My goal is to make sure a client secret is not stored in plaintext in Grafana's ConfigMaps. So far, I figured out you can't just reference a value from a Secret in a ConfigMap. So another solution was to mount a secret to a file in the application and reference it in grafana.ini. Like HERE.
Basically, I did it as below.
grafana.ini:
```ini
[auth.generic_oauth]
enabled = true
client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}
```
Existing secret, or created along with helm:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: auth-generic-oauth-secret
type: Opaque
stringData:
  client_secret: <value>
```
Config for extraSecretMounts:
```yaml
- extraSecretMounts:
    - name: auth-generic-oauth-secret-mount
      secretName: auth-generic-oauth-secret
      defaultMode: 0440
      mountPath: /etc/secrets/auth_generic_oauth
      readOnly: false
```
But the problem is that when I redeploy Grafana, it goes into CrashLoopBackOff state, and the logs say:
```
Failed to start grafana. error: got error while expanding auth.generic_oauth.client_secret with expander 'file': stat /etc/secrets/auth_generic_oauth/client_secret: no such file or directory
```
Am I doing something wrong? I guess in that case the file should be created automatically, shouldn't it?
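A pre-deploy check for the setup described in the question, as an added example that is not part of the original post or of Grafana's chart: it cross-references every `$__file{...}` value in grafana.ini against the secret mounts rendered into the pod and the keys the Secret holds, which are the three things that must line up for the file to exist. The function names, the plain-Python shape of `MOUNTS` and `SECRETS`, and the sample data are assumptions constructed here; `subPath` and `items` remapping are not modelled.

```python
import configparser
import posixpath
import re

FILE_REF = re.compile(r"\$__file\{([^}]+)\}")

def file_refs(ini_text):
    """Yield (section, key, path) for every $__file{...} value in grafana.ini."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '$' and '%' literal
    cp.read_string(ini_text)
    for section in cp.sections():
        for key, value in cp.items(section):
            for path in FILE_REF.findall(value):
                yield section, key, posixpath.normpath(path)

def unresolved_refs(ini_text, mounts, secrets):
    """Return [(section.key, path, reason)] for references the pod cannot satisfy.

    mounts:  [{"mountPath": ..., "secretName": ...}] as rendered into the pod spec
    secrets: {secret name: set of data keys}
    """
    problems = []
    for section, key, path in file_refs(ini_text):
        directory, filename = posixpath.split(path)
        mount = next((m for m in mounts
                      if posixpath.normpath(m["mountPath"]) == directory), None)
        if mount is None:
            reason = "no secret volume mounted at " + directory
        elif mount["secretName"] not in secrets:
            reason = "Secret %s not found" % mount["secretName"]
        elif filename not in secrets[mount["secretName"]]:
            reason = "Secret %s has no key %s" % (mount["secretName"], filename)
        else:
            continue  # reference resolves to a mounted Secret key
        problems.append((section + "." + key, path, reason))
    return problems

# Constructed sample input mirroring the values in the question.
INI = """
[auth.generic_oauth]
enabled = true
client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}
"""
MOUNTS = [{"mountPath": "/etc/secrets/auth_generic_oauth",
           "secretName": "auth-generic-oauth-secret"}]
SECRETS = {"auth-generic-oauth-secret": {"client_secret"}}
```

An empty result means every reference maps to a mounted key; feeding it the mounts actually rendered into the Deployment, rather than the ones written in the values file, is what catches a mount that never made it into the pod spec.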