Reputation: 5678
I recently tried upgrading kube-prometheus-stack on my AWS EKS Kubernetes cluster via Helm to chart v56.2.1
using Terraform and it failed while upgrading Grafana with the following error:
Sensitive key ‘auth.generic_oauth.client_secret’ should not be defined explicitly in values. Use variable expansion instead.
I'm not specifying any client_secret via values.yml
file for that Helm chart but we are using AzureAD for authentication.
How to fix this?
Upvotes: 3
Views: 2358
Reputation: 1960
resource "kubernetes_secret" "grafana" {
  ...
  data = {
    # Grafana reads GF_<SECTION>_<KEY> from its environment and lets it
    # override the matching grafana.ini setting, so no secret has to appear
    # in the chart values.
    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = var.auth_generic_oauth_client_secret
  }
}

resource "helm_release" "kube_prometheus_stack" {
  chart = "kube-prometheus-stack"
  ...
  # Expose every key of the Secret as an environment variable of the Grafana pod.
  set {
    name  = "grafana.envFromSecret"
    value = kubernetes_secret.grafana.metadata[0].name
  }
}
Grafana's Helm chart provides multiple ways to securely mount environment variables: envFromSecret, envRenderSecret, envFromSecrets, envFromConfigMaps, and extraSecretMounts. You can find more information at charts/grafana/values.yaml.

The variable name is in the format of GF_<SectionName>_<KeyName>, as described at grafana/variable-expansion. So:

[auth.google]
client_secret = ...

becomes GF_AUTH_GOOGLE_CLIENT_SECRET. Any env variable that is set will by default override the value if it is also defined in the grafana.ini. If you would like to use the $__file provider, you can use the extraSecretMounts and set the following helm values:
resource "kubernetes_secret" "auth_generic_oauth_secret" {
  ...
  metadata {
    name = "auth-generic-oauth-secret"
  }
  data = {
    "client_id"     = "......"
    "client_secret" = "......."
  }
}

resource "helm_release" "kube_prometheus_stack" {
  ...
  # Mount the Secret as files under /etc/secrets/auth_generic_oauth so that
  # grafana.ini can reference them with the $__file provider.
  set {
    name  = "grafana.extraSecretMounts[0].name"
    value = "auth-generic-oauth-secret-mount"
  }
  set {
    name  = "grafana.extraSecretMounts[0].secretName"
    value = kubernetes_secret.auth_generic_oauth_secret.metadata[0].name
  }
  set {
    # Helm parses --set values as base-10 integers, so 0440 would become
    # decimal 440 (mode 0670). Kubernetes expects defaultMode in decimal:
    # 0440 octal is 288.
    name  = "grafana.extraSecretMounts[0].defaultMode"
    value = "288"
  }
  set {
    name  = "grafana.extraSecretMounts[0].mountPath"
    value = "/etc/secrets/auth_generic_oauth"
  }
  set {
    name  = "grafana.extraSecretMounts[0].readOnly"
    value = "true"
  }
}
Now that the secret is mounted as a file, we can use the $__file provider to set the credentials:

# The escaped dot keeps "grafana.ini" as one key when Helm splits the --set path.
set {
  name  = "grafana.grafana\\.ini.auth.generic_oauth.client_id"
  value = "$__file{/etc/secrets/auth_generic_oauth/client_id}"
}
set {
  name  = "grafana.grafana\\.ini.auth.generic_oauth.client_secret"
  value = "$__file{/etc/secrets/auth_generic_oauth/client_secret}"
}
Upvotes: 0
Reputation: 5678
There are two possible solutions to fix this issue:

1. Set grafana.assertNoLeakedSecrets to false in the values.yml file.

2. If auth.generic_oauth.client_secret is specified in the values.yml file, remove it from that file and set GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET as the environment variable for Grafana.
References:
Upvotes: 6
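Added example (not part of the question or of either answer): a small Python model of the three things both answers rely on, namely what the chart's assertNoLeakedSecrets check rejects (a literal value under a sensitive grafana.ini key), the GF_<SECTION>_<KEY> environment-variable naming that makes the envFromSecret route work, and how a $__file{...} reference is resolved by reading the mounted file at startup. The list of sensitive keys and the rule that a value starting with "$__" counts as variable expansion are assumptions that mirror the chart's error message, not a copy of the chart's template; the configurations and the secret value "hunter2" are constructed for the demonstration.

```python
"""Model of the Grafana chart's leaked-secret check and of $__file expansion."""
import os
import re
import tempfile

# Assumed subset of (section, key) pairs the chart treats as sensitive.
SENSITIVE_KEYS = {
    ("database", "password"),
    ("security", "secret_key"),
    ("security", "admin_password"),
    ("auth.generic_oauth", "client_secret"),
    ("auth.azuread", "client_secret"),
}

FILE_PROVIDER = re.compile(r"^\$__file\{(?P<path>[^}]+)\}$")


def gf_env_name(section: str, key: str) -> str:
    """Map a grafana.ini section/key to Grafana's environment-variable name.

    '[auth.generic_oauth] client_secret' -> GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
    Dots in the section become underscores; everything is upper-cased.
    """
    return f"GF_{section.replace('.', '_')}_{key}".upper()


def leaked_secrets(grafana_ini: dict) -> list:
    """Return 'section.key' entries that hold a literal sensitive value.

    A value starting with '$__' (e.g. $__file{...} or $__env{...}) is a
    provider reference rather than a secret and passes (assumed rule).
    """
    bad = []
    for section, key in sorted(SENSITIVE_KEYS):
        value = grafana_ini.get(section, {}).get(key)
        if value is None:
            continue
        if not str(value).startswith("$__"):
            bad.append(f"{section}.{key}")
    return bad


def resolve_file_provider(value: str) -> str:
    """Expand one $__file{/path} reference by reading the file, as Grafana
    does at startup. Values that are not references are returned unchanged."""
    m = FILE_PROVIDER.match(value)
    if not m:
        return value
    with open(m.group("path"), encoding="utf-8") as fh:
        return fh.read().strip()


def demo() -> dict:
    """Run the leaked and the fixed configuration; returns results for checking."""
    # Constructed 'before' config: the literal client_secret trips the check.
    leaked = {"auth.generic_oauth": {"client_id": "abc", "client_secret": "hunter2"}}

    # Constructed 'after' config: the Secret is mounted as a file and only
    # a $__file reference appears in the values.
    with tempfile.TemporaryDirectory() as mount:
        secret_path = os.path.join(mount, "client_secret")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("hunter2\n")  # what the mounted Kubernetes Secret provides
        fixed = {"auth.generic_oauth": {"client_secret": f"$__file{{{secret_path}}}"}}
        resolved = resolve_file_provider(fixed["auth.generic_oauth"]["client_secret"])
        return {
            "leaked": leaked_secrets(leaked),
            "fixed": leaked_secrets(fixed),
            "resolved": resolved,
            "env_name": gf_env_name("auth.generic_oauth", "client_secret"),
        }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the literal configuration flagged as auth.generic_oauth.client_secret, the $__file configuration passing, and the reference resolving to the file contents; gf_env_name gives the variable name to put in the Secret if you prefer the envFromSecret route from the second answer.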