monitoring: use python dedupe job

services/monitoring/grafana-user-dedupe-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: grafana-user-dedupe-api
+  name: grafana-user-dedupe-api-v2
   namespace: monitoring
   annotations:
     vault.hashicorp.com/agent-inject: "true"
@@ -20,14 +20,13 @@ spec:
       restartPolicy: Never
       containers:
         - name: dedupe
-          image: alpine:3.20
+          image: python:3.12-slim
           command:
             - /bin/sh
             - -c
           args:
             - |
               set -euo pipefail
-              apk add --no-cache curl jq
               . /vault/secrets/grafana-env.sh
               grafana_url="${GRAFANA_URL}"
               if [ -z "${grafana_url}" ]; then
@@ -42,17 +41,41 @@ spec:
                 echo "GRAFANA_DEDUPE_EMAILS is required"
                 exit 1
               fi
-              for email in $(echo "${GRAFANA_DEDUPE_EMAILS}" | tr ',' ' '); do
+              python - <<'PY'
-                user_id="$(curl -sf -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
+              import base64
-                  "${grafana_url}/api/users/lookup?loginOrEmail=${email}" | jq -r '.id // empty')"
+              import json
-                if [ -z "$user_id" ]; then
+              import os
-                  echo "no grafana user found for ${email}"
+              import urllib.parse
-                  continue
+              import urllib.request
-                fi
+
-                echo "deleting grafana user ${user_id} (${email})"
+              grafana_url = os.environ["GRAFANA_URL"].rstrip("/")
-                curl -sf -X DELETE -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
+              user = os.environ["GRAFANA_USER"]
-                  "${grafana_url}/api/admin/users/${user_id}"
+              password = os.environ["GRAFANA_PASSWORD"]
-              done
+              emails = [e.strip() for e in os.environ["GRAFANA_DEDUPE_EMAILS"].split(",") if e.strip()]
+
+              token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("utf-8")
+              headers = {"Authorization": f"Basic {token}"}
+
+              def request(method: str, url: str):
+                  req = urllib.request.Request(url, headers=headers, method=method)
+                  with urllib.request.urlopen(req, timeout=10) as resp:
+                      return resp.read()
+
+              for email in emails:
+                  lookup_url = f"{grafana_url}/api/users/lookup?loginOrEmail={urllib.parse.quote(email)}"
+                  try:
+                      payload = json.loads(request("GET", lookup_url))
+                  except Exception:
+                      print(f"no grafana user found for {email}")
+                      continue
+                  user_id = payload.get("id")
+                  if not user_id:
+                      print(f"no grafana user found for {email}")
+                      continue
+                  print(f"deleting grafana user {user_id} ({email})")
+                  delete_url = f"{grafana_url}/api/admin/users/{user_id}"
+                  request("DELETE", delete_url)
+              PY
               echo "done"
           env:
             - name: GRAFANA_URL