From 0c09177d087590f3d0b05a01ad12edc890e3237c Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Fri, 30 Jan 2026 14:11:29 -0800
Subject: [PATCH] Enable anonymous auth for Grafana iframe embeds

Public dashboards don't support template variables or PostgreSQL
datasources, so anonymous auth is required for Homepage embeds.

Security relies on Tailscale ACLs - see zk grafana card.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 argocd/manifests/grafana/values.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/argocd/manifests/grafana/values.yaml b/argocd/manifests/grafana/values.yaml
index 976ed5c..3cb4c80 100644
--- a/argocd/manifests/grafana/values.yaml
+++ b/argocd/manifests/grafana/values.yaml
@@ -30,10 +30,12 @@ grafana.ini:
     allow_embedding: true
     # Required for iframe session cookies
     cookie_samesite: lax
-  # Public dashboards - selectively share specific dashboards without auth
-  # Enable per-dashboard via Share > Public Dashboard in Grafana UI
-  public_dashboards:
+  auth.anonymous:
+    # WARNING: All dashboards readable without login
+    # Security relies on Tailscale ACLs - only tailnet members can reach Grafana
+    # Required for iframe embeds with template variables and non-Prometheus datasources
     enabled: true
+    org_role: Viewer
   analytics:
     check_for_updates: false
     reporting_enabled: false