
Conversation

@TOMOFUMI-KONDO (Contributor) commented Jan 15, 2026

Hello. Thank you for all your work maintaining this project.

Overview

Add the ability to reference an existing Secret for grafana-mcp authentication instead of having the chart create a new one.

This update improves security because it avoids exposing sensitive credentials in the values file, in the --set option of the helm cli, or in an argocd application.

Changes

Add secretRef option to values.yaml

Added secretRef field to both helm/kagent/values.yaml and helm/tools/grafana-mcp/values.yaml to allow users to specify an existing Secret name containing GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY.

Conditionally create Secret and refer to it from deployment

Modified helm/tools/grafana-mcp/templates/secret.yaml to create a Secret only when serviceAccountToken or apiKey is provided. This prevents creating an empty Secret when using secretRef.

Also updated helm/tools/grafana-mcp/templates/deployment.yaml to reference the Secret specified by secretRef if provided, otherwise falling back to the chart-generated Secret name.

If neither apiKey nor serviceAccountToken is passed, and no secretRef is specified, the Secret for grafana-mcp-server is not created and the reference to it in the deployment disappears, to prevent deployment creation failure.

Behavior change matrix

| Parameter combination | Before | After |
| --- | --- | --- |
| 1. Use default values (apiKey="", serviceAccountToken="") | Empty Secret will be created | (apiKey="", serviceAccountToken="", secretRef="") Secret not created and envFrom.secretRef in deployment removed |
| 2. Set only serviceAccountToken | Secret created with GRAFANA_SERVICE_ACCOUNT_TOKEN | No change |
| 3. Set only apiKey | Secret created with GRAFANA_API_KEY | No change |
| 4. Set only secretRef | N/A | (recommended) Secret resource not created, existing Secret specified by value is used via envFrom.secretRef |
| 5. Set both of secretRef and serviceAccountToken (or apiKey) | N/A | (unintended misuse) Secret with GRAFANA_SERVICE_ACCOUNT_TOKEN created, and secret name changes to the specified one |

Remarks

  • The existing-Secret reference method follows the kagent modelconfig-secret pattern.

Add the ability to reference an existing Secret for grafana-mcp authentication instead of having the chart create a new one.

This update improves security because it avoids exposing sensitive credentials in the values file, in the `--set` option of the helm cli, or in an argocd application.

Added `secretRef` field to both `helm/kagent/values.yaml` and `helm/tools/grafana-mcp/values.yaml` to allow users to specify an existing Secret name containing `GRAFANA_SERVICE_ACCOUNT_TOKEN` or `GRAFANA_API_KEY`.

Modified `helm/tools/grafana-mcp/templates/secret.yaml` to create a Secret only when `serviceAccountToken` or `apiKey` is provided. This prevents creating an empty Secret when using `secretRef`.

Also updated `helm/tools/grafana-mcp/templates/deployment.yaml` to reference the Secret specified by `secretRef` if provided, otherwise falling back to the chart-generated Secret name.

If neither `apiKey` nor `serviceAccountToken` is passed, and no `secretRef` is specified, the Secret for grafana-mcp-server is not created and the reference to it in the deployment disappears, to prevent deployment creation failure.

Signed-off-by: TOMOFUMI-KONDO <[email protected]>
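As an added illustration of the conditional Secret and the `envFrom` fallback the description lays out (example template text written for this page, not the PR's own diff, which is only partly visible here), assume the chart keeps `serviceAccountToken`, `apiKey`, `secretRef` and `url` under `.Values.grafana` (the review snippets show `secretRef` and `url` there) and provides the `grafana-mcp.fullname` helper named in the review; the container image key and the `GRAFANA_URL` env var are assumptions:

```yaml
# --- helm/tools/grafana-mcp/templates/secret.yaml (example, not the PR's diff) ---
# Render a chart-managed Secret only when a credential is passed inline
# (matrix rows 2, 3 and 5). With secretRef alone nothing is rendered (row 4),
# and with every value empty nothing is rendered either (row 1).
{{- if or .Values.grafana.serviceAccountToken .Values.grafana.apiKey }}
apiVersion: v1
kind: Secret
metadata:
  # Falls back to the chart-generated name when secretRef is empty.
  name: {{ .Values.grafana.secretRef | default (include "grafana-mcp.fullname" .) | quote }}
type: Opaque
stringData:
  {{- if .Values.grafana.serviceAccountToken }}
  GRAFANA_SERVICE_ACCOUNT_TOKEN: {{ .Values.grafana.serviceAccountToken | quote }}
  {{- else }}
  # Deprecated path, kept for users still on apiKey.
  GRAFANA_API_KEY: {{ .Values.grafana.apiKey | quote }}
  {{- end }}
{{- end }}

# --- helm/tools/grafana-mcp/templates/deployment.yaml, container spec excerpt (example) ---
    spec:
      containers:
        - name: grafana-mcp
          image: {{ .Values.image | quote }}   # assumed values key
          env:
            - name: GRAFANA_URL                # assumed env var name
              value: {{ .Values.grafana.url | quote }}
          # Attach envFrom only when some Secret will exist (rows 2 to 5).
          # With every credential value empty (row 1) the stanza is omitted,
          # so the Pod does not fail on a reference to a missing Secret.
          {{- if or .Values.grafana.secretRef .Values.grafana.serviceAccountToken .Values.grafana.apiKey }}
          envFrom:
            - secretRef:
                name: {{ .Values.grafana.secretRef | default (include "grafana-mcp.fullname" .) | quote }}
          {{- end }}
```

Rendering this with `helm template` and `--set grafana.secretRef=grafana-creds` (a constructed name) should produce no Secret object and an `envFrom.secretRef.name: "grafana-creds"` on the container, which is row 4 of the matrix; rendering with no credential values at all produces neither the Secret nor the `envFrom` stanza, which is row 1. The same `default` expression is deliberately used in both files so the name the Deployment looks up is always the name the chart (or the user) actually created.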
Copilot AI review requested due to automatic review settings January 15, 2026 12:30
Copilot AI left a comment


Pull request overview

This PR adds support for referencing existing Secrets in the grafana-mcp Helm chart, improving security by allowing users to manage authentication credentials externally rather than exposing them in values files or CLI arguments.

Changes:

  • Added secretRef configuration option to allow referencing pre-existing Secrets containing Grafana credentials
  • Modified Secret template to conditionally create Secrets only when credentials are directly provided
  • Updated deployment template to use either the referenced Secret or the chart-generated Secret name

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| helm/tools/grafana-mcp/values.yaml | Added commented secretRef field and commented out deprecated apiKey field |
| helm/tools/grafana-mcp/templates/secret.yaml | Added conditional creation of Secret and support for custom Secret names via secretRef |
| helm/tools/grafana-mcp/templates/deployment.yaml | Added conditional Secret reference in deployment based on credential configuration |
| helm/kagent/values.yaml | Updated default values to use serviceAccountToken instead of apiKey and added secretRef option |


url: "grafana.kagent:3000/api"
serviceAccountToken: ""
apiKey: "" # Deprecated - use serviceAccountToken instead.
# apiKey: "" # Deprecated - use serviceAccountToken instead.

Copilot AI Jan 15, 2026


The apiKey field should remain uncommented with an empty default value for backward compatibility, similar to serviceAccountToken on line 5. Users relying on this field in their existing configurations may experience breaking changes if it's only available as a comment.

Suggested change
# apiKey: "" # Deprecated - use serviceAccountToken instead.
apiKey: "" # Deprecated - use serviceAccountToken instead.

TOMOFUMI-KONDO (Contributor Author)


I follow the pattern of modelconfig-secret, e.g. Values.providers.openAI.apiKey.

serviceAccountToken: ""
apiKey: "" # Deprecated - use serviceAccountToken instead.
# apiKey: "" # Deprecated - use serviceAccountToken instead.
# secretRef: "" # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)

Copilot AI Jan 15, 2026


The secretRef field should be uncommented with an empty default value to make it discoverable as a supported configuration option, consistent with how serviceAccountToken is defined on line 5.

Suggested change
# secretRef: "" # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)
secretRef: "" # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)

TOMOFUMI-KONDO (Contributor Author)


I follow the pattern of modelconfig-secret, e.g. Values.providers.openAI.apiKey.

kind: Secret
metadata:
name: {{ include "grafana-mcp.fullname" . }}
name: {{ .Values.grafana.secretRef | default (include "grafana-mcp.fullname" .) | quote }}
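Review bot: the new `name:` line lets `.Values.grafana.secretRef` rename a chart-managed Secret, so in row 5 of the behaviour matrix (secretRef set together with serviceAccountToken or apiKey) the chart creates, and takes ownership of, a Secret under a name the user supplied to point at an existing one. Safer to make the two modes mutually exclusive at render time and keep the resource name fixed, e.g. at the top of this template: `{{- if and .Values.grafana.secretRef (or .Values.grafana.serviceAccountToken .Values.grafana.apiKey) }}{{ fail "grafana.secretRef cannot be combined with serviceAccountToken or apiKey" }}{{- end }}` followed by `name: {{ include "grafana-mcp.fullname" . }}`. The deployment's `default` fallback then still resolves to the chart Secret in rows 2 and 3, and a conflicting configuration fails loudly instead of silently producing a Secret with a surprising name.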

Copilot AI Jan 15, 2026


When secretRef is provided, this template creates a Secret with that name, which could overwrite an existing Secret the user intended to reference. The Secret should only be created with the chart-generated name. If secretRef is specified, this Secret resource should not be created at all.

TOMOFUMI-KONDO (Contributor Author)


secretRef is used in the deployment to refer to this Secret. If secretRef is specified together with serviceAccountToken or apiKey, which is unintended misuse, the deployment will refer to a nonexistent Secret. To prevent such trouble, I also set secretRef on the Secret resource.

Comment on lines +353 to +354
# apiKey: "" # Deprecated - use serviceAccountToken instead.
# secretRef: "" # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)

Copilot AI Jan 15, 2026


These fields should be uncommented with empty default values for consistency with serviceAccountToken on line 352 and to maintain backward compatibility for apiKey.

Suggested change
# apiKey: "" # Deprecated - use serviceAccountToken instead.
# secretRef: "" # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)
apiKey: "" # Deprecated - use serviceAccountToken instead.
secretRef: "" # Name of Secret to reference (contains GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_API_KEY)

TOMOFUMI-KONDO (Contributor Author)


I follow the pattern of modelconfig-secret, e.g. Values.providers.openAI.apiKey.

@TOMOFUMI-KONDO (Contributor Author)

@EItanya @ilackarms @yuval-k

Hi, just a gentle reminder about this PR.
When you have time, could you please take a look?
Thanks.
