grafana forbids having secrets in secrets

3 layers of jumala eest sa secretit grafanale ei annaks probably the key in secret reference is getting flagged no error message, it is just dropped, but still overrides env.. This seems to be a problem again since Jan/Feb, with the accepted workaround being enving it. Do as the docs don't say and agains, four times over?
2025-07-24 10:30:58 +03:00
parent ca4de329f7
commit 67c97adc96
1 changed files with 13 additions and 16 deletions
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -24,8 +24,6 @@ helmCharts:
      log: {level: warn}
      server:
        root_url: https://grafana.k-space.ee/
-      security:
-        disable_initial_admin_creation: true
      auth:
        oauth_allow_insecure_email_lookup: true
      auth.basic:
@@ -35,23 +33,22 @@ helmCharts:
          auto_login: true
          name: auth.k-space.ee
          role_attribute_path: contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer
+          allow_sign_up: true
          allow_assign_grafana_admin: true
-          client_id: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_ID}
-          client_secret: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_SECRET}
-          scopes: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_AVAILABLE_SCOPES}
-          auth_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_AUTH_URI}
-          token_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_TOKEN_URI}
-          api_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_USERINFO_URI}
-          signout_redirect_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_URI}
          use_pkce: true
-    extraSecretMounts:
-      - name: oidc-client-grafana-owner-secrets
-        secretName: oidc-client-grafana-owner-secrets
-        mountPath: /etc/secrets/oidc-client-grafana-owner-secrets
-        defaultMode: 0440
-        subPath: .
-        readOnly: true
+          use_refresh_token: true
+    env:
+      GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true # not supported by helm chart through grafana.ini, only env
+      # helm chart says to use file ref in grafana.ini, but it doesn't work since the secrets are fitlered out there
+      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "$(OIDC_CLIENT_ID)"
+      GF_AUTH_GENERIC_OAUTH_SECRET: "$(OIDC_CLIENT_SECRET)"
+      GF_AUTH_GENERIC_OAUTH_SCOPES: "$(OIDC_AVAILABLE_SCOPES)"
+      GF_AUTH_GENERIC_OAUTH_AUTH_URL: "$(OIDC_IDP_AUTH_URI)"
+      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "$(OIDC_IDP_TOKEN_URI)"
+      GF_AUTH_GENERIC_OAUTH_API_URL: "$(OIDC_IDP_USERINFO_URI)"
+      GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL: "$(OIDC_IDP_URI)"
    envFromSecrets:
+     - name: oidc-client-grafana-owner-secrets
     - name: grafana-database
    datasources:
      prometheus.yaml: