
[kube-prometheus-stack] Fix insecure default password in grafana #5679


Open: wants to merge 7 commits into base: main

Conversation


@robalb robalb commented May 24, 2025

What this PR does / why we need it

As of now, the kube-prometheus-stack chart defines a default admin password for Grafana: "prom-operator".
By doing so, it overrides the more secure default behavior of the upstream Grafana chart, which simply generates a random password when none is set.

It's common practice for both bad actors and security scanners to attempt known default passwords on accidentally exposed instances. For example, see this nuclei template, which demonstrates that this default password is well known in security circles.

This PR removes the default password, aligning the default behaviour with upstream Grafana.

Which issue this PR fixes

Special notes for your reviewer

Checklist

  • DCO signed
  • Chart Version bumped
  • Title of the PR starts with chart name (e.g. [prometheus-couchdb-exporter])

@jkroepke
Member

Thanks! Could you please bump the major version instead and add a note in the UPGRADE.md?

@robalb
Author

robalb commented May 25, 2025

> Thanks! Could you please bump the major version instead and add a note in the UPGRADE.md?

Right, thanks! I documented the changes and included a link to the Grafana documentation on how to retrieve the password

@rouke-broersma
Contributor

rouke-broersma commented May 26, 2025

I think a note should be added in the install instructions warning users of gitops tooling that, if they don't set a default password manually, their gitops tooling is likely to overwrite the secret on the next sync, at which point the secret in the cluster will no longer work and they will have to follow a recovery procedure.
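As an added illustration of the GitOps concern raised above (example values, not part of this PR or of the chart's own files), the override below shows the chart's former weak default next to a configuration that keeps the Grafana admin password out of the Helm release entirely, so a re-sync cannot regenerate or overwrite it. The `grafana.admin.existingSecret`, `userKey` and `passwordKey` keys are the upstream Grafana chart's own values; the Secret name `grafana-admin-credentials`, the `monitoring` namespace and the placeholder password are assumptions.

```yaml
# Added example for kube-prometheus-stack; not part of the PR or the chart.
# Secret name, namespace and the placeholder password are assumptions.

# --- Weak: what the chart shipped before this PR (well known to scanners) ---
grafana:
  adminPassword: prom-operator

---
# --- Corrected: no password in the Helm values at all. The Grafana subchart
# reads the admin credentials from a Secret that exists independently of the
# Helm release, so an Argo CD / Flux re-sync cannot regenerate or overwrite it.
grafana:
  admin:
    existingSecret: grafana-admin-credentials   # assumed name
    userKey: admin-user
    passwordKey: admin-password

---
# The referenced Secret, created outside the chart (by hand, External Secrets,
# sealed-secrets, etc.). Generate the value out of band, for example with
#   openssl rand -base64 30
# and never commit the plaintext to the GitOps repository.
apiVersion: v1
kind: Secret
metadata:
  name: grafana-admin-credentials        # assumed name
  namespace: monitoring                  # assumed namespace
type: Opaque
stringData:
  admin-user: admin
  admin-password: REPLACE-WITH-GENERATED-VALUE   # placeholder, not a real password
```

With this layout the Helm release never owns the password: the chart only references the Secret, so whichever tool renders the chart on each sync has nothing random to re-roll, and the value stays wherever the secrets tooling keeps it.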

@jkroepke
Member

> I think a note should be added in the install instructions warning users of gitops tooling that if they don't set a default password manually their gitops tooling is likely to overwrite the secret on next sync, at which point the secret in the cluster will no longer work and they will have to follow a recovery procedure.

Latest Versions of ArgoCD should support the helm lookup function.

@rouke-broersma
Contributor

@jkroepke I can only find this enhancement proposal which hasn't been approved: argoproj/argo-cd#21745

Can you link me the relevant page that explains helm lookup working in argocd? That would make my day.

@jkroepke
Member

Okay, FluxCD supports that and I thought ArgoCD did as well. My mistake.

I agree with a warning in UPGRADING.

Would it be possible to mimic this as well?

https://github.com/grafana/helm-charts/blob/72a7caf12f61cd5e7d82acbe586fb1e9c0bce2f6/charts/grafana/templates/NOTES.txt#L1-L3
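An added example of the Helm `lookup` approach discussed above (an illustrative template, not the Grafana or kube-prometheus-stack chart's own code): the Secret template reads an already-existing admin password back from the cluster and only generates a fresh one when none is found. The caveat is the one the thread arrives at: `lookup` needs a live API server, so under plain `helm template` (how Argo CD renders charts) it returns an empty map and the generator branch runs on every render, producing a new password each sync. The Secret name and the `admin-password` key are assumptions.

```yaml
{{- /* Added example, not the chart's own template. Secret name is an assumption. */ -}}
{{- $secretName := printf "%s-grafana-admin" .Release.Name }}
{{- /* lookup returns an empty map when the object does not exist OR when rendering
       offline (helm template, Argo CD). Both cases fall through to the generator
       branch, which is exactly why a GitOps re-sync can rotate the password. */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $password := "" }}
{{- if $existing }}
{{- /* Reuse the stored (already base64-encoded) value so upgrades are idempotent. */}}
{{- $password = index $existing.data "admin-password" }}
{{- else }}
{{- /* First install, or offline render: generate a random 40-char password. */}}
{{- $password = randAlphaNum 40 | b64enc }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  admin-user: {{ "admin" | b64enc }}
  admin-password: {{ $password }}
```

Running `helm upgrade` against a cluster keeps the password stable across releases; rendering the same template with `helm template` and applying the output (the Argo CD model) rotates it on every sync. That is why, for Argo CD users, the install notes should point at pinning the password through an externally managed Secret rather than relying on this pattern.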

Successfully merging this pull request may close these issues.

[kube-prometheus-stack] Set default grafana password to 'admin'?
3 participants