[ci skip] Remove Authentik forward auth from Grafana, add admin password management

Fixes HA mobile app 403 when embedding Grafana dashboards - the webview blocks third-party cookies needed by Authentik forward auth. Grafana already has anonymous Viewer access enabled, so forward auth is not needed. Also adds grafana_admin_password variable and explicit resource limits to prevent ResourceQuota issues during rolling updates.
2026-02-18 21:40:32 +00:00 · 2026-02-18 21:40:32 +00:00 · 9889728c49
commit 9889728c49
parent 41d3358cc1
5 changed files with 28 additions and 14 deletions
--- a/modules/kubernetes/monitoring/grafana_chart_values.yaml
+++ b/modules/kubernetes/monitoring/grafana_chart_values.yaml
@ -1,6 +1,14 @@
 deploymentStrategy:
  type: RollingUpdate
 replicas: 3
+adminPassword: "${grafana_admin_password}"
+resources:
+  requests:
+    cpu: 50m
+    memory: 128Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
 persistence:
  enabled: false # using external mysql
  existingClaim: "grafana-pvc"
@ -8,7 +16,7 @@ ingress:
  enabled: "true"
  ingressClassName: "traefik"
  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
  tls:
    - secretName: "tls-secret"