Private plugin not picked by helm deployment

Hey Guys,
I developed a private plugin and able to test it successfully in a local docker compose environment. And I haven’t signed my plugin because of the issue that none of our continuous integration tools can reach because of firewall restrictions. Also, I am using helm deployment for my grafana and have uploaded the plugin zip file as a configmap. To use the unsigned plugin, I have set allow_loading_unsigned_plugins with the name of my plugin. My expectation is that grafana should pick up the plugin without issues. But when Grafana starts it’s trying to fetch the plugin from Note : Grafana is running in production mode and the version I am using is 9.5.2. I see a grafana-sc-plugins sidecar container successfully provisioned and inside that I can see my plugin zip file

My helm changes

# Mentioned here the name of the plugin to be installed
 - sample-plugin

# Added the plugin to allow_loading_unsigned_plugins as its not signed
   allow_loading_unsigned_plugins: sample-plugin

# I have a configmap named plugin-configmap and it has a label grafana_plugin: sample-plugin and the same is mentioned in the sidecar - plugins
  enabled: true
  label: grafana_plugin
  labelValue: sample-plugin

  1. Why is Grafana trying to get the plugin from grafana api instead of using the local zip file
  2. Is it a mandate to sign a private plugin if I have to use it in Grafana production mode ?
  3. Is it a default behaviour for grafana to check grafana api if a plugin is unsigned ?
  4. Also, is there a way to self sign the plugin or sign the plugin in offline mode ?


  1. Probably because the plugin is either in the wrong path or not signed. I don’t see in your configuration you pointing your plugin folders to an specific place. Are you 100% sure you are putting the sample-plugin archive file in the correct place?
  2. Yes. Except (see the last part of this answer)
  3. The check is local based on the plugin signature and there are some fallbacks for the api,. but lack of access to the api should not block you from installing a local plugin
  4. You can sign your plugin as a private plugin but you must have access to the API to do this. There’s no way to sign a plugin offline. Could you take your plugin files to a system with internet access, sign it and then move the files back to the offline system? You don’t need any further internet connection once is signed.

As a final solution to your problem you can instruct grafana to allow load an specific unsigned plugin via the configuration file. Configure Grafana | Grafana documentation. Do notice having no signature is different from having an invalid signature