Service Accounts
GrafanaServiceAccount (SA) resources differ from the other resources the operator manages because the security implications are higher: every token issued for an SA is an API credential for the Grafana instance, and the operator stores it in a Kubernetes Secret.
To avoid unintended accounts in Grafana instances, the creation and matching of SAs is intentionally limited.
Each SA matches exactly one Grafana instance, selected by the .spec.instanceName field.
instanceName references the .metadata.name field of the Grafana resource.
Additionally, service accounts are only supported in the same namespace as the Grafana resource; a Grafana in another namespace is never matched. Both resources are shown below.
```yaml
---
apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: my-grafana
spec:
  config:
    security:
      admin_user: root
      admin_password: secret
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaServiceAccount
metadata:
  name: my-service-account
spec:
  name: "my-service-account"
  instanceName: "my-grafana" # Matches the exact metadata.name of a Grafana instance in the same namespace
  role: "Admin" # Admin, Editor, or Viewer
  isDisabled: false
  tokens:
    - name: "my-token-a"
      secretName: thatsfine # If secretName is omitted, a name is generated prefixed with the service account and token names
      expires: 2029-12-31T14:00:00+02:00
    - name: "my-token-b"
```
The operator will then create a Secret for each token in .spec.tokens. The token in .data is only base64-encoded, not encrypted, so anyone who can read Secrets in that namespace can use it against Grafana with the role of the service account; scope RBAC on Secrets accordingly.
```yaml
apiVersion: v1
kind: Secret
metadata:
  # labels/annotations/... Omitted for brevity
  name: thatsfine
  namespace: default
data:
  token: Z2xzYV9GdXllSHk3V2Y0MjExbFNIRkpReTRPczljMnFtaUZZVl9iZDliYzk5YQ==
---
apiVersion: v1
kind: Secret
metadata:
  # labels/annotations/... Omitted for brevity
  generateName: grafana-my-service-account-my-token-b-
  name: grafana-my-service-account-my-token-b-4v9mh
  namespace: default
data:
  token: Z2xzYV9sMXlwaFI3NkdXcWVzV3R5QWEzR1NQTGpjNXhoZGJSUl82NjM5NzQxMQ==
```
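The matching rules above (exact instanceName, same namespace, one of three roles) and the Secret the operator writes are easy to check before a manifest reaches the cluster. The following is an added example, not grafana-operator code: it lints a GrafanaServiceAccount against those rules and decodes the token from a Secret. The manifests are embedded as already-parsed dicts (what yaml.safe_load would return for the YAML above), the fixed clock FIXED_NOW is an assumption so the expiry check is reproducible, and the "Admin role with no expires" warning is this example's own policy rather than an operator check.

```python
"""Lint a GrafanaServiceAccount against the page's matching rules and decode
the token Secret. Added example; not part of grafana-operator."""
import base64
from datetime import datetime, timezone

VALID_ROLES = {"Admin", "Editor", "Viewer"}
# Assumed fixed clock so the expiry check gives the same answer every run.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed input: the resources from this page as parsed dicts.
GRAFANA = {"kind": "Grafana",
           "metadata": {"name": "my-grafana", "namespace": "default"}}
SERVICE_ACCOUNT = {
    "kind": "GrafanaServiceAccount",
    "metadata": {"name": "my-service-account", "namespace": "default"},
    "spec": {
        "name": "my-service-account",
        "instanceName": "my-grafana",
        "role": "Admin",
        "isDisabled": False,
        "tokens": [
            {"name": "my-token-a", "secretName": "thatsfine",
             "expires": "2029-12-31T14:00:00+02:00"},
            {"name": "my-token-b"},  # no expires: the token never rotates on its own
        ],
    },
}
SECRET_A = {"kind": "Secret",
            "metadata": {"name": "thatsfine", "namespace": "default"},
            "data": {"token": "Z2xzYV9GdXllSHk3V2Y0MjExbFNIRkpReTRPczljMnFtaUZZVl9iZDliYzk5YQ=="}}


def lint_service_account(sa, grafanas, now=FIXED_NOW):
    """Return (errors, warnings). Errors mean the operator will not match an
    instance or the spec is malformed; warnings flag a grant that is broader
    or longer-lived than a token usually needs (this example's policy)."""
    errors, warnings = [], []
    ns = sa["metadata"].get("namespace", "default")
    spec = sa.get("spec", {})

    # Page rule: instanceName must equal metadata.name of a Grafana resource
    # in the same namespace. A Grafana in another namespace never matches.
    instance = spec.get("instanceName")
    if not any(g["metadata"]["name"] == instance
               and g["metadata"].get("namespace", "default") == ns
               for g in grafanas):
        errors.append(f"instanceName {instance!r}: no Grafana in namespace {ns!r}")

    role = spec.get("role")
    if role not in VALID_ROLES:
        errors.append(f"role {role!r}: expected one of {sorted(VALID_ROLES)}")

    seen = set()
    for tok in spec.get("tokens", []):
        name = tok.get("name")
        if not name or name in seen:
            errors.append(f"token name {name!r} is missing or duplicated")
        seen.add(name)
        expires = tok.get("expires")
        if expires is None:
            if role == "Admin":
                warnings.append(f"token {name!r}: Admin role with no expires")
            continue
        # yaml.safe_load turns an unquoted timestamp into a datetime already;
        # a quoted one arrives as a string and must parse as RFC 3339.
        try:
            exp = expires if isinstance(expires, datetime) else datetime.fromisoformat(str(expires))
        except ValueError:
            errors.append(f"token {name!r}: expires {expires!r} is not RFC 3339")
            continue
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            errors.append(f"token {name!r}: expires {expires} is in the past")
    return errors, warnings


def token_from_secret(secret):
    """Decode .data.token from a Secret written by the operator and check it
    carries the glsa_ prefix Grafana uses for service account tokens."""
    token = base64.b64decode(secret["data"]["token"]).decode("ascii")
    if not token.startswith("glsa_"):
        raise ValueError("not a Grafana service account token")
    return token


if __name__ == "__main__":
    errs, warns = lint_service_account(SERVICE_ACCOUNT, [GRAFANA])
    print("errors:", errs)
    print("warnings:", warns)
    print("token:", token_from_secret(SECRET_A))
```

Run against the page's manifests this reports no errors and one warning, for my-token-b, which is an Admin token with no expiry. Moving the same SA into another namespace, with the Grafana left in default, produces the no-match error the page's namespace rule predicts.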
For all possible configuration options, take a look at the API reference.