Secrets... ugh

kubernetes/apps/observability/grafana/app/externalsecret.yaml

@@ -16,6 +16,14 @@ spec:
       engineVersion: v2
       data:
         GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}"
+        GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
+        GF_SERVER_ROOT_URL: https://grafana.hsn.dev
+        GF_DATABASE_NAME: ${DB_NAME}
+        GF_DATABASE_HOST: "grafana-primary.observability.svc:5432"
+        GF_DATABASE_USER: "{{ .grafana_postgres_user }}"
+        GF_DATABASE_PASSWORD: "{{ .grafana_postgres_password }}"
+        GF_DATABASE_SSL_MODE: disable
+        GF_DATABASE_TYPE: postgres
   dataFrom:
     - extract:
         key: Authentik
@@ -23,3 +31,9 @@ spec:
         - regexp:
             source: "(.*)"
             target: "authentik_$1"
+    - extract:
+        key: grafana
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "grafana_$1"

kubernetes/apps/observability/grafana/app/helmrelease.yaml

@@ -30,21 +30,4 @@ spec:
       namespace: observability
   values:
     replicas: 2
-    env:
-      GF_DATE_FORMATS_USE_BROWSER_LOCALE: true
-      GF_SERVER_ROOT_URL: https://grafana.hsn.dev
-      GF_DATABASE_NAME: ${DB_NAME}
-      GF_DATABASE_HOST: "grafana-primary.observability.svc:5432"
-      GF_DATABASE_USER:
-        valueFrom:
-          secretKeyRef:
-            name: "${APP}-pguser-${DB_USER}"
-            key: user
-      GF_DATABASE_PASSWORD:
-        valueFrom:
-          secretKeyRef:
-            name: "${APP}-pguser-${DB_USER}"
-            key: password
-      GF_DATABASE_SSL_MODE: disable
-      GF_DATABASE_TYPE: postgres
     envFromSecret: grafana-secret