Dashboard from OCI artifact

Shows how to load a dashboard JSON file stored inside an OCI artifact in a container registry (e.g. GHCR, ECR, GAR). Bytes are fetched at reconcile time and never stored in etcd, making this the recommended source for dashboards larger than ~1 MiB.

The reference field must include either a tag (:v1.4.7) or a digest (@sha256:...):

  • tag - mutable pointer; operator re-fetches on each reconcile interval and caches via contentCacheDuration.
  • digest - immutable; guarantees bit-for-bit reproducibility across clusters.

For public registries, omit pullSecretRef. For private registries, create a kubernetes.io/dockerconfigjson Secret in the same namespace and reference it via pullSecretRef.

Push a dashboard artifact with oras :

echo '{"title":"My Dashboard","panels":[]}' > board.json
oras push ghcr.io/team-a/dashboards:v1.4.7 \
  --artifact-type application/vnd.grafana.dashboard+json \
  board.json:application/json

Alternatively, build a regular container image with the dashboard baked in:

FROM scratch
ADD board.json /board.json

---
# For private registries, create a pull secret in the same namespace:
#   kubectl create secret docker-registry ghcr-pull \
#     --docker-server=ghcr.io \
#     --docker-username=<user> \
#     --docker-password=<token>
# Then reference it via pullSecretRef below. Skip this for public artifacts.
---
apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: grafana
  labels:
    dashboards: "grafana"
spec:
  config:
    log:
      mode: "console"
    auth:
      disable_login_form: "false"
    security:
      admin_user: root
      admin_password: secret
---
# Tag-pinned variant (mutable release channel).
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
  name: grafanadashboard-from-oci-tag
spec:
  instanceSelector:
    matchLabels:
      dashboards: "grafana"
  oci:
    reference: ghcr.io/team-a/dashboards:v1.4.7
    path: board.json
    pullSecretRef:
      name: ghcr-pull
---
# Digest-pinned variant (immutable, reproducible deployments).
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
  name: grafanadashboard-from-oci-digest
spec:
  instanceSelector:
    matchLabels:
      dashboards: "grafana"
  oci:
    reference: ghcr.io/team-a/dashboards@sha256:0000000000000000000000000000000000000000000000000000000000000000
    path: board.json
    pullSecretRef:
      name: ghcr-pull
Last modified June 14, 2026: fix(deps): update module github.com/onsi/ginkgo/v2 to v2.30.0 (#2753) (d3f62f6)