
Grafana permissions as IaC with Helm


I'm posting this question because I haven't been able to find any documentation on this. Although it looks like it's possible to set up, I could use some help from you guys.

We have Grafana set up with Helm in our Kubernetes cluster. All new dashboards are also added with Helm via a ConfigMap with the JSON in it and applied via GitLab CI/CD. Until now the whole team accessed Grafana with the admin user, but now we want to create specific users with the viewer role and we want them to be able to see just some of the dashboards. We can achieve this by editing each dashboard's permissions via the UI. The problem is that, for some reason, the permissions for the dashboards are not persistent, and so every time the pod is recreated I have to manually reset the permissions for our 20+ dashboards. I am looking for a way to set these permissions via Helm.

I know these permissions can't be set up directly on the ConfigMap's JSON, but can't see where to set them. From this question I can see that there is a way to set them if all the dashboards are defined in values.yaml but this is not our case, since we are using a dashboard provider to create the dashboard.

I know there's an API for Grafana but we can't use this because we need everything to be set up via Helm.

Any help will be very welcome!!

Our existing dashboard provider has this configuration:

apiVersion: 1
providers:
  - name: 'sidecarProvider'
    orgId: 1
    folder: ''
    type: file
    disableDeletion: false
    allowUiUpdates: false
    updateIntervalSeconds: 30
    options:
      foldersFromFilesStructure: false
      path: /tmp/dashboards

Solution

  • If you are looking for IaC with Terraform: I've been looking for something similar, and I've found a Grafana Terraform provider that can be useful for this, particularly the user resource

    If you are looking to only use Helm, you could take advantage of the extraInitContainers field and do something like

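    grafana:
      extraInitContainers:
        - name: init-create-user
          image: your-custom-image-with-curl-and-jq
          command:
            - /bin/sh
            - -c
            - |
              #!/bin/sh

              # Replace with your Grafana URL; it must already be serving when this init container runs
              GRAFANA_URL="http://grafana:3000"
              # /api/admin/users only accepts basic auth from a Grafana server admin, not an API key.
              # Placeholders: inject the real values from a Kubernetes Secret, not from values.yaml.
              ADMIN_USER="your-admin-user"
              ADMIN_PASSWORD="your-admin-password"

              USERNAME="new_viewer_user"
              PASSWORD="password123"  # Placeholder
              ORG_ID=1  # The organization ID where you want to create the user
              VIEWER_ROLE_ID=Viewer  # The role name for the "Viewer" role

              # Create the user (the email is a placeholder address)
              USER_ID=$(curl -s -X POST \
                  -u "$ADMIN_USER:$ADMIN_PASSWORD" \
                  -H "Content-Type: application/json" \
                  -d "{\"name\":\"$USERNAME\",\"email\":\"${USERNAME}@example.com\",\"login\":\"$USERNAME\",\"password\":\"$PASSWORD\"}" \
                  "$GRAFANA_URL/api/admin/users" | jq -r '.id')

              # Skip the role change when no user ID came back (for example, the user already exists)
              if [ -z "$USER_ID" ] || [ "$USER_ID" = "null" ]; then
                echo "user was not created; skipping role assignment" >&2
                exit 0
              fi

              # Assign the "Viewer" role to the user in the specified organization
              curl -s -X PATCH \
                  -u "$ADMIN_USER:$ADMIN_PASSWORD" \
                  -H "Content-Type: application/json" \
                  -d "{\"role\":\"$VIEWER_ROLE_ID\"}" \
                  "$GRAFANA_URL/api/orgs/$ORG_ID/users/$USER_ID"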
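
The script in the answer creates a user but does not set the per-dashboard permissions the question asks about. The following is an added example, not part of the original answer, that applies a view-only permission list through Grafana's dashboard permissions endpoint; the environment variable names and the helpers `valid_dash_uid`, `build_acl` and `apply_acl` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed inputs (all hypothetical
# names): GRAFANA_URL, GRAFANA_TOKEN (an Admin-role service account token,
# mounted from a Kubernetes Secret), DASHBOARD_UIDS and VIEWER_USER_IDS
# (space-separated lists).

# Accept only characters Grafana allows in a dashboard UID, so a value from
# configuration can never alter the request path.
valid_dash_uid() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 40 ]
}

# Print the JSON body granting View (permission 1; 2 = Edit, 4 = Admin)
# to each numeric user ID given as an argument.
build_acl() {
  items=""
  for id in "$@"; do
    case "$id" in
      ''|*[!0-9]*) echo "invalid user id: $id" >&2; return 1 ;;
    esac
    items="${items:+$items,}{\"userId\":$id,\"permission\":1}"
  done
  printf '{"items":[%s]}' "$items"
}

# $1 = dashboard UID, remaining arguments = user IDs.
apply_acl() {
  dash="$1"; shift
  valid_dash_uid "$dash" || { echo "invalid dashboard uid: $dash" >&2; return 1; }
  body=$(build_acl "$@") || return 1
  # The token reaches curl through a config read from stdin, so it never
  # appears in the process list.
  printf 'header = "Authorization: Bearer %s"\n' "$GRAFANA_TOKEN" |
    curl -fsS -K - -X POST -H "Content-Type: application/json" \
      -d "$body" "$GRAFANA_URL/api/dashboards/uid/$dash/permissions"
}

# Runs only when the deployment supplies an address and a token.
if [ -n "${GRAFANA_URL:-}" ] && [ -n "${GRAFANA_TOKEN:-}" ]; then
  for dash in ${DASHBOARD_UIDS:-}; do
    apply_acl "$dash" ${VIEWER_USER_IDS:-} || exit 1
  done
fi
```

A POST to this endpoint replaces the dashboard's whole permission list, so the same call can be repeated after every pod recreation and entries not listed are removed.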