From 9dfcf158789cfe4c9d418b892df9419ec5857666 Mon Sep 17 00:00:00 2001
From: duynguyen <huonghaiduynhim@gmail.com>
Date: Mon, 13 Apr 2026 00:04:50 +0700
Subject: [PATCH] feat: configure Grafana admin credentials via ExternalSecret
 in kube-prometheus-stack values

---
 manifest/kube-prometheus-stack/values.yaml | 27 ++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/manifest/kube-prometheus-stack/values.yaml b/manifest/kube-prometheus-stack/values.yaml
index 7190077..6dae24c 100644
--- a/manifest/kube-prometheus-stack/values.yaml
+++ b/manifest/kube-prometheus-stack/values.yaml
@@ -1375,7 +1375,7 @@ grafana:
   # Use an existing secret for the admin user.
   admin:
     ## Name of the secret. Can be templated.
-    existingSecret: ""
+    existingSecret: "grafana-admin-secret"
     userKey: admin-user
     passwordKey: admin-password
 
@@ -5620,7 +5620,30 @@ cleanPrometheusOperatorObjectNames: false
 ## Extra manifests to deploy.  Can be of type dict or list.
 ## If dict, keys are ignored and only values are used.
 ## Items contained within extraObjects can be defined as dict or string and are passed through tpl.
-extraManifests: null
+extraManifests:
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: grafana-admin-secret
+      namespace: kube-prometheus-stack
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: grafana-admin-secret
+        creationPolicy: Owner
+        template:
+          engineVersion: v2
+          data:
+            admin-user: "admin"
+            admin-password: "{{ .password }}"
+      data:
+        - secretKey: password
+          remoteRef:
+            key: grafana-admin-password
+            property: password
   # - apiVersion: v1
   #   kind: ConfigMap
   #   metadata: