[kube-prometheus-stack] Fix insecure default password in grafana (#5679)

Co-authored-by: Jan-Otto Kröpke <[email protected]>
Co-authored-by: Quentin Bisson <[email protected]>

Author: 3 people

charts/kube-prometheus-stack/Chart.yaml

@@ -31,7 +31,7 @@ name: kube-prometheus-stack
 sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
-version: 78.5.0
+version: 79.0.0
 # renovate: github=prometheus-operator/prometheus-operator
 appVersion: v0.86.1
 kubeVersion: ">=1.25.0-0"

charts/kube-prometheus-stack/UPGRADE.md

@@ -1,5 +1,10 @@
 # Upgrade
 
+## From 78.x to 79.x
+
+This version removes the default password for the grafana administrator, that in previous versions was set as `prom-operator`.
+For users that do not explicitly set an admin password, the value will now be generated randomly. Grafana offers detailed documentation on [how to read the default password](https://grafana.com/docs/grafana/latest/setup-grafana/installation/helm/#access-grafana) from the autogenerated kubernetes secret.
+
 ## From 77.x to 78.x
 
 This version upgrades Prometheus-Operator to v0.86.0

charts/kube-prometheus-stack/templates/NOTES.txt

@@ -10,4 +10,9 @@ Access Grafana local instance:
   export POD_NAME=$(kubectl --namespace {{ template "kube-prometheus-stack.namespace" . }} get pod -l "app.kubernetes.io/name={{ default "grafana" .Values.grafana.name }},app.kubernetes.io/instance={{ $.Release.Name }}" -oname)
   kubectl --namespace {{ template "kube-prometheus-stack.namespace" . }} port-forward $POD_NAME 3000
 
+Get your grafana admin user password by running:
+
+  kubectl get secret --namespace {{ .Values.grafana.namespaceOverride | default (include "kube-prometheus-stack.namespace" .) }} -l app.kubernetes.io/component=admin-secret -o jsonpath="{.items[0].data.{{ .Values.grafana.admin.passwordKey | default "admin-password" }}}" | base64 --decode ; echo
+
+
 Visit https://github.com/prometheus-operator/kube-prometheus for instructions on how to create & configure Alertmanager and Prometheus instances using the Operator.

charts/kube-prometheus-stack/values.yaml

@@ -1297,8 +1297,16 @@ grafana:
   ##
   defaultDashboardsInterval: 1m
 
+  # Administrator credentials when not using an existing secret (see below)
   adminUser: admin
-  adminPassword: prom-operator
+  # adminPassword: strongpassword
+
+  # Use an existing secret for the admin user.
+  admin:
+    ## Name of the secret. Can be templated.
+    existingSecret: ""
+    userKey: admin-user
+    passwordKey: admin-password
 
   rbac:
     ## If true, Grafana PSPs will be created