One method to conceal the database credentials when using PostgreSQL with the Grafana helm chart is to use Kubernetes secrets.

Firstly, create a secret containing the database credentials:

kubectl create secret generic grafana-postgres-creds \
     --from-literal=POSTGRES_USER=<username> \
     --from-literal=POSTGRES_PASSWORD=<password>

Next, update the Grafana deployment to use the secret:

...
      containers:
      - name: grafana
        image: grafana/grafana:latest
        env:
        - name: "GF_DATABASE_TYPE"
          value: "postgres"
        - name: "GF_DATABASE_HOST"
          value: "<postgres-host>"
        - name: "GF_DATABASE_PORT"
          value: "5432"
        - name: "GF_DATABASE_NAME"
          value: "<database-name>"
        - name: "GF_DATABASE_USER__FILE"
          value: "/run/secrets/grafana-postgres-creds/POSTGRES_USER"
        - name: "GF_DATABASE_PASSWORD__FILE"
          value: "/run/secrets/grafana-postgres-creds/POSTGRES_PASSWORD"
        volumeMounts:
        - name: grafana-postgres-creds
          readOnly: true
          mountPath: /run/secrets/grafana-postgres-creds
      volumes:
      - name: grafana-postgres-creds
        secret:
          secretName: grafana-postgres-creds
...

In the above deployment configuration, the GF_DATABASE_USER__FILE and GF_DATABASE_PASSWORD__FILE environment variables reference the respective files containing the credentials within the grafana-postgres-creds secret. A volume mount is also specified to make the secret available to the Grafana container.

Once the updated deployment is deployed, the database credentials will be retrieved securely from the secret.
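A pre-deployment check for the wiring described above, added here as an example and not part of the original answer: it flags credentials set inline, the single-underscore `_FILE` spelling (Grafana's image reads `GF_<SECTION>_<KEY>__FILE`), and file paths that do not sit under a read-only secret volume mount. `lint_pod_spec` and `POD_SPEC` are hypothetical names, and the pod spec is constructed to mirror the deployment shown.

```python
import posixpath

# Constructed pod spec mirroring the deployment above (assumption: loaded from
# the rendered manifest; only the fields the check needs are included).
POD_SPEC = {
    "containers": [{
        "name": "grafana",
        "env": [
            {"name": "GF_DATABASE_TYPE", "value": "postgres"},
            {"name": "GF_DATABASE_USER__FILE",
             "value": "/run/secrets/grafana-postgres-creds/POSTGRES_USER"},
            {"name": "GF_DATABASE_PASSWORD__FILE",
             "value": "/run/secrets/grafana-postgres-creds/POSTGRES_PASSWORD"},
        ],
        "volumeMounts": [{"name": "grafana-postgres-creds", "readOnly": True,
                          "mountPath": "/run/secrets/grafana-postgres-creds"}],
    }],
    "volumes": [{"name": "grafana-postgres-creds",
                 "secret": {"secretName": "grafana-postgres-creds"}}],
}

SENSITIVE = ("GF_DATABASE_USER", "GF_DATABASE_PASSWORD")

def lint_pod_spec(spec):
    """Return a list of findings; an empty list means the wiring is sound."""
    findings = []
    secret_vols = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []):
        mounts = c.get("volumeMounts", [])
        for e in c.get("env", []):
            name, value = e["name"], e.get("value", "")
            if name in SENSITIVE and value:
                findings.append(f"{name}: credential set inline in the manifest")
            elif name in {s + "_FILE" for s in SENSITIVE}:
                findings.append(f"{name}: single underscore, expected {name[:-5]}__FILE")
            elif name.endswith("__FILE"):
                path = posixpath.normpath(value)
                m = next((m for m in mounts
                          if path.startswith(m["mountPath"].rstrip("/") + "/")), None)
                if m is None or m["name"] not in secret_vols:
                    findings.append(f"{name}: {value} is not under a secret volume mount")
                elif not m.get("readOnly"):
                    findings.append(f"{name}: mount {m['name']} is not readOnly")
    return findings

if __name__ == "__main__":
    print(lint_pod_spec(POD_SPEC) or "ok")
```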