@TOMOFUMI-KONDO TOMOFUMI-KONDO commented Jan 7, 2026

Overview

Add support for Grafana service account token authentication in the grafana-mcp Helm chart.

API keys are deprecated in Grafana and will be removed in a future release. Service account tokens are the recommended authentication method.

Changes

  • Add serviceAccountToken option to values.yaml
  • Mark apiKey as deprecated in values.yaml
  • Update secret.yaml template

About Backward Compatibility

This change modifies the behavior of GRAFANA_API_KEY environment variable rendering:

| Condition | Before | After |
| --- | --- | --- |
| grafana.apiKey is not set | GRAFANA_API_KEY: "-" | Not rendered |
| grafana.apiKey is set | GRAFANA_API_KEY: <value> | GRAFANA_API_KEY: <value> |

I think this is functionally equivalent because the placeholder value "-" is not a valid API key and would not work for authentication.

Add grafana.serviceAccountToken option to enable authentication
using Grafana service account tokens as an alternative to API keys.
Both GRAFANA_API_KEY and GRAFANA_SERVICE_ACCOUNT_TOKEN environment
variables are now conditionally rendered based on value setting.

Signed-off-by: TOMOFUMI-KONDO <ugax2kontomo0314@gmail.com>
Copilot AI review requested due to automatic review settings January 7, 2026 01:53

Copilot AI left a comment

Pull request overview

This PR adds support for Grafana service account token authentication to the grafana-mcp Helm chart, aligning with Grafana's recommendation to migrate away from deprecated API keys. The implementation allows users to specify a service account token while maintaining backward compatibility with the existing API key method.

Key Changes

  • Added serviceAccountToken configuration option to values.yaml
  • Updated secret template to conditionally include service account token or API key based on configuration
  • Deprecated the apiKey field with an inline comment

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| helm/tools/grafana-mcp/values.yaml | Adds serviceAccountToken field and marks apiKey as deprecated |
| helm/tools/grafana-mcp/templates/secret.yaml | Updates secret generation to support both authentication methods with conditional logic |

Comment on lines +13 to +15
{{- if and .Values.grafana.apiKey (not .Values.grafana.serviceAccountToken) }}
GRAFANA_API_KEY: {{ .Values.grafana.apiKey | b64enc }}
{{- end }}
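
Review bot: When both grafana.apiKey and grafana.serviceAccountToken are set, the `not .Values.grafana.serviceAccountToken` guard on line +13 drops GRAFANA_API_KEY from the Secret with no signal to the operator, so a stale apiKey left in an override file goes unnoticed. Suggest either calling Helm's `fail` when both values are non-empty or printing a warning from NOTES.txt, so the precedence is visible at install time rather than only in the template.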

Copilot AI Jan 7, 2026

The conditional logic allows both authentication methods to be silently ignored if both are empty strings. This could lead to a deployment with no authentication configured. Consider adding validation to ensure at least one authentication method is provided, or document this behavior clearly.

Contributor Author

Adding validation is not scoped in this PR.
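
The rendering cases discussed in this thread, reproduced with Go's text/template (the engine Helm templates are built on) as an added example; it is not code from the PR or the chart. The serviceAccountToken branch, the local b64enc stand-in for the Sprig function, the Check gate and the sample values are assumptions constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"text/template"
)

// apiKey branch: as quoted in the review thread. serviceAccountToken branch: assumed.
const secretData = `
{{- if .Values.grafana.serviceAccountToken }}
GRAFANA_SERVICE_ACCOUNT_TOKEN: {{ .Values.grafana.serviceAccountToken | b64enc }}
{{- end }}
{{- if and .Values.grafana.apiKey (not .Values.grafana.serviceAccountToken) }}
GRAFANA_API_KEY: {{ .Values.grafana.apiKey | b64enc }}
{{- end }}`

// Render returns the Secret data lines produced for the given values.
func Render(apiKey, token string) string {
	b64 := func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
	tpl := template.Must(template.New("s").Funcs(template.FuncMap{"b64enc": b64}).Parse(secretData))
	grafana := map[string]any{"apiKey": apiKey, "serviceAccountToken": token}
	var out strings.Builder
	if err := tpl.Execute(&out, map[string]any{"Values": map[string]any{"grafana": grafana}}); err != nil {
		panic(err)
	}
	return strings.TrimSpace(out.String())
}

// Check is a hypothetical pre-deploy gate for the cases the template accepts silently.
func Check(apiKey, token string) string {
	switch {
	case Render(apiKey, token) == "":
		return "no Grafana credential rendered"
	case apiKey != "" && token != "":
		return "apiKey set but ignored: serviceAccountToken takes precedence"
	case apiKey == "-":
		return `placeholder "-" rendered as GRAFANA_API_KEY`
	}
	return ""
}

func main() {
	// Constructed sample values, not real credentials.
	for _, v := range [][2]string{{"", ""}, {"-", ""}, {"key", ""}, {"", "tok"}, {"key", "tok"}} {
		fmt.Printf("apiKey=%q token=%q -> %q (%s)\n", v[0], v[1], Render(v[0], v[1]), Check(v[0], v[1]))
	}
}
```

An override file that still carries the old `"-"` placeholder renders a GRAFANA_API_KEY entry, which is the case the gate's third branch reports.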

url: "grafana.kagent:3000/api"
apiKey: "-"
serviceAccountToken: ""
apiKey: "" # Deprecated - use serviceAccountToken instead.
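
Review bot: The new serviceAccountToken key has no comment of its own; the only guidance is the deprecation note on the apiKey line. Suggest a short comment on serviceAccountToken stating that it holds a Grafana service account token, that it takes precedence over apiKey when both are set, and that leaving both empty produces a Secret with no Grafana credential.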

Copilot AI Jan 7, 2026

The default value changed from '-' to an empty string. If '-' was a sentinel value used elsewhere in the templates or by consumers, this could be a breaking change. Consider documenting this change in the PR description or maintaining the '-' default for backward compatibility.

Suggested change
apiKey: "" # Deprecated - use serviceAccountToken instead.
apiKey: "-" # Deprecated - use serviceAccountToken instead.

Contributor Author

I added the backward compatibility description in PR.

@EItanya EItanya merged commit 9e9ca6d into kagent-dev:main Jan 7, 2026
18 checks passed