grafana
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/v1beta1/grafana_types.go
Lines changed: 108 additions & 19 deletions b/‎api/v1beta1/grafana_types.go
Lines changed: 108 additions & 19 deletions
diff --git a/‎api/v1beta1/zz_generated.deepcopy.go
Lines changed: 110 additions & 0 deletions b/‎api/v1beta1/zz_generated.deepcopy.go
Lines changed: 110 additions & 0 deletions
@@ -26,6 +26,7 @@ vendor
 *~
 
 .vscode/
+.mirrord/
 .DS_Store
 
 # Audit lab
 
@@ -26,15 +26,16 @@ type OperatorStageName string
 type OperatorStageStatus string
 
 const (
-	OperatorStageGrafanaConfig  OperatorStageName = "config"
-	OperatorStageAdminUser      OperatorStageName = "admin user"
-	OperatorStagePvc            OperatorStageName = "pvc"
-	OperatorStageServiceAccount OperatorStageName = "service account"
-	OperatorStageService        OperatorStageName = "service"
-	OperatorStageIngress        OperatorStageName = "ingress"
-	OperatorStagePlugins        OperatorStageName = "plugins"
-	OperatorStageDeployment     OperatorStageName = "deployment"
-	OperatorStageComplete       OperatorStageName = "complete"
+	OperatorStageGrafanaConfig          OperatorStageName = "config"
+	OperatorStageAdminUser              OperatorStageName = "admin user"
+	OperatorStagePvc                    OperatorStageName = "pvc"
+	OperatorStageServiceAccount         OperatorStageName = "service account"
+	OperatorStageService                OperatorStageName = "service"
+	OperatorStageIngress                OperatorStageName = "ingress"
+	OperatorStagePlugins                OperatorStageName = "plugins"
+	OperatorStageDeployment             OperatorStageName = "deployment"
+	OperatorStageGrafanaServiceAccounts OperatorStageName = "grafana service-accounts"
+	OperatorStageComplete               OperatorStageName = "complete"
 )
 
 const (
@@ -52,6 +53,64 @@ type OperatorReconcileVars struct {
 	Plugins string
 }
 
+// GrafanaServiceAccountTokenSpec describes a token to create.
+type GrafanaServiceAccountTokenSpec struct {
+	// Name is the name of the Kubernetes Secret (and token identifier in Grafana). The secret will contain the token value.
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// Expires is the optional expiration time for the token. After this time, the operator may rotate the token.
+	// +kubebuilder:validation:Optional
+	Expires *metav1.Time `json:"expires,omitempty"`
+}
+
+// GrafanaServiceAccountPermissionSpec defines a permission grant for a user or team.
+// +kubebuilder:validation:XValidation:rule="(has(self.user) && self.user != '') || (has(self.team) && self.team != '')",message="one of user or team must be set"
+// +kubebuilder:validation:XValidation:rule="!((has(self.user) && self.user != '') && (has(self.team) && self.team != ''))",message="user and team cannot both be set"
+type GrafanaServiceAccountPermissionSpec struct {
+	// User login or email to grant permissions to (optional).
+	// +kubebuilder:validation:Optional
+	User string `json:"user,omitempty"`
+
+	// Team name to grant permissions to (optional).
+	// +kubebuilder:validation:Optional
+	Team string `json:"team,omitempty"`
+
+	// Permission level: Edit or Admin.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=Edit;Admin
+	Permission string `json:"permission"`
+}
+
+// GrafanaServiceAccountSpec defines the desired state of a GrafanaServiceAccount.
+type GrafanaServiceAccountSpec struct {
+	// Name is the desired name of the service account in Grafana.
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// Role is the Grafana role for the service account (Viewer, Editor, Admin).
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=Viewer;Editor;Admin
+	Role string `json:"role"`
+
+	// IsDisabled indicates if the service account should be disabled in Grafana.
+	// +kubebuilder:validation:Optional
+	IsDisabled bool `json:"isDisabled,omitempty"`
+
+	// Tokens defines API tokens to create for this service account. Each token will be stored in a Kubernetes Secret with the given name.
+	// +kubebuilder:validation:Optional
+	Tokens []GrafanaServiceAccountTokenSpec `json:"tokens,omitempty"`
+
+	// Permissions specifies additional Grafana permission grants for existing users or teams on this service account.
+	// +kubebuilder:validation:Optional
+	Permissions []GrafanaServiceAccountPermissionSpec `json:"permissions,omitempty"`
+
+	// GenerateTokenSecret, if true, will create one default API token in a Secret if no Tokens are specified.
+	// If false, no token is created unless explicitly listed in Tokens.
+	// +kubebuilder:default=true
+	GenerateTokenSecret bool `json:"generateTokenSecret,omitempty"`
+}
+
 // GrafanaSpec defines the desired state of Grafana
 type GrafanaSpec struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
@@ -80,6 +139,8 @@ type GrafanaSpec struct {
 	Preferences *GrafanaPreferences `json:"preferences,omitempty"`
 	// DisableDefaultAdminSecret prevents operator from creating default admin-credentials secret
 	DisableDefaultAdminSecret bool `json:"disableDefaultAdminSecret,omitempty"`
+	// Grafana Service Accounts
+	GrafanaServiceAccounts []GrafanaServiceAccountSpec `json:"grafanaServiceAccounts,omitempty"`
 }
 
 type External struct {
@@ -131,18 +192,45 @@ type GrafanaPreferences struct {
 	HomeDashboardUID string `json:"homeDashboardUid,omitempty"`
 }
 
+// GrafanaServiceAccountTokenStatus describes a token created in Grafana.
+type GrafanaServiceAccountTokenStatus struct {
+	// Name is the name of the Kubernetes Secret. The secret will contain the token value.
+	Name string `json:"name"`
+
+	// ID is the Grafana-assigned ID of the token.
+	ID int64 `json:"tokenId"`
+
+	// SecretName is the name of the Kubernetes Secret that stores the actual token value.
+	// This may seem redundant if the Secret name usually matches the token's Name,
+	// but it's stored explicitly in Status for clarity and future flexibility.
+	SecretName string `json:"secretName"`
+}
+
+// GrafanaServiceAccountStatus holds status for one Grafana instance.
+type GrafanaServiceAccountStatus struct {
+	// Name is the name of the service account in Grafana.
+	Name string `json:"name"`
+
+	// ID is the numeric ID of the service account in this Grafana.
+	ID int64 `json:"serviceAccountID"`
+
+	// Tokens is the status of tokens for this service account in Grafana.
+	Tokens []GrafanaServiceAccountTokenStatus `json:"tokens,omitempty"`
+}
+
 // GrafanaStatus defines the observed state of Grafana
 type GrafanaStatus struct {
-	Stage         OperatorStageName      `json:"stage,omitempty"`
-	StageStatus   OperatorStageStatus    `json:"stageStatus,omitempty"`
-	LastMessage   string                 `json:"lastMessage,omitempty"`
-	AdminURL      string                 `json:"adminUrl,omitempty"`
-	ContactPoints NamespacedResourceList `json:"contactPoints,omitempty"`
-	Dashboards    NamespacedResourceList `json:"dashboards,omitempty"`
-	Datasources   NamespacedResourceList `json:"datasources,omitempty"`
-	Folders       NamespacedResourceList `json:"folders,omitempty"`
-	LibraryPanels NamespacedResourceList `json:"libraryPanels,omitempty"`
-	Version       string                 `json:"version,omitempty"`
+	Stage                  OperatorStageName             `json:"stage,omitempty"`
+	StageStatus            OperatorStageStatus           `json:"stageStatus,omitempty"`
+	LastMessage            string                        `json:"lastMessage,omitempty"`
+	AdminURL               string                        `json:"adminUrl,omitempty"`
+	ContactPoints          NamespacedResourceList        `json:"contactPoints,omitempty"`
+	Dashboards             NamespacedResourceList        `json:"dashboards,omitempty"`
+	Datasources            NamespacedResourceList        `json:"datasources,omitempty"`
+	Folders                NamespacedResourceList        `json:"folders,omitempty"`
+	LibraryPanels          NamespacedResourceList        `json:"libraryPanels,omitempty"`
+	GrafanaServiceAccounts []GrafanaServiceAccountStatus `json:"serviceAccounts,omitempty"`
+	Version                string                        `json:"version,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -153,6 +241,7 @@ type GrafanaStatus struct {
 // +kubebuilder:printcolumn:name="Stage",type="string",JSONPath=".status.stage",description=""
 // +kubebuilder:printcolumn:name="Stage status",type="string",JSONPath=".status.stageStatus",description=""
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="ServiceAccounts",type=string,JSONPath=`.status.serviceAccounts[*].name`
 // +kubebuilder:resource:categories={grafana-operator}
 type Grafana struct {
 	metav1.TypeMeta   `json:",inline"`