From d879d2a368a644dc8b9759050f89a9b77e4bece4 Mon Sep 17 00:00:00 2001
From: Matthias Hinrichs
Date: Fri, 16 Jan 2026 11:45:21 +0100
Subject: [PATCH] =?UTF-8?q?F=C3=BCge=20OAuth-Client-Secret=20f=C3=BCr=20Gr?= =?UTF-8?q?afana=20hinzu=20und=20erstelle=20PhaseSecret=20f=C3=BCr=20gehei?= =?UTF-8?q?me=20Daten?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../templates/kube-prometheus-stack.yaml | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml b/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml
index b47fb73..e5db9a1 100644
--- a/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml
+++ b/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml
@@ -17,6 +17,11 @@ spec:
 helm:
 values: |
 grafana:
+ envValueFrom:
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
+ secretKeyRef:
+ name: kube-prometheus-secret
+ key: GENERIC_OAUTH_CLIENT_SECRET
 grafana.ini:
 server:
 root_url: https://grafana.k8s.hnrx.net
@@ -26,7 +31,6 @@ spec:
 allow_sign_up: true
 auto_login: false # Auf true setzen, wenn das Standard-Login-Formular übersprungen werden soll
 client_id: "4JtTfw2apna4ZnnXgPH6mnDfLCPoW6qy5fXiC03z"
- client_secret: "MI7Fsw22Fl6ruiOhG3Z55F1QhuMoQKzF2GR3qGO3x41encrmubcGeqJc0JpQIKEFiVIUiNXQkQU0FGiaTshEZx5HK8qzPBMz8VbR2gGmcNy7szHkTrBfNsosHDFndvWi" # Am besten via Secret einbinden (siehe unten)
 scopes: "openid profile email"
 auth_url: "https://auth.hnrx.net/application/o/authorize/"
 token_url: "https://auth.hnrx.net/application/o/token/"
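Review bot: The value that `kube-prometheus-secret` delivers under `GENERIC_OAUTH_CLIENT_SECRET` has to be a newly issued client secret, because the literal removed in the second hunk stays readable in the repository history and in this patch. Rotate the client at the identity provider before populating the Phase entry and treat the old value as compromised. The `secretKeyRef` in the added `envValueFrom` block has no `optional` flag, so the Grafana pod will not start until the synced Secret exists in its namespace; that fail-closed behaviour is worth keeping and stating in a comment such as `# Secret is synced by the PhaseSecret in this file; pod start blocks until it exists`. The namespace Grafana is deployed to is not visible in this hunk, so confirm it is `kube-prometheus-stack`, where the PhaseSecret writes its managed Secret.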
@@ -126,4 +130,23 @@ spec:
 value: /
 backendRefs:
 - name: alertmanager-operated
- port: 9093
\ No newline at end of file
+ port: 9093
+---
+apiVersion: secrets.phase.dev/v1alpha1
+kind: PhaseSecret
+metadata:
+ name: kube-prometheus-secret
+ namespace: kube-prometheus-stack
+spec:
+ phaseApp: 'prometheus-stack' # The name of your Phase application
+ phaseAppEnv: 'production' # OPTIONAL - The Phase App Environment to fetch secrets from
+ phaseAppEnvPath: '/' # OPTIONAL Path within the Phase application environment to fetch secrets from
+ phaseHost: 'https://phase.hnrx.net' # OPTIONAL - URL of a Phase Console instance
+ authentication:
+ serviceToken:
+ serviceTokenSecretReference:
+ secretName: 'phase-service-token' # Name of the Phase Service Token with access to your application
+ secretNamespace: 'default'
+ managedSecretReferences:
+ - secretName: 'kube-prometheus-secret' # Name of the Kubernetes managed secret that Phase will sync
+ secretNamespace: 'kube-prometheus-stack'
\ No newline at end of file
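Review bot: The service token is read from `secretNamespace: 'default'`, and `phaseAppEnvPath: '/'` syncs everything at the root of the production environment into `kube-prometheus-secret`, which is broader than the single key Grafana consumes. Any subject that can read Secrets in `default` obtains the token and, through it, whatever the token is scoped to in Phase; presumably a namespace that only the operator can read is a better home, e.g. `secretNamespace: '<operator-namespace>'` (placeholder). Narrowing the sync to a dedicated path, for example `phaseAppEnvPath: '/grafana'` (constructed example), keeps unrelated production secrets out of a Secret that workloads in `kube-prometheus-stack` can mount. The file also still ends without a trailing newline.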