grafana forbids having secrets in secrets

3 layers of jumala eest sa secretit grafanale ei annaks
probably the key in secret reference is getting flagged
no error message, it is just dropped, but still
overrides env.. This seems to be a problem again
since Jan/Feb, with the accepted workaround being enving it.

Do as the docs don't say and again, four times over?
2025-07-24 10:30:58 +03:00
parent ca4de329f7
commit 67c97adc96


@@ -24,8 +24,6 @@ helmCharts:
log: {level: warn} log: {level: warn}
server: server:
root_url: https://grafana.k-space.ee/ root_url: https://grafana.k-space.ee/
security:
disable_initial_admin_creation: true
auth: auth:
oauth_allow_insecure_email_lookup: true oauth_allow_insecure_email_lookup: true
auth.basic: auth.basic:
@@ -35,23 +33,22 @@ helmCharts:
auto_login: true auto_login: true
name: auth.k-space.ee name: auth.k-space.ee
role_attribute_path: contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer role_attribute_path: contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer
allow_sign_up: true
allow_assign_grafana_admin: true allow_assign_grafana_admin: true
client_id: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_ID}
client_secret: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_SECRET}
scopes: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_AVAILABLE_SCOPES}
auth_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_AUTH_URI}
token_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_TOKEN_URI}
api_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_USERINFO_URI}
signout_redirect_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_URI}
use_pkce: true use_pkce: true
extraSecretMounts: use_refresh_token: true
- name: oidc-client-grafana-owner-secrets env:
secretName: oidc-client-grafana-owner-secrets GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true # not supported by helm chart through grafana.ini, only env
mountPath: /etc/secrets/oidc-client-grafana-owner-secrets # helm chart says to use file ref in grafana.ini, but it doesn't work since the secrets are fitlered out there
defaultMode: 0440 GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "$(OIDC_CLIENT_ID)"
subPath: . GF_AUTH_GENERIC_OAUTH_SECRET: "$(OIDC_CLIENT_SECRET)"
readOnly: true GF_AUTH_GENERIC_OAUTH_SCOPES: "$(OIDC_AVAILABLE_SCOPES)"
GF_AUTH_GENERIC_OAUTH_AUTH_URL: "$(OIDC_IDP_AUTH_URI)"
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "$(OIDC_IDP_TOKEN_URI)"
GF_AUTH_GENERIC_OAUTH_API_URL: "$(OIDC_IDP_USERINFO_URI)"
GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL: "$(OIDC_IDP_URI)"
envFromSecrets: envFromSecrets:
- name: oidc-client-grafana-owner-secrets
- name: grafana-database - name: grafana-database
datasources: datasources:
prometheus.yaml: prometheus.yaml:
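Review bot: `GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true` in the new `env` map is a YAML boolean, while Kubernetes container env values must be strings, so whether it ends up as `value: "true"` depends on how the chart's template stringifies it; write `GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: "true"` like the other entries. The `$(OIDC_CLIENT_ID)`/`$(OIDC_CLIENT_SECRET)` references are expanded by the kubelet from the variables that `envFromSecrets` injects, and a reference whose key is absent from the secret is passed through unchanged, so a renamed or missing key would hand Grafana the literal placeholder string instead of failing the rollout — worth a comment next to `env:`, e.g. `# $(VAR) refs resolve from envFromSecrets at pod start; an unresolved ref is passed through literally`. `allow_sign_up: true` appears to be newly added beside a `role_attribute_path` that falls through to `Viewer` and `oauth_allow_insecure_email_lookup: true`, with no `allowed_groups`/`allowed_domains` restriction visible in the hunk; if the IdP already limits which accounts may authenticate to this client that is fine, otherwise any IdP account gets auto-provisioned as Viewer. The enclosing `grafana.ini`/values block starts before the hunk, and the typo `fitlered` in the new comment could be fixed while touching it.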