
[Proposal] Grafana Helm Chart: Ability to disable internal admin account without breaking sidecar functionality. #3295

Open
jkroepke opened this issue Sep 2, 2024 · 10 comments

Comments

@jkroepke
Collaborator

jkroepke commented Sep 2, 2024

Hi everyone,

As the maintainer of the Grafana Helm Charts, I would like to propose an idea and gather your feedback.

Many Kubernetes users deploy the Grafana Helm chart alongside the sidecar reloader to hot-reload dashboards and datasources. However, the sidecar requires at least one admin credential to interact with the Grafana API. As a result, disabling the built-in admin account and basic authentication effectively is not feasible. This creates a trade-off between security and automation.

To address this, I’ve developed a prototype of a Grafana app that can trigger the provisioning API when files change on the filesystem. This would eliminate the need for sidecars to have admin credentials to trigger the provisioning API, as Grafana itself would handle it.

You can find the proof-of-concept code here: https://github.com/jkroepke/grafana-provisioner-reloader/tree/init

If this proposal makes sense, I would proceed with the necessary steps to publish the app on the Grafana App Catalog with official signing, and then implement it in the Helm chart.

In theory, the app could be responsible to talk with the kubernetes API directly, however I feel that such functionally will be not accepted for the App Store.

Thoughts? @zalegrala? @zanhsieh

@yosiasz

yosiasz commented Sep 3, 2024

"requires at least one admin credential": big fat security red flag

@jkroepke
Collaborator Author

jkroepke commented Sep 3, 2024

> "requires at least one admin credential": big fat security red flag

That's the reason why I created this proposal.

@nogweii

nogweii commented Sep 3, 2024

I was just actually looking for a way to do exactly this - I have OIDC set up for my Grafana instance, and so thought I could disable the admin account. Turns out I can't, as you mention, because of the reloading support.

I'm a big fan of this change, and would love to see it implemented! Let me know if I can do any testing.

@LarsStegman
Contributor

Big proponent for this proposal!

@Pionerd

Pionerd commented Sep 4, 2024

Please forgive my ignorance if I'm missing something, but would it not make more sense if there would be native functionality for this in Grafana instead of a separate app? Or are we doing this pending such an implementation?

@jkroepke
Collaborator Author

jkroepke commented Sep 4, 2024

> would be native functionality

Of course. I also opened an issue half a year ago (#2948) to cover that topic, but I don't feel confident enough to create a PR to integrate this into core. However, I would like to resolve that issue in a way that I can offer it.

At least the proposal here would resolve the issue until it's integrated into core.

@Pionerd

Pionerd commented Sep 4, 2024

And I appreciate that :)

@zanhsieh
Collaborator

zanhsieh commented Sep 4, 2024

I agreed.

@yosiasz

yosiasz commented Sep 4, 2024

So can one interact with the API with tokens? The admin approach scares me.

@jkroepke
Collaborator Author

jkroepke commented Sep 4, 2024

> the admin approach scares me

That has been the current approach for years. Has no one ever looked into the charts to see how it works?

However, by using a Grafana App, the App can request a Grafana Service Account with fine-grained permissions.

For example, the POC defines that an API token with reload-provisioning permissions is required.

https://github.com/jkroepke/grafana-provisioner-reloader/blob/25a4a8e87daf5e00ebc7dc8eecd2bf901e73da06/src/plugin.json#L42-L46
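The reload path this comment describes, as an added example that is not code from the proof-of-concept repository or the Helm chart: a Go loop that digests the provisioning directory and, only when it changes, calls Grafana's provisioning reload endpoint with a service-account token instead of admin basic auth. The `/api/admin/provisioning/<kind>/reload` endpoint and the `provisioning:reload` permission are taken from Grafana's HTTP API documentation, not from this thread; `baseURL`, `token`, `dir` and `kind` are the caller's inputs, and `SyncOnce` returns the digest to store for the next poll plus whether a reload ran.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
)

// DirFingerprint digests every file under dir (path, size, contents) so any edit to
// a provisioning file changes the result; polling stands in for inotify (example code).
func DirFingerprint(dir string) (string, error) {
	h := sha256.New()
	err := filepath.Walk(dir, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err == nil {
			fmt.Fprintf(h, "%s\x00%d\x00%s", p, len(data), data)
		}
		return err
	})
	return fmt.Sprintf("%x", h.Sum(nil)), err
}

// SyncOnce digests dir and, when it differs from last, POSTs to Grafana's
// /api/admin/provisioning/<kind>/reload with a token that only needs the
// provisioning:reload permission; on failure it returns last so the next poll retries.
func SyncOnce(c *http.Client, baseURL, token, dir, kind, last string) (string, bool, error) {
	cur, err := DirFingerprint(dir)
	if err != nil || cur == last {
		return last, false, err
	}
	req, err := http.NewRequest(http.MethodPost, baseURL+"/api/admin/provisioning/"+kind+"/reload", nil)
	if err != nil {
		return last, false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return last, false, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return last, false, fmt.Errorf("reload %s: HTTP %d", kind, resp.StatusCode)
	}
	return cur, true, nil
}
```

The token used here is the one a service account scoped to `provisioning:reload` would receive; nothing in the loop needs the built-in admin account or basic auth.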
