From 8e26863e033b6669148a764bef6d027cfa516d85 Mon Sep 17 00:00:00 2001
From: Lokesh Muvva
Date: Tue, 2 Jun 2026 16:03:11 -0700
Subject: [PATCH 1/3] feat: add configurable admin credentials to Grafana Cloud Run module

The Grafana Cloud Run module set no admin env vars, so the admin password came solely from the value baked into the container image, leaving no way to override it at deploy time. Add grafana_admin_user / grafana_admin_password variables (defaulting to admin to preserve current behavior; password marked sensitive) and wire them to GF_SECURITY_ADMIN_USER / GF_SECURITY_ADMIN_PASSWORD. A Cloud Run container env var overrides the image's baked-in ENV, which sets up removing the hardcoded credentials from the Dockerfile.
---
 .../modules/grafana/cloud/gcp/cloud_run/main.tf | 8 ++++++++
 .../grafana/cloud/gcp/cloud_run/variables.tf | 13 +++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/main.tf b/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/main.tf
index 440001a..f5fd44c 100644
--- a/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/main.tf
+++ b/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/main.tf
@@ -48,6 +48,14 @@ resource "google_cloud_run_service" "grafana" {
 name = "GF_SERVER_HTTP_PORT"
 value = "8080"
 }
+ env {
+ name = "GF_SECURITY_ADMIN_USER"
+ value = var.grafana_admin_user
+ }
+ env {
+ name = "GF_SECURITY_ADMIN_PASSWORD"
+ value = var.grafana_admin_password
+ }
 }
 }
 }
diff --git a/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/variables.tf b/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/variables.tf
index 5db3fbb..0206415 100644
--- a/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/variables.tf
+++ b/src/deployml/terraform/modules/grafana/cloud/gcp/cloud_run/variables.tf
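Review bot: `value = var.grafana_admin_password` puts the admin password into the Cloud Run revision spec as a plaintext environment variable, where anyone who can describe the service or open its revisions in the console can read it, and it is also written unencrypted into Terraform state. Since the variables file marks this input `sensitive`, consider sourcing it from Secret Manager instead: replace the `value` line with a `value_from { secret_key_ref { name = <secret id>, key = "latest" } }` block and grant the service's runtime service account `roles/secretmanager.secretAccessor` on that secret, so only the secret name lands in the spec and the state. The `resource "google_cloud_run_service" "grafana"` block begins before this hunk, so the service account it runs as is not visible here.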
@@ -52,4 +52,17 @@ variable "cloudsql_instance_annotation" {
 type = string
 description = "Cloud SQL instance connection annotation"
 default = ""
+}
+
+variable "grafana_admin_user" {
+ type = string
+ description = "Admin username for Grafana"
+ default = "admin"
+}
+
+variable "grafana_admin_password" {
+ type = string
+ description = "Admin password for Grafana"
+ default = "admin"
+ sensitive = true
 }
\ No newline at end of file
From 224e06a2a350a934c0db03ee78fefcd18bfe902f Mon Sep 17 00:00:00 2001
From: Lokesh Muvva
Date: Tue, 2 Jun 2026 16:26:02 -0700
Subject: [PATCH 2/3] feat: pass admin credentials from stack config to Grafana Cloud Run module

The Cloud Run main templates invoked the Grafana module without forwarding any admin credentials, so the module inputs added in the previous commit were unreachable from a user's stack config. Forward grafana_admin_user / grafana_admin_password from the grafana tool's params (defaulting to admin) in both main.tf.j2 and mlflow_main.tf.j2. Verified by rendering the documented MLflow+Grafana stack: it emits a single Grafana module with the credentials applied, and a custom password in config passes through.
---
 src/deployml/templates/gcp/cloud_run/main.tf.j2 | 2 ++
 src/deployml/templates/gcp/cloud_run/mlflow_main.tf.j2 | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/deployml/templates/gcp/cloud_run/main.tf.j2 b/src/deployml/templates/gcp/cloud_run/main.tf.j2
index 45bd45c..6d87abe 100644
--- a/src/deployml/templates/gcp/cloud_run/main.tf.j2
+++ b/src/deployml/templates/gcp/cloud_run/main.tf.j2
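Review bot: `default = "admin"` on `grafana_admin_password` means a caller that forgets to set the variable silently deploys Grafana with the well-known default credential, and `sensitive = true` only redacts plan and apply output; the value is still stored unencrypted in the state file. Both templates in this series now pass the password explicitly, so the default only serves direct module callers; consider dropping it so Terraform refuses to plan without a value, and pairing that with a `validation` block such as `condition = var.grafana_admin_password != "admin"` and an `error_message` naming the variable. The `variable "cloudsql_instance_annotation"` block begins before this hunk.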
@@ -201,6 +201,8 @@ module "{{ stage_name }}_{{ tool.name }}" {
 cpu_limit = var.cpu_limit
 memory_limit = var.memory_limit
 allow_public_access = var.allow_public_access
+ grafana_admin_user = "{{ tool.params.get('grafana_admin_user', 'admin') }}"
+ grafana_admin_password = "{{ tool.params.get('grafana_admin_password', 'admin') }}"
 {% if flags.needs_postgres %}
 metrics_connection_string = module.cloud_sql_postgres.grafana_connection_string_cloud_sql
 use_metrics_database = true
diff --git a/src/deployml/templates/gcp/cloud_run/mlflow_main.tf.j2 b/src/deployml/templates/gcp/cloud_run/mlflow_main.tf.j2
index 8302530..13c1c66 100644
--- a/src/deployml/templates/gcp/cloud_run/mlflow_main.tf.j2
+++ b/src/deployml/templates/gcp/cloud_run/mlflow_main.tf.j2
@@ -280,6 +280,8 @@ module "{{ stage_name }}_{{ tool.name }}" {
 cpu_limit = var.cpu_limit
 memory_limit = var.memory_limit
 allow_public_access = var.allow_public_access
+ grafana_admin_user = "{{ tool.params.get('grafana_admin_user', 'admin') }}"
+ grafana_admin_password = "{{ tool.params.get('grafana_admin_password', 'admin') }}"
 {% if flags.needs_postgres %}
 metrics_connection_string = module.cloud_sql_postgres.grafana_connection_string_cloud_sql
 use_metrics_database = true
From c37b2d37a97afed6386335fa4aba89649210dc92 Mon Sep 17 00:00:00 2001
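Review bot: `grafana_admin_password = "{{ tool.params.get('grafana_admin_password', 'admin') }}"` interpolates the password straight into the rendered main.tf as a quoted HCL literal, so the secret is written to disk in the generated Terraform (and into anything that file is committed to or shared with), and a value containing `"`, `\` or `${` is not escaped and will either break parsing or be treated as interpolation. The same applies to the mlflow_main.tf.j2 hunk at line 280. A safer shape is to render `grafana_admin_password = var.grafana_admin_password` here, emit a `variable "grafana_admin_password" { type = string; sensitive = true }` declaration in the generated root module, and let the caller supply the value through `TF_VAR_grafana_admin_password` or a git-ignored tfvars file; if the value must stay in the template, at least pass it through an escaping filter such as `tojson` and document that `${` sequences are still interpreted by HCL. The `module "{{ stage_name }}_{{ tool.name }}"` block begins before this hunk.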
From: Lokesh Muvva
Date: Tue, 2 Jun 2026 16:28:15 -0700
Subject: [PATCH 3/3] fix: stop baking admin credentials into the Grafana image

The Grafana image set GF_SECURITY_ADMIN_USER / GF_SECURITY_ADMIN_PASSWORD to admin via ENV, embedding a credential in a readable image layer (visible through docker history). With the Cloud Run module and templates now supplying these at deploy time, the baked values are redundant. Remove them. Behavior is unchanged: deployed services get their credentials from Terraform, and a standalone container falls back to Grafana's own admin default, so the documented login still holds. GF_SERVER_HTTP_PORT is kept as it is non-secret port configuration.
---
 src/deployml/docker/grafana-container/Dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/deployml/docker/grafana-container/Dockerfile b/src/deployml/docker/grafana-container/Dockerfile
index 5ba6664..da429d0 100644
--- a/src/deployml/docker/grafana-container/Dockerfile
+++ b/src/deployml/docker/grafana-container/Dockerfile
@@ -4,9 +4,7 @@ FROM grafana/grafana:10.4.5
 USER root
 # Configure Grafana to listen on Cloud Run's expected port
-ENV GF_SERVER_HTTP_PORT=8080 \
- GF_SECURITY_ADMIN_USER=admin \
- GF_SECURITY_ADMIN_PASSWORD=admin
+ENV GF_SERVER_HTTP_PORT=8080
 # Copy entrypoint script and set permissions
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh