Managing SecretsΒΆ
Some configuration values are considered secrets and cannot be saved in plain text format.
We recommend using SealedSecrets or another secret management system for Kubernetes.
As an alternative, Robusta can pull secret values from Kubernetes secrets.
Pulling Values from Kubernetes SecretsΒΆ
Robusta supports loading sensitive values from Kubernetes Secrets using environment variables. This works for most configuration values, including sinks, globalConfig, and custom_playbooks.
Step-by-Step Example: Inject a Grafana API KeyΒΆ
Let's walk through an example where a Grafana API key is stored in a Kubernetes Secret and used in Robusta's configuration.
1. Create the Kubernetes Secret
First, create a Secret named my-robusta-secrets with the key secret_grafana_key:
kubectl create secret generic my-robusta-secrets \
--from-literal=secret_grafana_key=YOUR_GRAFANA_API_KEY
2. Reference the Secret as an Environment Variable in Helm
Add the following to your Helm values (generated_values.yaml):
runner:
additional_env_vars:
- name: GRAFANA_KEY
valueFrom:
secretKeyRef:
name: my-robusta-secrets
key: secret_grafana_key
# if you're configuring a secret for HolmesGPT it would be:
holmes:
additionalEnvVars:
- name: GRAFANA_KEY
valueFrom:
secretKeyRef:
name: my-robusta-secrets
key: secret_grafana_key
3. Use the Environment Variable in Robusta Config
You can now reference the environment variable elsewhere in your configuration using the {{ env.VARIABLE_NAME }} syntax:
globalConfig:
grafana_api_key: "{{ env.GRAFANA_KEY }}"
grafana_url: http://grafana.namespace.svc
This setup keeps sensitive values out of your Helm files and version control, while still allowing them to be dynamically injected at runtime.