Managing SecretsΒΆ

Some configuration values are considered secrets and cannot be saved in plain text format.

We recommend using SealedSecrets or another secret management system for Kubernetes.

As an alternative, Robusta can pull secret values from Kubernetes secrets.

Pulling Values from Kubernetes SecretsΒΆ

Robusta supports loading sensitive values from Kubernetes Secrets using environment variables. This works for most configuration values, including sinks, globalConfig, and custom_playbooks.

Step-by-Step Example: Inject a Grafana API KeyΒΆ

Let's walk through an example where a Grafana API key is stored in a Kubernetes Secret and used in Robusta's configuration.

1. Create the Kubernetes Secret

First, create a Secret named my-robusta-secrets with the key secret_grafana_key:

kubectl create secret generic my-robusta-secrets \
  --from-literal=secret_grafana_key=YOUR_GRAFANA_API_KEY

2. Reference the Secret as an Environment Variable in Helm

Add the following to your Helm values (generated_values.yaml):

runner:
  additional_env_vars:
    - name: GRAFANA_KEY
      valueFrom:
        secretKeyRef:
          name: my-robusta-secrets
          key: secret_grafana_key

# if you're configuring a secret for HolmesGPT it would be:
holmes:
  additionalEnvVars:
    - name: GRAFANA_KEY
      valueFrom:
        secretKeyRef:
          name: my-robusta-secrets
          key: secret_grafana_key

3. Use the Environment Variable in Robusta Config

You can now reference the environment variable elsewhere in your configuration using the {{ env.VARIABLE_NAME }} syntax:

globalConfig:
  grafana_api_key: "{{ env.GRAFANA_KEY }}"
  grafana_url: http://grafana.namespace.svc

This setup keeps sensitive values out of your Helm files and version control, while still allowing them to be dynamically injected at runtime.