ingress for monitoring

.github/workflows/deploy.yml

@@ -79,10 +79,18 @@ jobs:
         if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
         run: |
           kubectl create namespace monitoring --dry-run=client -o yaml | kubectl apply -f -
+      
+      - name: Create Grafana OAuth secret
+        if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+        run: |
+          kubectl create secret generic grafana-oauth-secret \
+            -n monitoring \
+            --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${{ secrets.GRAFANA_CLIENT_SECRET }}" \
+            --dry-run=client -o yaml | kubectl apply -f -
+      
       - name: Create oauth2-proxy secrets
         if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
         run: |
-
           kubectl create secret generic oauth2-proxy-prometheus \
             -n monitoring \
             --from-literal=client-id=prometheus \

helm/monitoring/values.yaml

@@ -1,6 +1,8 @@
 grafana:
   enabled: true
 
+  envFromSecret: grafana-oauth-secret
+
   grafana.ini:
     server:
       root_url: http://grafana.13.140.150.2.nip.io
@@ -14,7 +16,7 @@ grafana:
       name: Keycloak
       allow_sign_up: true
       client_id: grafana
-      client_secret: kvULFcvaeWLYzivg1eJFYT9s0Nj674Qr
+      client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
       scopes: openid email profile
       auth_url: http://keycloak.13.140.150.2.nip.io/auth/realms/airflow-realm/protocol/openid-connect/auth
       token_url: http://keycloak.13.140.150.2.nip.io/auth/realms/airflow-realm/protocol/openid-connect/token