[bitnami/grafana-operator] admin password not in grafana.ini causes errors in operator

bitnami / charts

Bitnami Helm Charts

https://bitnami.com

Other

9.01k stars 9.22k forks source link

[bitnami/grafana-operator] admin password not in grafana.ini causes errors in operator #29203

Closed toporek3112 closed 1 month ago

toporek3112 commented 2 months ago

Name and Version

bitnami/grafana-operator 4.4.12

What architecture are you using?

amd64

What steps will reproduce the bug?

deployed secret with environment variable GF_SECURITY_ADMIN_PASSWORD

install the operator and set

grafana:
  enabled: true
  envFrom: 
    - secretRef:
         name: secret

look at the operator log or kubectl get grafana you'll see that the grafana does not have a version and the operator is throwing errors about the wrong username or password

What is the expected behavior?

The expected behavior is seeing version 11.1.0 when doing kubectl get grafana and no errors in the operator.

What do you see instead?

Errors in the operator because it can't fetch the version from the Grafana instance

Additional information

Maybe I'm doing something wrong. I know it works when I set the admin_password in the grafana config section but I don't want to deploy this with my plaintext password. Please help

carrodher commented 2 months ago

Can you share the logs about the specific error you're facing?

toporek3112 commented 1 month ago

Sorry for the late reply. The error is:

2024-09-09T21:48:15Z    ERROR   GrafanaReconciler       failed to get version from instance     {"controller": "grafana", "controllerGroup": "grafana.integreatly.org", "controllerKind": "Grafana", "Grafana": {"name":"grafana-operator-grafana","namespace":"monitoring"}, "namespace": "monitoring", "name": "grafana-operator-grafana", "reconcileID": "6321402f-6f7d-4f6f-9cd4-8068b8d011bf", "error": "empty version received from server"}

toporek3112 commented 1 month ago

Maybe for clarification. It works when i configure the admin password under: grafana.config.security.admin_password but then the password is plaintext in the yaml...

juan131 commented 1 month ago

Hi @toporek3112

The operator will generate a random password for you if you install the chart using the values.yaml below:

grafana:
  config:
    security:
      admin_user: admin
  enabled: true

See:

$ kubectl get secrets
NAME                                         TYPE                                  DATA   AGE
grafana-operator-grafana-admin-credentials   Opaque                                2      62s
$ kubectl get secret grafana-operator-grafana-admin-credentials -o json | jq -r .data.GF_SECURITY_ADMIN_PASSWORD | base64 --decode
elkfdhMuYvuV_Q==

toporek3112 commented 1 month ago

Hi @juan131, sorry for the late anwser. Yes I'm aware of that the operator will generate a random password. But I'm using the operator in addition with a postgres database where I already have an admin user with a password set by me. So If I don't pass this password int the values.yaml the operator won't be able to fetch infos from the grafana instance.

Furthermore even when the operator generates a random password it is still visible in plaintext when doing

kubectl get grafana my-grafana-instance -o yaml

This is kinda unconfortable since this is the admin password...

juan131 commented 1 month ago

Hi @toporek3112

I understand your concerns but I don't know if there's anything we (Bitnami) can do on our side given we just package the solution into a chart it looks to me like it's a design issue to report to Grafana Operator developers, see:

toporek3112 commented 1 month ago

You right, sorry for bothering. I will talk with Grafana devs. Thanks :)