monitoring: dedupe grafana user via api

2026-01-21 12:11:28 -03:00 · 2026-01-21 12:11:28 -03:00 · a0caeb407c
commit a0caeb407c
parent 6eeb551239
1 changed files with 27 additions and 17 deletions
--- a/services/monitoring/grafana-user-dedupe-job.yaml
+++ b/services/monitoring/grafana-user-dedupe-job.yaml
@ -2,8 +2,17 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: grafana-user-dedupe
+  name: grafana-user-dedupe-api
  namespace: monitoring
+  annotations:
+    vault.hashicorp.com/agent-inject: "true"
+    vault.hashicorp.com/role: "monitoring"
+    vault.hashicorp.com/agent-inject-secret-grafana-env.sh: "kv/data/atlas/monitoring/grafana-admin"
+    vault.hashicorp.com/agent-inject-template-grafana-env.sh: |
+      {{ with secret "kv/data/atlas/monitoring/grafana-admin" }}
+      export GRAFANA_USER="{{ index .Data.data "admin-user" }}"
+      export GRAFANA_PASSWORD="{{ index .Data.data "admin-password" }}"
+      {{ end }}
 spec:
  backoffLimit: 1
  template:
@ -18,10 +27,15 @@ spec:
          args:
            - |
              set -euo pipefail
-              apk add --no-cache sqlite
-              db="/var/lib/grafana/grafana.db"
-              if [ ! -f "$db" ]; then
-                echo "grafana db not found at $db"
+              apk add --no-cache curl jq
+              . /vault/secrets/grafana-env.sh
+              grafana_url="${GRAFANA_URL}"
+              if [ -z "${grafana_url}" ]; then
+                echo "GRAFANA_URL is required"
+                exit 1
+              fi
+              if [ -z "${GRAFANA_USER}" ] || [ -z "${GRAFANA_PASSWORD}" ]; then
+                echo "Grafana admin credentials missing"
                exit 1
              fi
              if [ -z "${GRAFANA_DEDUPE_EMAILS}" ]; then
@ -29,23 +43,19 @@ spec:
                exit 1
              fi
              for email in $(echo "${GRAFANA_DEDUPE_EMAILS}" | tr ',' ' '); do
-                ids="$(sqlite3 "$db" "select id from user where email = '${email}';")"
-                if [ -z "$ids" ]; then
+                user_id="$(curl -sf -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
+                  "${grafana_url}/api/users/lookup?loginOrEmail=${email}" | jq -r '.id // empty')"
+                if [ -z "$user_id" ]; then
                  echo "no grafana user found for ${email}"
                  continue
                fi
-                echo "deleting grafana users with ids: ${ids}"
-                sqlite3 "$db" "delete from user_auth where user_id in (${ids});"
-                sqlite3 "$db" "delete from user where id in (${ids});"
+                echo "deleting grafana user ${user_id} (${email})"
+                curl -sf -X DELETE -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
+                  "${grafana_url}/api/admin/users/${user_id}"
              done
              echo "done"
          env:
+            - name: GRAFANA_URL
+              value: http://grafana
            - name: GRAFANA_DEDUPE_EMAILS
              value: brad.stein@gmail.com,brad@bstein.dev
-          volumeMounts:
-            - name: grafana-storage
-              mountPath: /var/lib/grafana
-      volumes:
-        - name: grafana-storage
-          persistentVolumeClaim:
-            claimName: grafana