extraSecretMounts in Grafana


My goal is to make sure a client secret is not stored in plaintext in Grafana's ConfigMaps. So far, I figured out you can't just reference a value from a Secret in a ConfigMap. So another solution was to mount a secret to a file in the application and reference it in grafana.ini. Like HERE.

Basically, I did it like that below.

grafana.ini:

  [auth.generic_oauth]
  enabled = true
  client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}

Existing secret, or created along with helm:

---
apiVersion: v1
kind: Secret
metadata:
  name: auth-generic-oauth-secret
type: Opaque
stringData:
  client_secret: <value>

Config for extraSecretMounts

- extraSecretMounts:
  - name: auth-generic-oauth-secret-mount
    secretName: auth-generic-oauth-secret
    defaultMode: 0440
    mountPath: /etc/secrets/auth_generic_oauth
    readOnly: false

But the problem is that when I redeploy Grafana, it goes into CrashLoopBackOff state, and the logs say:

Failed to start grafana. error: got error while expanding auth.generic_oauth.client_secret with expander 'file': stat /etc/secrets/auth_generic_oauth/client_secret: no such file or directory

Am I doing something wrong? I guess in that case the file should be created automatically, shouldn't it?

0

There are 0 answers
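
A pre-deploy check for the setup described in the question, as an added example that is not part of the original post: it collects every `$__file{...}` reference in grafana.ini and confirms that a mounted Secret key would produce a file at that path. The function names and the dict layout for Secrets and mounts are assumptions, the sample data is constructed from the question's snippets, and Secret volumes that remap keys with `items` are not modelled.

```python
import configparser
import posixpath
import re

# Constructed inputs mirroring the question's grafana.ini, Secret and mount.
GRAFANA_INI = """\
[auth.generic_oauth]
enabled = true
client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}
"""
SECRETS = {"auth-generic-oauth-secret": {"client_secret"}}  # Secret name -> keys
MOUNTS = [{"secretName": "auth-generic-oauth-secret",
           "mountPath": "/etc/secrets/auth_generic_oauth"}]

FILE_REF = re.compile(r"\$__file\{([^}]+)\}")


def file_refs(ini_text):
    """Map (section, option) -> path for every $__file{...} value."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    refs = {}
    for section in parser.sections():
        for option, value in parser.items(section):
            match = FILE_REF.search(value)
            if match:
                refs[(section, option)] = posixpath.normpath(match.group(1))
    return refs


def projected_files(secrets, mounts):
    """Files a Secret volume exposes: one per Secret key, under mountPath."""
    paths = set()
    for mount in mounts:
        # A Secret that does not exist contributes no files.
        for key in secrets.get(mount["secretName"], ()):
            paths.add(posixpath.join(mount["mountPath"], key))
    return paths


def unresolved(ini_text, secrets, mounts):
    """Return the $__file references that no mounted Secret key satisfies."""
    available = projected_files(secrets, mounts)
    return {k: p for k, p in file_refs(ini_text).items() if p not in available}


if __name__ == "__main__":
    for (section, option), path in unresolved(GRAFANA_INI, SECRETS, MOUNTS).items():
        print(f"[{section}] {option}: nothing mounted at {path}")
```

Populate the Secret and mount data from the rendered manifests rather than from the values file, so a mount that never reaches the Deployment is reported as unresolved.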