From a0caeb407c308e2d3a56a321d5bb2262b7ce6829 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 21 Jan 2026 12:11:28 -0300
Subject: [PATCH] monitoring: dedupe grafana user via api
---
 .../monitoring/grafana-user-dedupe-job.yaml | 44 ++++++++++++-------
 1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/services/monitoring/grafana-user-dedupe-job.yaml b/services/monitoring/grafana-user-dedupe-job.yaml
index b633a19..833eb70 100644
--- a/services/monitoring/grafana-user-dedupe-job.yaml
+++ b/services/monitoring/grafana-user-dedupe-job.yaml
@@ -2,8 +2,17 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: grafana-user-dedupe
+ name: grafana-user-dedupe-api
 namespace: monitoring
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "monitoring"
+ vault.hashicorp.com/agent-inject-secret-grafana-env.sh: "kv/data/atlas/monitoring/grafana-admin"
+ vault.hashicorp.com/agent-inject-template-grafana-env.sh: |
+ {{ with secret "kv/data/atlas/monitoring/grafana-admin" }}
+ export GRAFANA_USER="{{ index .Data.data "admin-user" }}"
+ export GRAFANA_PASSWORD="{{ index .Data.data "admin-password" }}"
+ {{ end }}
 spec:
 backoffLimit: 1
 template:
@@ -18,10 +27,15 @@ spec:
 args:
 - |
 set -euo pipefail
- apk add --no-cache sqlite
- db="/var/lib/grafana/grafana.db"
- if [ ! -f "$db" ]; then
- echo "grafana db not found at $db"
+ apk add --no-cache curl jq
+ . /vault/secrets/grafana-env.sh
+ grafana_url="${GRAFANA_URL}"
+ if [ -z "${grafana_url}" ]; then
+ echo "GRAFANA_URL is required"
+ exit 1
+ fi
+ if [ -z "${GRAFANA_USER}" ] || [ -z "${GRAFANA_PASSWORD}" ]; then
+ echo "Grafana admin credentials missing"
 exit 1
 fi
 if [ -z "${GRAFANA_DEDUPE_EMAILS}" ]; then
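Review bot: The `vault.hashicorp.com/*` annotations in the first hunk are added under the Job's own `metadata`, but the Vault agent injector is an admission webhook that reads annotations from the Pod, so unless `spec.template.metadata.annotations` (outside this hunk) already carries them, `/vault/secrets/grafana-env.sh` will never be rendered and the script fails at the `.` line. They belong on the pod template, and for a Job it is worth adding `vault.hashicorp.com/agent-pre-populate-only: "true"` so only the init container runs and no long-lived sidecar keeps the Job from completing. The service account bound to the `monitoring` Vault role is not visible here; confirm the pod template sets it and that the role's policy is limited to reading `kv/data/atlas/monitoring/grafana-admin`.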
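Review bot: In the second hunk, `. /vault/secrets/grafana-env.sh` executes the rendered template as shell, and the template added under `metadata.annotations` earlier in this patch places the secret values inside double quotes, so a password containing `$`, a backtick, `\` or `"` is expanded, executed or breaks the parse. Rendering each value as a raw file and reading it avoids evaluating secret content, for example a template body of `{{ with secret "kv/data/atlas/monitoring/grafana-admin" }}{{ index .Data.data "admin-password" }}{{ end }}` read with `GRAFANA_PASSWORD="$(cat /vault/secrets/<password-file>)"` (the file name is a placeholder). Separately, under `set -u` the check `[ -z "${GRAFANA_USER}" ]` aborts with an unset-variable error before the intended message can print; `${GRAFANA_USER:-}` and `${GRAFANA_PASSWORD:-}` keep that error path reachable. `apk add --no-cache curl jq` also pulls unpinned packages from the network on every run, so an image that already ships both tools would remove that dependency.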
@@ -29,23 +43,19 @@ spec:
 exit 1
 fi
 for email in $(echo "${GRAFANA_DEDUPE_EMAILS}" | tr ',' ' '); do
- ids="$(sqlite3 "$db" "select id from user where email = '${email}';")"
- if [ -z "$ids" ]; then
+ user_id="$(curl -sf -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
+ "${grafana_url}/api/users/lookup?loginOrEmail=${email}" | jq -r '.id // empty')"
+ if [ -z "$user_id" ]; then
 echo "no grafana user found for ${email}"
 continue
 fi
- echo "deleting grafana users with ids: ${ids}"
- sqlite3 "$db" "delete from user_auth where user_id in (${ids});"
- sqlite3 "$db" "delete from user where id in (${ids});"
+ echo "deleting grafana user ${user_id} (${email})"
+ curl -sf -X DELETE -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
+ "${grafana_url}/api/admin/users/${user_id}"
 done
 echo "done"
 env:
+ - name: GRAFANA_URL
+ value: http://grafana
 - name: GRAFANA_DEDUPE_EMAILS
 value: brad.stein@gmail.com,brad@bstein.dev
- volumeMounts:
- - name: grafana-storage
- mountPath: /var/lib/grafana
- volumes:
- - name: grafana-storage
- persistentVolumeClaim:
- claimName: grafana
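Review bot: With `set -euo pipefail` in effect, the lookup `curl -sf … | jq` makes the whole `user_id=` assignment fail whenever Grafana answers with an HTTP error, so a missing user (assuming the API returns 404 for it) most likely terminates the Job instead of reaching the `no grafana user found` branch, and an authentication failure cannot be told apart from it. `${email}` is also pasted into the query string unencoded, which mis-parses addresses containing `+` or `&`; `-G --data-urlencode` handles that. The fence below branches on the status code instead of relying on `-f`. Note too that `GRAFANA_URL` is `http://grafana`, so the admin basic-auth credential crosses the cluster network unencrypted, and `-u user:password` places it in the process arguments; TLS to Grafana and a curl config file passed with `-K` would narrow both exposures.

```yaml
# … unchanged: for-loop header over GRAFANA_DEDUPE_EMAILS …
lookup_body="$(mktemp)"
lookup_status="$(curl -sS -G -o "${lookup_body}" -w '%{http_code}' \
  -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
  --data-urlencode "loginOrEmail=${email}" \
  "${grafana_url}/api/users/lookup")"
case "${lookup_status}" in
  200) user_id="$(jq -r '.id // empty' "${lookup_body}")" ;;
  404) echo "no grafana user found for ${email}"; continue ;;
  *) echo "lookup for ${email} failed with HTTP ${lookup_status}"; exit 1 ;;
esac
# … unchanged: empty user_id check, delete call, loop end …
```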