Datasources

Datasources is a basic part of grafana and of course you can manage your datasources through the grafana operator.

To view all configuration you can do within datasources look at our API documentation.

Secret management

In case a datasource requires authentication, it is advised not to include credentials directly in url. Instead, it’s better to rely on value substitution like in the example below.

kind: Secret
apiVersion: v1
metadata:
  name: credentials
  namespace: grafana
stringData:
  PROMETHEUS_USERNAME: root
  PROMETHEUS_PASSWORD: secret
type: Opaque
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: grafanadatasource-sample
spec:
  valuesFrom:
    - targetPath: "basicAuthUser"
      valueFrom:
        secretKeyRef:
          name: "credentials"
          key: "PROMETHEUS_USERNAME"
    - targetPath: "secureJsonData.basicAuthPassword"
      valueFrom:
        secretKeyRef:
          name: "credentials"
          key: "PROMETHEUS_PASSWORD"
  instanceSelector:
    matchLabels:
      dashboards: "grafana"
  datasource:
    name: prometheus
    type: prometheus
    access: proxy
    basicAuth: true
    url: http://prometheus-service:9090
    isDefault: true
    basicAuthUser: ${PROMETHEUS_USERNAME}
    jsonData:
      "tlsSkipVerify": true
      "timeInterval": "5s"
    secureJsonData:
      "basicAuthPassword": ${PROMETHEUS_PASSWORD} # Notice the braces around PROMETHEUS_PASSWORD

NOTE: The secret must exist in the same namespace as the datasource.

Here you can find a bigger example on how to use datasources with environment variables.

Plugins

Plugins is a way to extend the grafana functionality in dashboards and datasources.

Plugins can be installed to grafana instances managed by the operator and be defined in both datasources and dashboards.

apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: example-grafanadatasource
spec:
  datasource:
    access: proxy
    type: prometheus
    jsonData:
      timeInterval: 5s
      tlsSkipVerify: true
    name: Prometheus
    url: http://prometheus-service:9090
  instanceSelector:
    matchLabels:
      dashboards: grafana
  plugins:
    - name: grafana-clock-panel
      version: 1.3.0

NOTE: To make grafana install a plugin, the operator bootstraps a grafana instance with a custom value passed in GF_INSTALL_PLUGINS environment variable (Install plugins in the Docker container). Thus, there is no way for the operator to install a plugin in an external grafana instance.

Look here for more examples on how to install plugins

Private data source connect (PDC)

Private data source connect, or PDC, is a way for you to establish a private, secured connection between a Grafana Cloud instance, or stack, and data sources secured within a private network.

To enable PDC on data sources configured through the Grafana operator, set the enableSecureSocksProxy and secureSocksProxyUsername fields in the jsonData field of the resource like this:

apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: grafanadatasource-sample
spec:
  instanceSelector:
    matchLabels:
      instance: grafanacloud-instance
  datasource:
    name: prometheus-pdc-operator
    type: prometheus
    access: proxy
    url: http://localhost:9090
    jsonData:
      "enableSecureSocksProxy": true
      "secureSocksProxyUsername": "<your-pdc-network-id>"

To find the PDC network ID, go to the Connections / Private data source connect page in your Grafana Cloud instance and select the network you want to connect to.

Last modified May 26, 2025: chore: Use request object directly (#2025) (b853b96)