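---
# Role: allows reading exactly one Secret in the "monitoring" namespace.
# A Role is namespaced, so it is created in the namespace that holds the
# Secret rather than in the release namespace. "monitoring" is hard-coded:
# the namespace must already exist, and whoever installs the chart needs
# permission to create RBAC objects there.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: authentik-read-grafana-secret
  namespace: monitoring  # The namespace where the secret exists
  labels:
    app.kubernetes.io/part-of: authentik
    app.kubernetes.io/managed-by: helm
    # Quoted so a release name that looks like a number or a boolean is
    # still rendered as a string; label values must be strings.
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/component: grafana-sso
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # Grant access only to this specific secret
    resourceNames: ["authentik-client-secret-grafana"]
    # Keep this to "get". resourceNames cannot restrict "create", and
    # "list"/"watch" are only limited by name when the request carries a
    # metadata.name field selector, so widening the verbs weakens the scoping.
    verbs: ["get"]
---
# RoleBinding: grants the Role above to the Authentik ServiceAccount.
# The binding lives in "monitoring" next to the Role and the Secret, while its
# subject lives in the release namespace (a cross-namespace grant). Every pod
# that runs under this ServiceAccount can read the Grafana client secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: authentik-read-grafana-secret-binding
  namespace: monitoring  # The namespace where the secret and role exist
  labels:
    app.kubernetes.io/part-of: authentik
    app.kubernetes.io/managed-by: helm
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/component: grafana-sso
roleRef:
  # roleRef cannot be changed after creation; renaming the Role means
  # deleting and recreating this binding.
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: authentik-read-grafana-secret
subjects:
  - kind: ServiceAccount
    # The service account used by Authentik.
    # NOTE(review): assumes the ServiceAccount is named by the
    # "authentik.fullname" helper. Confirm against the chart's ServiceAccount
    # template: a name that matches no ServiceAccount is accepted without
    # error and the binding then grants nothing.
    name: {{ include "authentik.fullname" . | quote }}
    # The namespace where Authentik is running
    namespace: {{ .Release.Namespace | quote }}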