template/stacks/monitoring/kube-prometheus/values.yaml

@@ -41,7 +41,7 @@ grafana:
       name: Keycloak-OAuth
       allow_sign_up: true
       use_refresh_token: true
-      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+      client_id: grafana
       client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
       email_attribute_path: email

template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml

@@ -369,9 +369,6 @@ spec:
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 
-
-
-
               echo "creating Grafana client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -388,9 +385,6 @@ spec:
               GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-
-
 
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \

template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: monitoring
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
+  data:
+    - secretKey: GRAFANA_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: GRAFANA_CLIENT_SECRET