grafana / helm-charts

Apache License 2.0

Grafana: Add existing secret option for auth #536

Open prateekkhera opened 3 years ago

prateekkhera commented 3 years ago

Currently, for OAuth, the Grafana Helm chart requires you to set the client secret in values.yaml. The client secret is sensitive info and should not be put in values.yaml, but rather should be accepted via an option for an existing secret. Currently, this violates the principle of GitOps, as one can't put a secret in Git. Also, after installation the secrets get stored in a ConfigMap, which is also not correct.

Bfoster-melrok commented 3 years ago

Also waiting for this. Maybe it can be handled similarly to the SMTP config? Provide most of the config in the grafana.ini section, and the sensitive bits can be loaded into environment variables from an existing secret?

sathieu commented 2 years ago

You can do something like this (example with a subchart):

```yaml
grafana:
  envValueFrom:
    GF_AUTH_GENERIC_OAUTH_CLIENT_ID:
      secretKeyRef:
        name: keycloak-client-secret-grafana
        key: CLIENT_ID
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
      secretKeyRef:
        name: keycloak-client-secret-grafana
        key: CLIENT_SECRET
```

mihaigalos commented 8 months ago

> You can do something like this (example with a subchart):
>
> ```yaml
> grafana:
>   envValueFrom:
>     GF_AUTH_GENERIC_OAUTH_CLIENT_ID:
>       secretKeyRef:
>         name: keycloak-client-secret-grafana
>         key: CLIENT_ID
>     GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
>       secretKeyRef:
>         name: keycloak-client-secret-grafana
>         key: CLIENT_SECRET
> ```

Hi @sathieu, this goes in the direction of what I'm looking for.

Can you show how you consume the set GF_AUTH_GENERIC_OAUTH_CLIENT_ID and GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET?

P.S.: Security best practices in our company say that we shouldn't use environment variables for injecting secrets into pods, but instead prefer mounting secrets.

mihaigalos commented 8 months ago

This talks about consuming a mounted file with the secret.

Kubeseal is used to produce a kind: SealedSecret resource which is encrypted and storable in Git. The corresponding k8s operator can unseal it and produce a kind: Secret.

The secret is bind-mounted into a file consumed by the Grafana pod.

Example:

```yaml
grafana.ini:
  auth.generic_oauth:
    enabled: true
    icon: signin
    name: SSO
    allow_sign_up: true
    auto_login: true
    scopes: "openid email profile"
    auth_url: https://login.microsoftonline.com/111-11240-11111/oauth2/v2.0/authorize
    token_url: https://login.microsoftonline.com/111-11240-11111/oauth2/v2.0/token
    client_id: xxxxxxx-xxxxx-xxx-1111
    client_secret: $__file{/etc/secrets/grafana-secret/client_secret}
extraSecretMounts:
  - name: grafana-secret
    secretName: grafana-secret
    defaultMode: 0440
    mountPath: /etc/secrets/grafana-secret
    readOnly: true
```

IMHO this issue is solved if the above works as designed (untested).
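Both approaches in this thread point at a Secret that is created outside the chart and never appears in values.yaml. With envValueFrom, Grafana consumes `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` through its standard `GF_<SECTION>_<KEY>` mapping as an override of `[auth.generic_oauth] client_secret`, so nothing further is needed to "consume" it; with extraSecretMounts, the ini keeps only a `$__file{}` reference that Grafana resolves from the mounted file at startup. What neither comment shows is the check that the chart output really stays free of the value. The script below is an added example, not code from the grafana/helm-charts project or from anyone in this thread: it emits the out-of-band Secret manifest, the values.yaml that names it, and a grep-based gate meant to run over `helm template` output in CI. The names (grafana-secret, the monitoring namespace, the hunter2-example value) are made up, and the "rendered" ConfigMaps it scans are constructed stand-ins for chart output, so it runs offline without kubectl or helm.

```shell
#!/usr/bin/env bash
# Added example; not code from grafana/helm-charts or from the thread above.
# End-to-end shape of the "existing secret" flow: the Secret is created
# outside the chart, values.yaml only names it, and a CI check proves the
# rendered manifests carry no copy of the client secret.
# All names (grafana-secret, namespace monitoring, the secret value) are
# made up, and the "rendered" ConfigMaps are constructed stand-ins for what
# `helm template` prints, so this runs offline without kubectl or helm.
set -eu

# Step 1: the Secret that lives outside values.yaml. Pipe to `kubectl apply -f -`,
# or hand the manifest to kubeseal so only the SealedSecret reaches Git.
oauth_secret_manifest() {
  name=$1 ns=$2 client_secret=$3
  b64=$(printf '%s' "$client_secret" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  client_secret: $b64
EOF
}

# Step 2: values.yaml for the file-provider approach. Nothing sensitive here:
# the ini holds a $__file{} reference and the Secret is mounted read-only.
values_with_existing_secret() {
  name=$1
  cat <<EOF
grafana.ini:
  auth.generic_oauth:
    enabled: true
    client_id: xxxxxxx-xxxxx-xxx-1111
    client_secret: \$__file{/etc/secrets/$name/client_secret}
extraSecretMounts:
  - name: $name
    secretName: $name
    mountPath: /etc/secrets/$name
    readOnly: true
    defaultMode: 0440
EOF
}

# Constructed stand-in for the ConfigMap a chart renders from grafana.ini;
# the caller decides what ends up on the client_secret line.
render_ini_configmap() {
  client_secret_setting=$1
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana
data:
  grafana.ini: |
    [auth.generic_oauth]
    enabled = true
    client_secret = $client_secret_setting
EOF
}

# Step 3: CI gate over `helm template` output. Exit 0 when the secret is
# found, verbatim or base64-encoded (a chart that templated it into its own
# Secret), so callers negate it: the pipeline must fail on a hit.
contains_secret() {
  rendered=$1 client_secret=$2
  b64=$(printf '%s' "$client_secret" | base64 | tr -d '\n')
  grep -qF -e "$client_secret" -e "$b64" "$rendered" && return 0
  return 1
}

# Demo run with a made-up secret value: the file-provider config is clean,
# an inline client_secret in values.yaml lands in the ConfigMap.
demo() {
  secret='hunter2-example'
  good=$(mktemp) bad=$(mktemp)
  render_ini_configmap '$__file{/etc/secrets/grafana-secret/client_secret}' >"$good"
  render_ini_configmap "$secret" >"$bad"
  if contains_secret "$good" "$secret"; then echo "file-provider config leaks the secret"; fi
  if contains_secret "$bad" "$secret"; then echo "inline client_secret leaks into the ConfigMap"; fi
  rm -f "$good" "$bad"
}
demo
```

Run `contains_secret` against a real `helm template ... -f values.yaml` dump before applying, and keep the check negative (the secret must not be found) so that moving client_secret back into values.yaml fails the pipeline. readOnly and defaultMode only limit the file's permissions inside the pod; the Secret itself is still base64 in etcd, so encryption at rest, SealedSecrets or an external secret store remains the control for where the plaintext lives.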