Manage Grafana Service Accounts from the Grafana CR #2055

Open · wants to merge 1 commit into base: master

Conversation

@ndk ndk commented Jun 23, 2025

#1469 · feat: declarative Grafana Service Account management

Design proposal: #003


Why

The Grafana Operator lets you manage Grafana through Kubernetes CRs, but service accounts were still a manual step (GUI or HTTP API). This PR lets you declare SAs in the Grafana CR so the operator can:

  • Manage service accounts in Grafana
  • Generate API tokens
  • Store each token in a Kubernetes Secret
  • Clean everything up when the CR changes or is removed

What's inside

  • New field spec.grafanaServiceAccounts in the Grafana CR.
  • GrafanaServiceAccountReconciler runs after Grafana is ready.
  • Full managing flow for service accounts, tokens, and secrets.
  • Operator records managed items in status.serviceAccounts and exposes conditions.
  • Chainsaw e2e: tests/e2e/grafanaserviceaccount/chainsaw-test.yaml.

Design notes

  • Grafana's API has no labels, so we track ownership only via status.serviceAccounts. User‑managed SAs are never touched.
  • Controllers patch the CR's status (no full updates) to lower conflict risk.
  • The SA reconciler reads the live CR (not the cached client) to avoid stale reads during fast test loops (WATCH gap issue). This is worth paying close attention to because even though it's a valid way, it seems like "the last resort".

Out of scope (for now)

  • Multi‑org support. All calls target the default Grafana org.
  • Cross‑namespace Secret writes.
  • Automatic token rotation (expires) and Enterprise‑only permission rules.
  • Permissions (it's an Enterprise/Cloud only thing).

Known limitations

  • If the controller creates an SA but crashes before patching status, the next run will try to create the SA again and hit a 409 conflict.
  • Status patching reduces write conflicts, but doesn't eliminate them. Using a single-responsibility approach and/or SSA is a possible future improvement.
  • Token secrets are always written to the Grafana namespace.

TODO

CR example

apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: mygrafana
spec:
  grafanaServiceAccounts:
    accounts:
    - id: myaccount
      name: myaccount
      role: Viewer
      isDisabled: false
      tokens:
      - name: tokena
      - name: tokenb
    - id: myaccount2
      name: myaccount2
      role: Admin
      isDisabled: true
      tokens:
      - name: tokenc
        expires: "2025-12-31T23:59:59Z"
      - name: tokend
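As an added illustration of the ownership-tracking design described above (not code from this PR or from grafana-operator): a simplified reconcile loop against a constructed in-memory Grafana stub. DesiredSA, FakeGrafana and Reconcile are hypothetical names; the real operator talks to the Grafana HTTP API and patches status.serviceAccounts on the CR.

```go
package main

import "fmt"

// DesiredSA is one entry of spec.grafanaServiceAccounts.accounts; tokens are left out.
type DesiredSA struct{ ID, Name, Role string }
// FakeGrafana is a constructed, in-memory stand-in for Grafana's service account
// API. Like the real API it has no labels, so nothing here records who created an SA.
type FakeGrafana struct {
	next int
	byID map[int]string // Grafana SA id -> name
}

// Create mimics the API rejecting a duplicate name with HTTP 409.
func (g *FakeGrafana) Create(name string) (int, error) {
	for _, n := range g.byID {
		if n == name {
			return 0, fmt.Errorf("409 conflict: service account %q exists", name)
		}
	}
	g.next++
	g.byID[g.next] = name
	return g.next, nil
}

func (g *FakeGrafana) Delete(id int) { delete(g.byID, id) }
// Reconcile aligns Grafana with spec. status (spec id -> Grafana id) is the only
// ownership record: only SAs listed there are ever deleted, so user-managed SAs stay
// untouched. Losing a record between Create and the status patch reproduces the 409.
func Reconcile(g *FakeGrafana, spec []DesiredSA, status map[string]int) error {
	desired := map[string]bool{}
	for _, sa := range spec {
		desired[sa.ID] = true
		if _, tracked := status[sa.ID]; tracked {
			continue
		}
		gid, err := g.Create(sa.Name)
		if err != nil {
			return err
		}
		status[sa.ID] = gid // the operator patches this into status.serviceAccounts
	}
	for specID, gid := range status {
		if !desired[specID] {
			g.Delete(gid)
			delete(status, specID)
		}
	}
	return nil
}
```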

@github-actions github-actions bot added documentation Issues relating to documentation, missing, non-clear etc. feature this PR introduces a new feature labels Jun 23, 2025
@ndk ndk force-pushed the feat_grafana_sa_opt_step branch from fd7d611 to 6c1edf9 Compare June 23, 2025 07:20