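# services/monitoring/grafana-user-dedupe-job.yaml
# One-shot Job that looks up each address in GRAFANA_DEDUPE_EMAILS through the
# Grafana HTTP API and deletes the matching user with the Grafana admin
# credentials rendered by the Vault agent.
apiVersion: batch/v1
kind: Job
metadata:
  name: grafana-user-dedupe-api
  namespace: monitoring
spec:
  backoffLimit: 1
  template:
    metadata:
      # The Vault agent injector mutates Pods, so its annotations must sit on
      # the pod template; annotations on the Job object never reach the pod.
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Render the secret in an init container only. A long-running agent
        # sidecar would keep the pod alive and the Job would never complete.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        # NOTE(review): no serviceAccountName is set, so the pod runs as the
        # namespace default ServiceAccount; confirm the "monitoring" Vault
        # role is bound to it and grants read on this one path only.
        vault.hashicorp.com/role: "monitoring"
        vault.hashicorp.com/agent-inject-secret-grafana-env.sh: "kv/data/atlas/monitoring/grafana-admin"
        # The rendered file is sourced by the shell, so a secret value that
        # contains a double quote, `$` or a backtick is interpreted as shell
        # syntax. Keep such characters out of the stored values.
        vault.hashicorp.com/agent-inject-template-grafana-env.sh: |
          {{ with secret "kv/data/atlas/monitoring/grafana-admin" }}
          export GRAFANA_USER="{{ index .Data.data "admin-user" }}"
          export GRAFANA_PASSWORD="{{ index .Data.data "admin-password" }}"
          {{ end }}
    spec:
      restartPolicy: Never
      containers:
        - name: dedupe
          # NOTE(review): the tag is mutable and curl/jq are installed at run
          # time from the package mirror. Pin the image by digest
          # (alpine:3.20@sha256:<DIGEST_PLACEHOLDER>) or use a prebuilt image
          # that already ships both tools.
          image: alpine:3.20
          command:
            - /bin/sh
            - -c
          args:
            - |
              set -euo pipefail
              apk add --no-cache curl jq
              . /vault/secrets/grafana-env.sh

              # ${VAR:-} keeps `set -u` from aborting before the explicit
              # "is required" messages below can be printed.
              grafana_url="${GRAFANA_URL:-}"
              if [ -z "${grafana_url}" ]; then
                echo "GRAFANA_URL is required"
                exit 1
              fi
              if [ -z "${GRAFANA_USER:-}" ] || [ -z "${GRAFANA_PASSWORD:-}" ]; then
                echo "Grafana admin credentials missing"
                exit 1
              fi
              if [ -z "${GRAFANA_DEDUPE_EMAILS:-}" ]; then
                echo "GRAFANA_DEDUPE_EMAILS is required"
                exit 1
              fi

              lookup_file="$(mktemp)"
              trap 'rm -f "${lookup_file}"' EXIT

              # NOTE(review): `-u` places the admin password in curl's argv,
              # and GRAFANA_URL below is plain http, so Basic auth crosses the
              # cluster network unencrypted. Prefer a TLS endpoint.
              for email in $(echo "${GRAFANA_DEDUPE_EMAILS}" | tr ',' ' '); do
                # No -f here: under `set -e` + pipefail a 404 from the lookup
                # would abort the whole job instead of skipping the address.
                # --data-urlencode keeps `+` and `&` in an address from
                # altering the query string.
                status="$(curl -s -G -o "${lookup_file}" -w '%{http_code}' \
                  -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
                  --data-urlencode "loginOrEmail=${email}" \
                  "${grafana_url}/api/users/lookup")" || {
                  echo "lookup request failed for ${email}"
                  exit 1
                }
                case "${status}" in
                  200) ;;
                  404)
                    echo "no grafana user found for ${email}"
                    continue
                    ;;
                  *)
                    echo "unexpected HTTP ${status} looking up ${email}"
                    exit 1
                    ;;
                esac

                user_id="$(jq -r '.id // empty' "${lookup_file}")"
                if [ -z "$user_id" ]; then
                  echo "no grafana user found for ${email}"
                  continue
                fi
                # The id is spliced into a DELETE path on the admin API, so
                # accept nothing but decimal digits.
                case "${user_id}" in
                  *[!0-9]*)
                    echo "unexpected user id in lookup response for ${email}"
                    exit 1
                    ;;
                esac

                echo "deleting grafana user ${user_id} (${email})"
                curl -sf -X DELETE -u "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
                  "${grafana_url}/api/admin/users/${user_id}"
              done
              echo "done"
          env:
            - name: GRAFANA_URL
              value: "http://grafana"
            - name: GRAFANA_DEDUPE_EMAILS
              value: "brad.stein@gmail.com,brad@bstein.dev"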