auth.k-space.ee
           role_attribute_path: contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer
+          allow_sign_up: true
           allow_assign_grafana_admin: true
-          client_id: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_ID}
-          client_secret: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_SECRET}
-          scopes: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_AVAILABLE_SCOPES}
-          auth_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_AUTH_URI}
-          token_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_TOKEN_URI}
-          api_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_USERINFO_URI}
-          signout_redirect_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_URI}
           use_pkce: true
-      extraSecretMounts:
-        - name: oidc-client-grafana-owner-secrets
-          secretName: oidc-client-grafana-owner-secrets
-          mountPath: /etc/secrets/oidc-client-grafana-owner-secrets
-          defaultMode: 0440
-          subPath: .
-          readOnly: true
+          use_refresh_token: true
+      env:
+        GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true # not supported by helm chart through grafana.ini, only env
+        # helm chart says to use file ref in grafana.ini, but it doesn't work since the secrets are fitlered out there
+        GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "$(OIDC_CLIENT_ID)"
+        GF_AUTH_GENERIC_OAUTH_SECRET: "$(OIDC_CLIENT_SECRET)"
+        GF_AUTH_GENERIC_OAUTH_SCOPES: "$(OIDC_AVAILABLE_SCOPES)"
+        GF_AUTH_GENERIC_OAUTH_AUTH_URL: "$(OIDC_IDP_AUTH_URI)"
+        GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "$(OIDC_IDP_TOKEN_URI)"
+        GF_AUTH_GENERIC_OAUTH_API_URL: "$(OIDC_IDP_USERINFO_URI)"
+        GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL: "$(OIDC_IDP_URI)"
       envFromSecrets:
+        - name: oidc-client-grafana-owner-secrets
         - name: grafana-database
       datasources:
         prometheus.yaml:
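Review bot: The new `GF_AUTH_GENERIC_OAUTH_SECRET` key does not follow Grafana's env-override scheme (`GF_<section>_<key>`), where the variable for `client_secret` is `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET`; since this hunk also drops `client_secret` from grafana.ini, the client secret ends up unset and the unknown variable is, as far as I can tell, simply never read — rename the line to `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "$(OIDC_CLIENT_SECRET)"`. The `$(VAR)` references depend on the kubelet expanding them from the `envFromSecrets` entry added below, and a key missing from that secret is not an error: the literal string `$(OIDC_CLIENT_SECRET)` is passed through unchanged, so verifying the rendered config after the first deploy is worth a line in the comment. `GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true` is a YAML boolean inside an env map whose values must reach the container as strings; quote it as `"true"` so the result does not depend on how the chart stringifies it. Moving the client secret from a `$__file{}` mount into an environment variable widens where it is readable (pod spec, `kubectl describe`, the process environment), which the commit message does not mention; if that trade-off is accepted, say so in the comment above the block. `allow_sign_up: true` together with the `Viewer` fallback in `role_attribute_path` means every account the IdP will authenticate gets a Grafana login — presumably intended, but worth confirming.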