fix(Grafana): CreateContainerConfigError with disableDefaultAdminSecret and admin secret missing (#2356)

Baarsgaard · web-flow · commit d514007dc668 · 2025-12-08T08:19:31.000Z
* fix: `CreateContainerConfigError` when `disableDefaultAdminSecret=true` and admin secret is missing

* test(E2E/Grafana): Move JWT config, disable admin secret for JWT instance
diff --git a/controllers/reconcilers/grafana/deployment_reconciler.go b/controllers/reconcilers/grafana/deployment_reconciler.go
@@ -226,6 +226,10 @@ func getContainers(cr *v1beta1.Grafana, scheme *runtime.Scheme, vars *v1beta1.Op
 		ReadinessProbe:           getReadinessProbe(cr),
 	})
 
+	if cr.Spec.DisableDefaultAdminSecret {
+		return containers
+	}
+
 	// Use auto generated admin account?
 	secret := resources.GetGrafanaAdminSecret(cr, scheme)
 
diff --git a/tests/e2e/example-test/00-create-grafana-external.yaml b/tests/e2e/example-test/00-create-grafana-external.yaml
@@ -7,23 +7,11 @@ metadata:
 spec:
   client:
     preferIngress: false
-    useKubeAuth: true
   config:
     log:
       mode: "console"
     auth:
       disable_login_form: "false"
-    auth.jwt:
-      enabled: "true"
-      header_name: Authorization
-      username_claim: sub
-      email_claim: sub
-      auto_sign_up: "true"
-      role_attribute_path: "contains(\"kubernetes.io\".namespace, 'grafana') && 'GrafanaAdmin' || 'None'" # Assigns normal Admin unless allow_assign_grafana_admin is enabled
-      role_attribute_strict: "true" # Disables auto_assign_org_role
-      jwk_set_url: https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/openid/v1/jwks
-      jwk_set_bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tls_client_ca: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
   deployment:
     spec:
       template:
diff --git a/tests/e2e/example-test/00-create-grafana.yaml b/tests/e2e/example-test/00-create-grafana.yaml
@@ -5,7 +5,9 @@ metadata:
   labels:
     dashboards: "grafana"
 spec:
+  disableDefaultAdminSecret: true # Ensure config is valid without admin secret
   client:
+    useKubeAuth: true
     preferIngress: false
   config:
     log:
@@ -21,6 +23,17 @@ spec:
     recording_rules:
       enabled: "true"
       url: http://prometheus:9090/api/prom/push
+    auth.jwt:
+      enabled: "true"
+      header_name: Authorization
+      username_claim: sub
+      email_claim: sub
+      auto_sign_up: "true"
+      role_attribute_path: "contains(sub, 'system:serviceaccount:default:grafana-operator-controller-manager') && 'GrafanaAdmin' || 'None'" # Assigns normal Admin unless allow_assign_grafana_admin is enabled
+      role_attribute_strict: "true" # Disables auto_assign_org_role
+      jwk_set_url: https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/openid/v1/jwks
+      jwk_set_bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      tls_client_ca: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
   deployment:
     spec:
       template:
