feat(helm): add secretRef support for grafana-mcp

TOMOFUMI-KONDO · TOMOFUMI-KONDO · commit 980b03ce2ec2 · 2026-01-15T21:29:10.000+09:00
Add the ability to reference an existing Secret for grafana-mcp authentication instead of having the chart create new one.

This update improves security because it enables not to expose sensitive credentials in values file or `--set` option of helm cli or argocd application.

Added `secretRef` field to both `helm/kagent/values.yaml` and `helm/tools/grafana-mcp/values.yaml` to allow users to specify an existing Secret name containing `GRAFANA_SERVICE_ACCOUNT_TOKEN` or `GRAFANA_API_KEY`.

Modified `helm/tools/grafana-mcp/templates/secret.yaml` to create a Secret only when `serviceAccountToken` or `apiKey` is provided. This prevents creating an empty Secret when using `secretRef`.

And also updated `helm/tools/grafana-mcp/templates/deployment.yaml` to reference the Secret specified by `secretRef` if provided, otherwise fall back to the chart-generated Secret name.

If no `apiKey` and `serviceAccountToken` are passed, and no `secretRef` is specified, Secret for grafana-mcp-server is not created and reference with it in deployment disappers to prevent deployment creation failure.

Signed-off-by: TOMOFUMI-KONDO &lt;ugax2kontomo0314@gmail.com&gt;
diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml
@@ -349,7 +349,9 @@ tools:
 grafana-mcp:
   grafana:
     url: "grafana.kagent:3000/api"
-    apiKey: "-"
+    serviceAccountToken: ""
+    # apiKey: "" # Deprecated - use serviceAccountToken instead.
+    # secretRef: ""  # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)
   resources:
     requests:
       cpu: 100m
diff --git a/helm/tools/grafana-mcp/templates/deployment.yaml b/helm/tools/grafana-mcp/templates/deployment.yaml
@@ -48,8 +48,10 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "grafana-mcp.fullname" . }}
+            {{- if or .Values.grafana.secretRef .Values.grafana.serviceAccountToken .Values.grafana.apiKey }}
             - secretRef:
-                name: {{ include "grafana-mcp.fullname" . }}
+                name: {{ .Values.grafana.secretRef | default (include "grafana-mcp.fullname" .) | quote }}
+            {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}
diff --git a/helm/tools/grafana-mcp/templates/secret.yaml b/helm/tools/grafana-mcp/templates/secret.yaml
@@ -1,7 +1,8 @@
+{{- if or .Values.grafana.serviceAccountToken .Values.grafana.apiKey }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "grafana-mcp.fullname" . }}
+  name: {{ .Values.grafana.secretRef | default (include "grafana-mcp.fullname" .) | quote }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "grafana-mcp.labels" . | nindent 4 }}
@@ -13,3 +14,4 @@ data:
   {{- if and .Values.grafana.apiKey (not .Values.grafana.serviceAccountToken) }}
   GRAFANA_API_KEY: {{ .Values.grafana.apiKey | b64enc }}
   {{- end }}
+{{- end }}
diff --git a/helm/tools/grafana-mcp/values.yaml b/helm/tools/grafana-mcp/values.yaml
@@ -3,7 +3,8 @@ replicas: 1
 grafana:
   url: "grafana.kagent:3000/api"
   serviceAccountToken: ""
-  apiKey: "" # Deprecated - use serviceAccountToken instead.
+  # apiKey: "" # Deprecated - use serviceAccountToken instead.
+  # secretRef: ""  # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)
 
 image:
   registry: mcp
