From 94d566dc1c0cf28b7a6e5ec7f7c3f41b2de71232 Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Sun, 4 Feb 2024 15:46:03 +0100
Subject: [PATCH] =?UTF-8?q?fixup!=20=E2=99=BB=EF=B8=8F=20remove=20hardcode?= =?UTF-8?q?d=20authelia=20secrets?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../grafana/app/externalsecret.yaml | 22 +++++++++++++++++++
 .../monitoring/grafana/app/helmrelease.yaml | 4 ++++
 .../monitoring/grafana/app/kustomization.yaml | 1 +
 3 files changed, 27 insertions(+)
 create mode 100644 kubernetes/apps/monitoring/grafana/app/externalsecret.yaml
diff --git a/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml b/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml
new file mode 100644
index 000000000..e3d7ca01f
--- /dev/null
+++ b/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: grafana-secrets
+ namespace: monitoring
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: grafana-secret
+ creationPolicy: Owner
+ deletionPolicy: "Delete"
+ template:
+ engineVersion: v2
+ data:
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
+ dataFrom:
+ - extract:
+ key: authelia
diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
index 9a9164c38..61c8ac975 100644
--- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
@@ -27,6 +27,8 @@ spec:
 uninstall:
 keepHistory: false
 values:
+ annotations:
+ reloader.stakater.com/auto: "true"
 rbac:
 pspEnabled: false
 env:
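Review bot: `dataFrom.extract` with `key: authelia` loads every field of the `authelia` item into this ExternalSecret, although the template only uses `GRAFANA_OAUTH_CLIENT_SECRET`. Only the templated key reaches `grafana-secret` today, but if the `template` block is later removed or its merge policy changed, every field of that item would be written to the Secret in the `monitoring` namespace; the commit subject suggests the item also holds Authelia's own secrets, though that is not visible here. Fetching the single property through `spec.data` with `remoteRef.property` keeps the scope to what Grafana needs and leaves the template working unchanged. Separately, the resource is named `grafana-secrets` while its target is `grafana-secret`; using one name for both would avoid a one-character mismatch with the HelmRelease reference.

```yaml
spec:
  # … unchanged: secretStoreRef, target and template …
  data:
    - secretKey: GRAFANA_OAUTH_CLIENT_SECRET
      remoteRef:
        key: authelia
        property: GRAFANA_OAUTH_CLIENT_SECRET
```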
@@ -40,6 +42,8 @@ spec:
 GF_DATE_FORMATS_FULL_DATE: "DD.MM.YYYY hh:mm:ss"
 GF_SECURITY_ALLOW_EMBEDDING: true
 GF_SECURITY_COOKIE_SAMESITE: grafana
+ envFromSecrets:
+ - name: grafana-secret
 grafana.ini:
 analytics:
 check_for_updates: false
diff --git a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
index 72c948232..5358f1cd5 100644
--- a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
@@ -4,4 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources:
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
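Review bot: `envFromSecrets` imports every key of `grafana-secret` as an environment variable, and Grafana treats any `GF_*` variable as a configuration override, so the contents of that Secret are effectively part of Grafana's configuration. The list entry deserves a comment tying it to its source, for example `# rendered by externalsecret.yaml (target.name); must contain only GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET`. Environment variables are also inherited by child processes in the container; if that matters here, Grafana can read the value from a mounted file through the `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE` form instead. The `env` map this entry follows starts above the hunk.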