From bbea21c468af28def06be7128163709827a56ad5 Mon Sep 17 00:00:00 2001
From: WrenIX
Date: Sat, 27 Jan 2024 13:00:50 +0100
Subject: [PATCH] fix(infra-monitoring): Improve secret handling for grafana
---
.../templates/kube-prometheus-stack/release.yaml | 11 ++++++++---
.../secret-grafana_auth_generic_oauth.yaml | 10 ++++++++++
2 files changed, 18 insertions(+), 3 deletions(-)
create mode 100644 infra-monitoring/templates/kube-prometheus-stack/secret-grafana_auth_generic_oauth.yaml
diff --git a/infra-monitoring/templates/kube-prometheus-stack/release.yaml b/infra-monitoring/templates/kube-prometheus-stack/release.yaml
index ccd520d..0d9be1b 100644
--- a/infra-monitoring/templates/kube-prometheus-stack/release.yaml
+++ b/infra-monitoring/templates/kube-prometheus-stack/release.yaml
@@ -173,15 +173,20 @@ spec:
auth.generic_oauth:
name: authentik
enabled: true
- client_id: {{ .Values.grafana.auth.authentik.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientID") | quote }}
- client_secret: {{ .Values.grafana.auth.authentik.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientSecret") | quote }}
+ client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+ client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
scopes: openid email profile
auth_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/authorize/
token_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/token/
api_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/userinfo/
role_attribute_path: "contains(groups[*], 'app: grafana - admin') && 'Admin' || contains(groups[*], 'app: grafana - editor') && 'Editor' || 'Viewer'"
{{- end }}
-
+ extraSecretMounts:
+ - name: auth-generic-oauth-secret-mount
+ secretName: monitoring-grafana-auth-generic-oauth
+ defaultMode: 0440
+ mountPath: /etc/secrets/auth_generic_oauth
+ readOnly: true
testFramework:
enabled: false
sidecar:
diff --git a/infra-monitoring/templates/kube-prometheus-stack/secret-grafana_auth_generic_oauth.yaml b/infra-monitoring/templates/kube-prometheus-stack/secret-grafana_auth_generic_oauth.yaml
new file mode 100644
index 0000000..6cd9c3c
--- /dev/null
+++ b/infra-monitoring/templates/kube-prometheus-stack/secret-grafana_auth_generic_oauth.yaml
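Review bot: The new `extraSecretMounts` block is placed after the `{{- end }}` that appears to close the authentik guard, so the mount is rendered unconditionally while the Secret it references is only rendered when `.Values.commons.auth.enabled` holds and the type is `authentik` (see the new secret template); with authentik auth disabled the Grafana pod would block on the missing `monitoring-grafana-auth-generic-oauth` Secret. Wrap the six added lines in the same condition, `{{- if and .Values.commons.auth.enabled (eq .Values.commons.auth.type "authentik") }}` … `{{- end }}`, or move them inside the existing guard. `defaultMode: 0440` also relies on the YAML parser reading the leading zero as octal (YAML 1.1 behaviour); the decimal form `defaultMode: 288` means the same mode on any parser. The enclosing `spec`/`grafana.ini` mapping starts before the hunk.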
@@ -0,0 +1,10 @@
+{{- if and .Values.commons.auth.enabled (eq .Values.commons.auth.type "authentik") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: monitoring-grafana-auth-generic-oauth
+data:
+ client_id: {{ .Values.grafana.auth.authentik.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientID") | b64enc }}
+ client_secret: {{ .Values.grafana.auth.authentik.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientSecret") | b64enc }}
+{{- end }}
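Review bot: The Secret's name `monitoring-grafana-auth-generic-oauth` and its keys `client_id`/`client_secret` form a contract with the `$__file{/etc/secrets/auth_generic_oauth/...}` references and `extraSecretMounts.secretName` in release.yaml, but nothing in this file records that coupling; a template comment at the top, `{{- /* Mounted into Grafana at /etc/secrets/auth_generic_oauth; name and keys must match extraSecretMounts and the $__file{} references in release.yaml */ -}}`, would stop a rename from silently breaking OAuth login. Note also that when `clientSecret` is unset the value falls back to `derivePassword` seeded from `.Values.commons.masterPassword`, so the OAuth client secret is a deterministic function of the master password; that was already the case before this change, but it belongs in the chart's values documentation rather than being left implicit.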