feat(Grafana): useKubeAuth enables using k8s serviceacccount

Baarsgaard · Baarsgaard · commit d5ef3a1652e5 · 2025-08-09T10:24:24.000+02:00
diff --git a/api/v1beta1/grafana_types.go b/api/v1beta1/grafana_types.go
@@ -125,6 +125,10 @@ type JsonnetConfig struct {
 
 // GrafanaClient contains the Grafana API client settings
 type GrafanaClient struct {
+	// Use Kubernetes Serviceaccount as authentication
+	// Requires configuring [auth.jwt] in the instance
+	// +optional
+	UseKubeAuth bool `json:"useKubeAuth,omitempty"`
 	// +nullable
 	TimeoutSeconds *int `json:"timeout,omitempty"`
 	// +nullable
diff --git a/config/crd/bases/grafana.integreatly.org_grafanas.yaml b/config/crd/bases/grafana.integreatly.org_grafanas.yaml
@@ -90,6 +90,11 @@ spec:
                       x-kubernetes-validations:
                         - message: insecureSkipVerify and certSecretRef cannot be set at the same time
                           rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
+                    useKubeAuth:
+                      description: |-
+                        Use Kubernetes Serviceaccount as authentication
+                        Requires configuring [auth.jwt] in the instance
+                      type: boolean
                   type: object
                 config:
                   additionalProperties:
diff --git a/controllers/client/grafana_client.go b/controllers/client/grafana_client.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 	"time"
 
 	genapi "github.com/grafana/grafana-openapi-client-go/client"
@@ -62,6 +63,17 @@ func getExternalAdminPassword(ctx context.Context, c client.Client, cr *v1beta1.
 func getAdminCredentials(ctx context.Context, c client.Client, grafana *v1beta1.Grafana) (*grafanaAdminCredentials, error) {
 	credentials := &grafanaAdminCredentials{}
 
+	if grafana.Spec.Client != nil && grafana.Spec.Client.UseKubeAuth {
+		b, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+		if err != nil {
+			return nil, err
+		}
+
+		credentials.apikey = string(b)
+
+		return credentials, nil
+	}
+
 	if grafana.IsExternal() {
 		// prefer api key if present
 		if grafana.Spec.External.APIKey != nil {
@@ -151,7 +163,7 @@ func InjectAuthHeaders(ctx context.Context, c client.Client, grafana *v1beta1.Gr
 	}
 
 	if creds.apikey != "" {
-		req.Header.Add("Authorization", "Bearer "+creds.apikey)
+		req.Header.Set("Authorization", "Bearer "+creds.apikey)
 	} else {
 		req.SetBasicAuth(creds.adminUser, creds.adminPassword)
 	}
diff --git a/deploy/helm/grafana-operator/crds/grafana.integreatly.org_grafanas.yaml b/deploy/helm/grafana-operator/crds/grafana.integreatly.org_grafanas.yaml
@@ -90,6 +90,11 @@ spec:
                       x-kubernetes-validations:
                         - message: insecureSkipVerify and certSecretRef cannot be set at the same time
                           rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
+                    useKubeAuth:
+                      description: |-
+                        Use Kubernetes Serviceaccount as authentication
+                        Requires configuring [auth.jwt] in the instance
+                      type: boolean
                   type: object
                 config:
                   additionalProperties:
diff --git a/deploy/kustomize/base/crds.yaml b/deploy/kustomize/base/crds.yaml
@@ -3407,6 +3407,11 @@ spec:
                         at the same time
                       rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef)))
                         || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
+                  useKubeAuth:
+                    description: |-
+                      Use Kubernetes Serviceaccount as authentication
+                      Requires configuring [auth.jwt] in the instance
+                    type: boolean
                 type: object
               config:
                 additionalProperties:
diff --git a/docs/docs/api.md b/docs/docs/api.md
@@ -6444,6 +6444,14 @@ Client defines how the grafana-operator talks to the grafana instance.
             <i>Validations</i>:<li>(has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify))): insecureSkipVerify and certSecretRef cannot be set at the same time</li>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>useKubeAuth</b></td>
+        <td>boolean</td>
+        <td>
+          Use Kubernetes Serviceaccount as authentication
+Requires configuring [auth.jwt] in the instance<br/>
+        </td>
+        <td>false</td>
       </tr></tbody>
 </table>
 
