From a56fa3c7b5e9745ff914dd0f3df4b2204cd34bcc Mon Sep 17 00:00:00 2001
From: Matheus Macabu <macabu@users.noreply.github.com>
Date: Fri, 9 Jan 2026 11:01:46 +0100
Subject: [PATCH] Revert "Secrets: Remove unused register_api_server setting"
 (#116004)

Revert "Secrets: Remove unused register_api_server setting (#113849)"

This reverts commit 4ee2112ea437012c4baaffc9db72663281317506.
---
 conf/defaults.ini                           |  2 ++
 conf/sample.ini                             |  2 ++
 pkg/setting/setting_secrets_manager.go      |  3 +++
 pkg/setting/setting_secrets_manager_test.go | 22 +++++++++++++++++++++
 scripts/grafana-server/custom.ini           |  1 +
 5 files changed, 30 insertions(+)

diff --git a/conf/defaults.ini b/conf/defaults.ini
index 363ca39d0c4..c71523a33a8 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -2234,6 +2234,8 @@ encryption_provider = secret_key.v1
 
 # These flags are required in on-prem installations for GitSync to work
 #
+# Whether to register the MT CRUD API
+register_api_server = true
 # Whether to create the MT secrets management database
 run_secrets_db_migrations = true
 # Whether to run the data key id migration. Requires that RunSecretsDBMigrations is also true.
diff --git a/conf/sample.ini b/conf/sample.ini
index 530b14c87ac..5a579d0e74e 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -2123,6 +2123,8 @@ default_datasource_uid =
 
 # These flags are required in on-prem installations for GitSync to work
 #
+# Whether to register the MT CRUD API
+;register_api_server = true
 # Whether to create the MT secrets management database
 ;run_secrets_db_migrations = true
 # Whether to run the data key id migration. Requires that RunSecretsDBMigrations is also true.
diff --git a/pkg/setting/setting_secrets_manager.go b/pkg/setting/setting_secrets_manager.go
index 5730d27a74f..ed7386813ef 100644
--- a/pkg/setting/setting_secrets_manager.go
+++ b/pkg/setting/setting_secrets_manager.go
@@ -36,6 +36,8 @@ type SecretsManagerSettings struct {
 	// How long to wait for the process to clean up a secure value to complete.
 	GCWorkerPerSecureValueCleanupTimeout time.Duration
 
+	// Whether to register the MT CRUD API
+	RegisterAPIServer bool
 	// Whether to create the MT secrets management database
 	RunSecretsDBMigrations bool
 	// Whether to run the data key id migration. Requires that RunSecretsDBMigrations is also true.
@@ -64,6 +66,7 @@ func (cfg *Cfg) readSecretsManagerSettings() {
 	cfg.SecretsManagement.GCWorkerPollInterval = secretsMgmt.Key("gc_worker_poll_interval").MustDuration(1 * time.Minute)
 	cfg.SecretsManagement.GCWorkerPerSecureValueCleanupTimeout = secretsMgmt.Key("gc_worker_per_request_timeout").MustDuration(5 * time.Second)
 
+	cfg.SecretsManagement.RegisterAPIServer = secretsMgmt.Key("register_api_server").MustBool(true)
 	cfg.SecretsManagement.RunSecretsDBMigrations = secretsMgmt.Key("run_secrets_db_migrations").MustBool(true)
 	cfg.SecretsManagement.RunDataKeyMigration = secretsMgmt.Key("run_data_key_migration").MustBool(true)
 
diff --git a/pkg/setting/setting_secrets_manager_test.go b/pkg/setting/setting_secrets_manager_test.go
index 34f88a481b5..c326c250821 100644
--- a/pkg/setting/setting_secrets_manager_test.go
+++ b/pkg/setting/setting_secrets_manager_test.go
@@ -171,6 +171,28 @@ domain = example.com
 		assert.Empty(t, cfg.SecretsManagement.ConfiguredKMSProviders)
 	})
 
+	t.Run("should handle configuration with register_api_server disabled", func(t *testing.T) {
+		iniContent := `
+[secrets_manager]
+register_api_server = false
+`
+		cfg, err := NewCfgFromBytes([]byte(iniContent))
+		require.NoError(t, err)
+
+		assert.False(t, cfg.SecretsManagement.RegisterAPIServer)
+	})
+
+	t.Run("should handle configuration without register_api_server set", func(t *testing.T) {
+		iniContent := `
+[secrets_manager]
+encryption_provider = aws_kms
+`
+		cfg, err := NewCfgFromBytes([]byte(iniContent))
+		require.NoError(t, err)
+
+		assert.True(t, cfg.SecretsManagement.RegisterAPIServer)
+	})
+
 	t.Run("should handle configuration with run_secrets_db_migrations disabled", func(t *testing.T) {
 		iniContent := `
 [secrets_manager]
diff --git a/scripts/grafana-server/custom.ini b/scripts/grafana-server/custom.ini
index 6907ec98a27..74d449d363b 100644
--- a/scripts/grafana-server/custom.ini
+++ b/scripts/grafana-server/custom.ini
@@ -41,5 +41,6 @@ host = localhost:7777
 developer_mode = true ; Enable developer mode to use in-memory implementations of 3rdparty services needed.
 
 [secrets_manager]
+register_api_server = true
 run_secrets_db_migrations = true
 run_data_key_migration = true