[stable/grafana] Allow storing grafana.ini as a secret #22473
Comments
I concur. My deployment of grafana requires the use of a couple of secrets and passwords for oauth and datasources. Since everything is routed through the grafana.ini, I am looking for a good way to obfuscate those values. As I'm researching, I'm seeing that you can specify overrides with environment overrides Yes, it appears that you can generate a Secret and replace the values in the grafana.ini and datasources. I added my key:value pairs to the envRenderSecrets section. This placed environmental values in the pod. I was then able to modify by
The grafana.ini didn't do what I expected. I put a placeholder value in for the client_secret, but it was not overridden by the environmental property. When I used variable syntax, it worked.
This snippet of the datasources also allowed replacement variables.
We are facing the same issue here. We need to configure a |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
This stale bot is absolutely useless... As mentioned in my other issue #22175, it's important that I can use kubernetes secrets to store these secrets and not be required to have them in my values for helm to render.
Something along these lines would suffice and be a much better solution. |
@davidkarlsen @mrueg @GMartinez-Sisti Sorry for tagging you all out of an act of desperation, as it appears creating an issue may not be tracked/monitored in this monolithic repo with ease. Is this something on the current roadmap? |
I'm not a maintainer but I think I can help. Looks like there is already a way to perform this in a secure fashion without the need to change this chart or use environment variables for secrets.
You just need to check where the |
@GMartinez-Sisti thanks for the swift response! That is indeed one way, I'm trying to get my head around how that looks, would you be able to provide an example if it's not too much effort? Ideally, the |
Using an example for oauth, you could do something like this:

grafana.ini:

```ini
[auth.generic_oauth]
enabled = true
client_id = $__file{/etc/secrets/auth_generic_oauth/client_id}
client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}
```

Existing secret, or created along with helm:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: auth-generic-oauth-secret
type: Opaque
stringData:
  client_id: <value>
  client_secret: <value>
```

Config for extraSecretMounts:

```yaml
extraSecretMounts:
  - name: auth-generic-oauth-secret-mount
    secretName: auth-generic-oauth-secret
    defaultMode: 0440
    mountPath: /etc/secrets/auth_generic_oauth
    readOnly: true
```

This should work (famous last words™), note that I wasn't able to deploy to test, but according to the chart these are the required configurations. Please let me know if it worked, and I might send a PR to add this to the README. EDIT: Changed |
Hi @GMartinez-Sisti, thanks for your post - this just worked for me using grafana 7.1+ - you'll need to change _ to - in your secret definition else kube complains (mine did anyway). Kind regards, Pete |
@GMartinez-Sisti Unfortunately, mine doesn't seem to work - perhaps I'm missing something, but here is my config: I get to the redirect URL however it looks like something to do with my secret not being mounted it would appear because notice this in my URL
You need to update EDIT: Nevermind what I said. You are specifying the mount path correctly. Check that the secret exists and has the keys |
Correct me if I'm wrong however the I think my issue is because I'm not running Grafana 7.1.+ as I just noticed the prometheus-operator for some reason is running 7.0.3 even though I'm using the latest version which should be 7.1.+. EDIT: I have checked the secrets are mounted correctly, I did find in the docs it mentions this feature |
The I see you are creating grafana.ini from helm, maybe helm is quoting those values, making it literals, and Grafana doesn't know it has to interpolate those. Try using |
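The two failure modes discussed in the comments above (a `$__file{...}` reference whose file is not actually present in the mount, and a reference that the Helm renderer has wrapped in quotes so Grafana sees a literal) are both things you can check before rolling out a chart. The following pre-flight script is an added example; it is not code from this thread, from Grafana, or from the stable/grafana chart. It walks a grafana.ini, collects every `$__file{<path>}` reference (the syntax from the oauth example above) and every `$__env{<VAR>}` reference (Grafana's documented environment-variable expansion, which the thread only alludes to as "variable syntax"), and reports references that would not resolve: a missing file, a file whose mode is wider than the `defaultMode: 0440` the mount example uses, an empty file, an unset variable, or a quoted reference. The sample ini, the temporary mount tree and the `run_demo` helper are constructed for the demo; the `root` parameter exists so the check can be pointed at a copied mount tree instead of the live `/`.

```python
"""Pre-flight check for Grafana secret references in grafana.ini (added example)."""
import os
import re
import stat
import tempfile

FILE_REF = re.compile(r"\$__file\{([^}]+)\}")
ENV_REF = re.compile(r"\$__env\{([^}]+)\}")

# Constructed sample ini, modelled on the thread's oauth example. The
# client_secret line is deliberately quoted and the database secret is
# deliberately never created, to exercise the failure modes.
SAMPLE_INI = """\
[auth.generic_oauth]
enabled = true
client_id = $__file{/etc/secrets/auth_generic_oauth/client_id}
client_secret = "$__file{/etc/secrets/auth_generic_oauth/client_secret}"

[database]
password = $__file{/etc/secrets/database/password}
user = $__env{GF_DATABASE_USER}
"""


def find_refs(ini_text):
    """Return a list of (section, key, kind, target, quoted) for each reference."""
    refs = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # A quoted reference is the symptom raised in the thread: the renderer
        # may hand Grafana a literal string instead of something to expand.
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
        for m in FILE_REF.finditer(value):
            refs.append((section, key, "file", m.group(1), quoted))
        for m in ENV_REF.finditer(value):
            refs.append((section, key, "env", m.group(1), quoted))
    return refs


def check_refs(refs, root="/", environ=None, max_mode=0o440):
    """Return (section, key, problem) findings; an empty list means all resolve."""
    environ = os.environ if environ is None else environ
    findings = []
    for section, key, kind, target, quoted in refs:
        if quoted:
            findings.append((section, key, "quoted"))
        if kind == "env":
            if not environ.get(target):
                findings.append((section, key, "env-unset"))
            continue
        # root lets the check run against a copied mount tree or a test dir.
        path = os.path.join(root, target.lstrip("/"))
        if not os.path.isfile(path):
            findings.append((section, key, "missing"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~max_mode:          # any permission bit beyond defaultMode
            findings.append((section, key, "mode-too-open"))
        if os.path.getsize(path) == 0:
            findings.append((section, key, "empty"))
    return findings


def run_demo():
    """Build a constructed mount tree, run the check and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        oauth_dir = os.path.join(root, "etc/secrets/auth_generic_oauth")
        os.makedirs(oauth_dir)
        for name, content, mode in (("client_id", "demo-client-id", 0o440),
                                    ("client_secret", "demo-secret", 0o644)):
            target = os.path.join(oauth_dir, name)
            with open(target, "w") as fh:
                fh.write(content)
            os.chmod(target, mode)
        # etc/secrets/database/password is intentionally absent.
        findings = check_refs(find_refs(SAMPLE_INI), root=root, environ={})
    for section, key, problem in findings:
        print(f"[{section}] {key}: {problem}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Run it as `python check_grafana_refs.py` (file name is the reader's choice); in the demo only `client_id` passes, while `client_secret` is reported both as quoted and as more permissive than 0440, the database password as missing, and the database user variable as unset. Against a real pod you would run `find_refs` over the rendered grafana.ini and `check_refs` with the default `root="/"` inside the container, or point `root` at a copy of the mounted secret directories.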
Interestingly, it worked in the sense it took me to the correct oauth github project but then it redirected me to grafana and said "invalid username and password". Here are the logs
Okay fixed it. I don't exactly understand why but I needed |
📢 This chart is deprecated: #23662 |
Is your feature request related to a problem? Please describe.
Grafana.ini is currently stored as a configmap value. I have to configure auth.generic_oauth with client_id and client_secret and also I would like to configure external database connection with password authentication. Storing it in configmap is not the best idea...
Describe the solution you'd like
Be able to use existing secret as a grafana.ini source.
Describe alternatives you've considered
Alternatively you can provide separate options to configure database connection and auth.generic_oauth.
Additional context
#22175 can be related