feat(helm): add secretRef support for grafana-mcp

[TOMOFUMI-KONDO]

Hello. Thank you for all your mantaining this project.

Overview

Add the ability to reference an existing Secret for grafana-mcp authentication instead of having the chart create new one.

This update improves security because it enables not to expose sensitive credentials in values file or --set option of helm cli or argocd application.

Changes

Add secretRef option to values.yaml

Added secretRef field to both helm/kagent/values.yaml and helm/tools/grafana-mcp/values.yaml to allow users to specify an existing Secret name containing GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY.

Conditionally create Secret and refer it from deployment

Modified helm/tools/grafana-mcp/templates/secret.yaml to create a Secret only when serviceAccountToken or apiKey is provided. This prevents creating an empty Secret when using secretRef.

And also updated helm/tools/grafana-mcp/templates/deployment.yaml to reference the Secret specified by secretRef if provided, otherwise fall back to the chart-generated Secret name.

Behavior change Matrix

Parameter Combination	Before	After
1. Set only serviceAccountToken	Secret created with GRAFANA_SERVICE_ACCOUNT_TOKEN	No change
2. Set only apiKey	Secret created with GRAFANA_API_KEY	No change
3. Set only secretRef	N/A	(recommended) Secret resource not created, existing Secret specified by value is used via envFrom.secretRef
4. Set both of secretRef and serviceAccountToken (or apiKey)	N/A	(unintended misuse) Secret specified by secretRef is referenced from Deployment
5. Default values	Empty Secret creaetd and referenced from Deployment	No change

Remarks

• Existing Secret reference method is carried out with respect for kagent modelconfig-secret pattern.

[Copilot]

Pull request overview

This PR adds support for referencing existing Secrets in the grafana-mcp Helm chart, improving security by allowing users to manage authentication credentials externally rather than exposing them in values files or CLI arguments.

Changes:

• Added secretRef configuration option to allow referencing pre-existing Secrets containing Grafana credentials
• Modified Secret template to conditionally create Secrets only when credentials are directly provided
• Updated deployment template to use either the referenced Secret or the chart-generated Secret name

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
helm/tools/grafana-mcp/values.yaml	Added commented secretRef field and commented out deprecated apiKey field
helm/tools/grafana-mcp/templates/secret.yaml	Added conditional creation of Secret and support for custom Secret names via secretRef
helm/tools/grafana-mcp/templates/deployment.yaml	Added conditional Secret reference in deployment based on credential configuration
helm/kagent/values.yaml	Updated default values to use serviceAccountToken instead of apiKey and added secretRef option

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When secretRef is provided, this template creates a Secret with that name, which could overwrite an existing Secret the user intended to reference. The Secret should only be created with the chart-generated name. If secretRef is specified, this Secret resource should not be created at all.

[TOMOFUMI-KONDO]

secretRef is used in deployment to refer this secret. If secretRef is specified with serviceAccountToken or apiKey, which is unintended misuse, deployment will refer unexisting Secret. To prevent such a trouble, I also setsecretRef to Secret resource.

[EItanya]

So I approved, but I actually do agree with this comment. I agree that the secret should be optionally created, but we need to make sure that the name of this is consistent, this line should be reverted

[TOMOFUMI-KONDO]

I was worried too much about the pattern of setting together the secretRef and either the serviceAccountToken or the apiKey . However, this is a misuse and does not need to be cared for so much.

I simply kept a consistent secret name.

[TOMOFUMI-KONDO]

@EItanya @ilackarms @yuval-k

Hi, just a gentle reminder about this PR.
When you have time, could you please take a look?
Thanks.

[EItanya]

So I actually read through the template changes and I think they need a couple of minor changes

[EItanya]

So I approved, but I actually do agree with this comment. I agree that the secret should be optionally created, but we need to make sure that the name of this is consistent, this line should be reverted

[EItanya]

Isn't this always true? If one of these isn't true than the config is invalid anyway?

[TOMOFUMI-KONDO]

Yes, you are right.
There should always be a secret with some credentials.
This if statement is unnecessary.

[TOMOFUMI-KONDO]

@EItanya
Thank you very much for your review! I have updated the implementation based on your feedback.
Could you please review it again when you have a moment?

[EItanya]

i've rerun the tests just in case, but i think the failure was real

[TOMOFUMI-KONDO]

@EItanya

i've rerun the tests just in case, but i think the failure was real

The issue was that the Secret referenced from Deployment does not exist.
I updated the Secret template so that it would be created if secretRef is not provided, and I confirmed that the test passes.