Skip to content

feat(Grafana): K8s serviceaccount token as authorization .spec.client.useKubeAuth #2137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

feat(Grafana): K8s serviceaccount token as authorization .spec.client.useKubeAuth #2137

wants to merge 7 commits into from

Conversation

Baarsgaard
Copy link
Collaborator

@Baarsgaard Baarsgaard commented Aug 10, 2025
edited
Loading

Use the k8s ServiceAccount token projected in at /var/run/secrets/kubernetes.io/serviceaccount/token as authentication to Grafana instances.

Users can configure [auth.jwt] to accept K8s ServiceAccounts and assign them roles depending on the name, namespace, etc in the JWT token and entirely disable the default Grafana admin account.

TODO

Questions:

  • Should the operator support a default config for JWT auth which is used? The variance in what people want might be a bit high and instead just document the options.
  • Name of the client option? useKubeAuth and useJWTAuth are both a bit vague
  • Should this be merged after Grafana v12.2.0 is released and configured as the new default version?
    Would help a lot for usability as the the full setup can be handled in the Grafana CR

@github-actions github-actions bot added documentation Issues relating to documentation, missing, non-clear etc. feature this PR introduces a new feature labels Aug 10, 2025
@Baarsgaard Baarsgaard force-pushed the feat_k8s_serviceaccont_auth branch from c62ac14 to 6f7a946 Compare August 10, 2025 18:26
@Baarsgaard Baarsgaard force-pushed the feat_k8s_serviceaccont_auth branch 2 times, most recently from b3fd0ff to 9f29f8f Compare August 31, 2025 12:01
@Baarsgaard Baarsgaard marked this pull request as ready for review August 31, 2025 15:10
weisdd
weisdd requested changes Sep 1, 2025
View reviewed changes
@Baarsgaard Baarsgaard force-pushed the feat_k8s_serviceaccont_auth branch from 9f29f8f to 39bb269 Compare September 5, 2025 21:05
@theSuess theSuess mentioned this pull request Sep 15, 2025
Closed
@Baarsgaard Baarsgaard force-pushed the feat_k8s_serviceaccont_auth branch from 39bb269 to 23fd780 Compare September 21, 2025 18:51
@Baarsgaard Baarsgaard force-pushed the feat_k8s_serviceaccont_auth branch from c6858be to 30c1a39 Compare September 22, 2025 17:22
@Baarsgaard Baarsgaard force-pushed the feat_k8s_serviceaccont_auth branch from d5b93f3 to 1907e5f Compare September 24, 2025 22:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weisdd weisdd weisdd requested changes

@nissessenap nissessenap Awaiting requested review from nissessenap nissessenap is a code owner

@ishanjainn ishanjainn Awaiting requested review from ishanjainn ishanjainn is a code owner

@theSuess theSuess Awaiting requested review from theSuess theSuess is a code owner

@hubeadmin hubeadmin Awaiting requested review from hubeadmin hubeadmin is a code owner

@pb82 pb82 Awaiting requested review from pb82 pb82 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
documentation Issues relating to documentation, missing, non-clear etc. feature this PR introduces a new feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Baarsgaard @weisdd