fix(Grafana): .spec.config.security.admin_* as fallback for external instances (#2092)

* fix(Grafana): Authenticate with .spec.config.security.admin_* as fallback

* test: Retrieving Grafana credentials from CR Spec

* chore: remove print statement

---------

Co-authored-by: Igor Beliakov <demtis.register@gmail.com>

Author: Baarsgaard

controllers/client/grafana_client.go

@@ -17,9 +17,42 @@ import (
 )
 
 type grafanaAdminCredentials struct {
-	username string
-	password string
-	apikey   string
+	adminUser     string
+	adminPassword string
+	apikey        string
+}
+
+func getExternalAdminUser(ctx context.Context, c client.Client, cr *v1beta1.Grafana) (string, error) {
+	switch {
+	case cr.Spec.External.AdminUser != nil:
+		adminUser, err := GetValueFromSecretKey(ctx, cr.Spec.External.AdminUser, c, cr.Namespace)
+		if err != nil {
+			return "", err
+		}
+
+		return string(adminUser), nil
+	case cr.Spec.Config["security"] != nil && cr.Spec.Config["security"]["admin_user"] != "":
+		return cr.Spec.Config["security"]["admin_user"], nil
+	default:
+		return "", fmt.Errorf("authentication undefined, set apiKey or userName for external instance: %s/%s", cr.Namespace, cr.Name)
+	}
+}
+
+func getExternalAdminPassword(ctx context.Context, c client.Client, cr *v1beta1.Grafana) (string, error) {
+	switch {
+	case cr.Spec.External.AdminPassword != nil:
+		adminPassword, err := GetValueFromSecretKey(ctx, cr.Spec.External.AdminPassword, c, cr.Namespace)
+		if err != nil {
+			return "", err
+		}
+
+		return string(adminPassword), nil
+	case cr.Spec.Config["security"] != nil && cr.Spec.Config["security"]["admin_password"] != "":
+		return cr.Spec.Config["security"]["admin_password"], nil
+	default:
+		// If username is defined, we can assume apiKey will not be used
+		return "", fmt.Errorf("password not set for external instance: %s/%s", cr.Namespace, cr.Name)
+	}
 }
 
 func getAdminCredentials(ctx context.Context, c client.Client, grafana *v1beta1.Grafana) (*grafanaAdminCredentials, error) {
@@ -38,20 +71,18 @@ func getAdminCredentials(ctx context.Context, c client.Client, grafana *v1beta1.
 			return credentials, nil
 		}
 
-		// rely on username and password otherwise
-		username, err := GetValueFromSecretKey(ctx, grafana.Spec.External.AdminUser, c, grafana.Namespace)
+		var err error
+
+		credentials.adminUser, err = getExternalAdminUser(ctx, c, grafana)
 		if err != nil {
 			return nil, err
 		}
 
-		password, err := GetValueFromSecretKey(ctx, grafana.Spec.External.AdminPassword, c, grafana.Namespace)
+		credentials.adminPassword, err = getExternalAdminPassword(ctx, c, grafana)
 		if err != nil {
 			return nil, err
 		}
 
-		credentials.username = string(username)
-		credentials.password = string(password)
-
 		return credentials, nil
 	}
 
@@ -70,7 +101,7 @@ func getAdminCredentials(ctx context.Context, c client.Client, grafana *v1beta1.
 		for _, env := range container.Env {
 			if env.Name == config.GrafanaAdminUserEnvVar {
 				if env.Value != "" {
-					credentials.username = env.Value
+					credentials.adminUser = env.Value
 					continue
 				}
 
@@ -81,14 +112,14 @@ func getAdminCredentials(ctx context.Context, c client.Client, grafana *v1beta1.
 							return nil, err
 						}
 
-						credentials.username = string(usernameFromSecret)
+						credentials.adminUser = string(usernameFromSecret)
 					}
 				}
 			}
 
 			if env.Name == config.GrafanaAdminPasswordEnvVar {
 				if env.Value != "" {
-					credentials.password = env.Value
+					credentials.adminPassword = env.Value
 					continue
 				}
 
@@ -99,7 +130,7 @@ func getAdminCredentials(ctx context.Context, c client.Client, grafana *v1beta1.
 							return nil, err
 						}
 
-						credentials.password = string(passwordFromSecret)
+						credentials.adminPassword = string(passwordFromSecret)
 					}
 				}
 			}
@@ -118,7 +149,7 @@ func InjectAuthHeaders(ctx context.Context, c client.Client, grafana *v1beta1.Gr
 	if creds.apikey != "" {
 		req.Header.Add("Authorization", "Bearer "+creds.apikey)
 	} else {
-		req.SetBasicAuth(creds.username, creds.password)
+		req.SetBasicAuth(creds.adminUser, creds.adminPassword)
 	}
 
 	return nil
@@ -185,8 +216,8 @@ func NewGeneratedGrafanaClient(ctx context.Context, c client.Client, grafana *v1
 			Timeout:   timeout * time.Second,
 		},
 	}
-	if credentials.username != "" {
-		cfg.BasicAuth = url.UserPassword(credentials.username, credentials.password)
+	if credentials.adminUser != "" {
+		cfg.BasicAuth = url.UserPassword(credentials.adminUser, credentials.adminPassword)
 	}
 
 	cl := genapi.NewHTTPClientWithConfig(nil, cfg)