From ec31f988896a20f53e6d4d965ab70201e2f12658 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 15:28:48 +0100
Subject: [PATCH] Added external secret for grafana keycloak client secret

---
 .../monitoring/kube-prometheus/values.yaml    |  2 +-
 .../keycloak/manifests/keycloak-config.yaml   |  6 ------
 .../keycloak/manifests/secret-grafana.yaml    | 21 +++++++++++++++++++
 3 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 1e42733..901345f 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -41,7 +41,7 @@ grafana:
       name: Keycloak-OAuth
       allow_sign_up: true
       use_refresh_token: true
-      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+      client_id: grafana
       client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
       email_attribute_path: email
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 1b5681f..c271336 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -369,9 +369,6 @@ spec:
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 
-
-
-
               echo "creating Grafana client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -388,9 +385,6 @@ spec:
               GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-
-
 
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
new file mode 100644
index 0000000..896ec1b
--- /dev/null
+++ b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: monitoring
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
+  data:
+    - secretKey: GRAFANA_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: GRAFANA_CLIENT_SECRET