From 95e39306c54ac23fca1c28194c133d91d7e45820 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Sun, 3 May 2026 15:27:40 +0000
Subject: [PATCH] fix: seed grafana admin secret during deploy

---
 .gitea/workflows/deploy.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 8d03e12..b4fa059 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -857,6 +857,7 @@ jobs:
       - name: Reconcile observability stack
         env:
           KUBECONFIG: outputs/kubeconfig
+          GRAFANA_ADMIN_PASSWORD: ${{ secrets.GRAFANA_ADMIN_PASSWORD }}
         run: |
           set -euo pipefail
 
@@ -949,14 +950,25 @@ jobs:
           wait_for_grafana_secret() {
             local timeout_seconds="$1"
             local elapsed=0
+            local force_sync
 
             while [ "${elapsed}" -lt "${timeout_seconds}" ]; do
+              force_sync="$(date +%s)"
+              kubectl -n observability annotate externalsecret/grafana-admin external-secrets.io/force-sync="${force_sync}" --overwrite || true
+
+              if [ -n "${GRAFANA_ADMIN_PASSWORD}" ]; then
+                kubectl -n observability create secret generic grafana-admin-credentials \
+                  --from-literal=admin-user=admin \
+                  --from-literal=admin-password="${GRAFANA_ADMIN_PASSWORD}" \
+                  --dry-run=client -o yaml | kubectl apply -f -
+              fi
+
               if kubectl -n observability get secret/grafana-admin-credentials >/dev/null 2>&1; then
                 return 0
               fi
 
               sleep 15
-              elapsed=$((elapsed + 75))
+              elapsed=$((elapsed + 15))
             done
 
             echo "Timed out waiting for Grafana admin ExternalSecret to sync" >&2