From c6c8ae54592a3d216e44abc97c4cad3d929c30a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= <moritz.jorg@oceanbox.io>
Date: Mon, 10 Nov 2025 17:45:07 +0100
Subject: [PATCH] fix(prom): Only use oidc once and delete github auth

---
 .../prometheus/values/prometheus.yaml.gotmpl  | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/values/prometheus/values/prometheus.yaml.gotmpl b/values/prometheus/values/prometheus.yaml.gotmpl
index ca96cc55..923c395f 100644
--- a/values/prometheus/values/prometheus.yaml.gotmpl
+++ b/values/prometheus/values/prometheus.yaml.gotmpl
@@ -135,32 +135,34 @@ grafana:
       allow_sign_up: true
       role_attribute_strict: false
       allow_assign_grafana_admin: true
-    {{- else if eq .provider "github" }}
-    auth.{{ .provider }}:
-      name: {{ .name }}
-      enabled: true
-      client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
-      client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
-      allowed_organizations: {{ .allowed_organizations }}
-      {{- if .allowed_teams }}
-      allowed_teams: "{{ .allowed_teams }}"
-      {{- end }}
-      scopes: user:email,read:org
-      auth_url: https://github.com/login/oauth/authorize
-      token_url: https://github.com/login/oauth/access_token
-      allow_sign_up: true
-      role_attribute_strict: false
-      allow_assign_grafana_admin: true
+    #{{- else if eq .provider "github" }}
+    #auth.{{ .provider }}:
+    #  name: {{ .name }}
+    #  enabled: true
+    #  client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
+    #  client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
+    #  allowed_organizations: {{ .allowed_organizations }}
+    #  {{- if .allowed_teams }}
+    #  allowed_teams: "{{ .allowed_teams }}"
+    #  {{- end }}
+    #  scopes: user:email,read:org
+    #  auth_url: https://github.com/login/oauth/authorize
+    #  token_url: https://github.com/login/oauth/access_token
+    #  allow_sign_up: true
+    #  role_attribute_strict: false
+    #  allow_assign_grafana_admin: true
     {{- end }}
     {{- end }}
   extraSecretMounts:
   {{- range .Values.clusterConfig.oidc }}
+  {{- if eq .group "analytics" }}
   - name: {{ .name }}
     secretName: {{ .secret_ref.name }}
     defaultMode: 0440
     mountPath: /etc/secrets/oauth/{{ .name }}
     readOnly: true
   {{- end }}
+  {{- end }}
 
   {{- if .Values.prometheus.grafana.persistence }}
   persistence: