I was trying to log in to Grafana deployed using https://prometheus-community.github.io/helm-charts using the credentials admin:admin but it was failing.
I found out the correct credentials to log in to Grafana from the secret grafana, which is admin:prom-operator
To see from where this value is getting injected to the secret I went to the template files and values.yaml files available at https://github.com/grafana/helm-charts/tree/main/charts/grafana
The secret file is written as:
{{- if or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret)) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "grafana.fullname" . }}
  namespace: {{ include "grafana.namespace" . }}
  labels:
    {{- include "grafana.labels" . | nindent 4 }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: Opaque
data:
  {{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }}
  admin-user: {{ .Values.adminUser | b64enc | quote }}
  {{- if .Values.adminPassword }}
  admin-password: {{ .Values.adminPassword | b64enc | quote }}
  {{- else }}
  admin-password: {{ include "grafana.password" . }}
  {{- end }}
  {{- end }}
  {{- if not .Values.ldap.existingSecret }}
  ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }}
  {{- end }}
{{- end }}
and part of the values.yaml file is written as
# Administrator credentials when not using an existing secret (see below)
adminUser: admin
# adminPassword: strongpassword
# Use an existing secret for the admin user.
admin:
  ## Name of the secret. Can be templated.
  existingSecret: ""
  userKey: admin-user
  passwordKey: admin-password
and the _helpers.tpl contains
{{/*
Looks if there's an existing secret and reuse its password. If not it generates
new password and use it.
*/}}
{{- define "grafana.password" -}}
{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) ) }}
{{- if $secret }}
{{- index $secret "data" "admin-password" }}
{{- else }}
{{- (randAlphaNum 40) | b64enc | quote }}
{{- end }}
{{- end }}
which looks to me like the admin-password value is coming from the secret as it's not a random alphanumeric. This seems like a loop to me. Could you please explain to me how the default password value prom-operator is getting injected to the secret in the key admin-password?
tl;dr: Value is set in kube-prometheus-stack values as grafana.adminPassword and passed to grafana subchart
kube-prometheus-stack uses the grafana chart as a dependency, so you have to take a look at both those values.yaml files.
In kube-prometheus-stack, there's a value for grafana.adminPassword set by default:
This is passed down to grafana where it's referenced as .Values.adminPassword (see https://helm.sh/docs/chart_template_guide/subcharts_and_globals/#overriding-values-from-a-parent-chart)
The grafana chart prefers this value over generating a random password with the helper block you listed. As it is passed from the parent chart kube-prometheus-stack and not empty, this value is used.
  {{- if .Values.adminPassword }}
  admin-password: {{ .Values.adminPassword | b64enc | quote }}
  {{- else }}
  admin-password: {{ include "grafana.password" . }}
  {{- end }}
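The resolution order described in this answer, modelled as an added Python example (not code from Helm, either chart, or either poster), with a check that flags a release still resolving to the chart default. The value dictionaries are constructed and hold only keys shown on this page, the function names are hypothetical, and `deep_merge` is a simplified stand-in for Helm's parent-over-subchart value merging.

```python
import base64
import copy
import secrets
import string

# Constructed sample values: only the keys this page discusses.
GRAFANA_DEFAULTS = {"adminUser": "admin", "adminPassword": None,
                    "admin": {"existingSecret": ""}, "env": {}}
# kube-prometheus-stack default, as reported on this page.
PARENT_VALUES = {"grafana": {"adminPassword": "prom-operator"}}

def deep_merge(base, override):
    """Return base with override layered on top (dicts merge, scalars replace)."""
    out = copy.deepcopy(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = val
    return out

def subchart_values(parent_values, sub_defaults, name="grafana"):
    """Values the subchart sees: its defaults overridden by the parent's `name:` block."""
    return deep_merge(sub_defaults, parent_values.get(name, {}))

def resolve_admin_password(values, existing_secret_data=None):
    """Mirror the branches of the secret template; return (source, plaintext or None)."""
    env = values.get("env", {})
    if (values["admin"]["existingSecret"] or env.get("GF_SECURITY_ADMIN_PASSWORD")
            or env.get("GF_SECURITY_ADMIN_PASSWORD__FILE")
            or env.get("GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION")):
        return ("not-rendered", None)  # the chart writes no admin-password key
    if values.get("adminPassword"):
        return ("values.adminPassword", values["adminPassword"])
    if existing_secret_data:  # the `lookup` branch: reuse the stored value
        stored = existing_secret_data["admin-password"]
        return ("existing-secret", base64.b64decode(stored).decode())
    alphabet = string.ascii_letters + string.digits
    return ("random", "".join(secrets.choice(alphabet) for _ in range(40)))

def uses_default_credential(values, known_default="prom-operator"):
    """True when the release would ship the publicly known chart default."""
    source, password = resolve_admin_password(values)
    return source == "values.adminPassword" and password == known_default

if __name__ == "__main__":
    vals = subchart_values(PARENT_VALUES, GRAFANA_DEFAULTS)
    print(resolve_admin_password(vals)[0], uses_default_credential(vals))
```

Setting `grafana.adminPassword` or `grafana.admin.existingSecret` in the parent chart's values moves the result out of the flagged branch.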