From e89d48c2a54c270f82d1a6aae1156e63e7514b49 Mon Sep 17 00:00:00 2001
From: Martin McCaffery
Date: Mon, 1 Jun 2026 13:16:37 +0100
Subject: [PATCH] Upgrade Grafana to 12.4.0 and add auth.jwt config for useKubeAuth
---
 .../grafana-operator/manifests/grafana.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/otc/observability.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/observability.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml
index 04191f9..8e186c2 100644
--- a/otc/observability.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/observability.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml
@@ -5,6 +5,7 @@ metadata:
 labels:
 dashboards: "grafana"
 spec:
+ version: "12.4.0"
 client:
 useKubeAuth: true
 persistentVolumeClaim:
@@ -39,6 +40,18 @@ spec:
 auth:
 disable_login: "true"
 disable_login_form: "true"
+ auth.jwt:
+ enabled: "true"
+ header_name: Authorization
+ username_claim: sub
+ email_claim: sub
+ auto_sign_up: "true"
+ role_attribute_strict: "true"
+ role_attribute_path: "contains(sub, 'system:serviceaccount:observability:grafana-operator') && 'GrafanaAdmin' || 'None'"
+ jwk_set_url: "https://kubernetes.default.svc:443/openid/v1/jwks"
+ jwk_set_bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ tls_client_ca: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ expect_claims: '{"aud": ["operator.grafana.com"]}'
 auth.generic_oauth:
 enabled: "true"
 name: Forgejo
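Review bot: The `role_attribute_path` added under `auth.jwt` uses `contains(sub, ...)`, which is a substring match. Any service account in the `observability` namespace whose name merely begins with `grafana-operator` would therefore also map to `GrafanaAdmin` when it presents a cluster-signed token with the expected audience. An exact comparison grants the role to one identity only: `role_attribute_path: "sub == 'system:serviceaccount:observability:grafana-operator' && 'GrafanaAdmin' || 'None'"`. Whether that subject is the operator's actual service account name is not visible in this patch, so it should be confirmed against the operator deployment. The enclosing config mapping starts and continues outside the hunk.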