One method to conceal the database credentials when using PostgreSQL with the Grafana helm chart is to use Kubernetes secrets.
Firstly, create a secret containing the database credentials:
```sh
kubectl create secret generic grafana-postgres-creds \
  --from-literal=POSTGRES_USER=<username> \
  --from-literal=POSTGRES_PASSWORD=<password>
```
Next, update the Grafana deployment to use the secret:
```yaml
# ...
      containers:
        - name: grafana
          image: grafana/grafana:latest
          env:
            - name: "GF_DATABASE_TYPE"
              value: "postgres"
            - name: "GF_DATABASE_HOST"
              value: "<postgres-host>"
            - name: "GF_DATABASE_PORT"
              value: "5432"
            - name: "GF_DATABASE_NAME"
              value: "<database-name>"
            # Grafana reads a setting from a file only when the variable
            # name ends in __FILE (double underscore).
            - name: "GF_DATABASE_USER__FILE"
              value: "/run/secrets/grafana-postgres-creds/POSTGRES_USER"
            - name: "GF_DATABASE_PASSWORD__FILE"
              value: "/run/secrets/grafana-postgres-creds/POSTGRES_PASSWORD"
          volumeMounts:
            # Each key of the secret appears as a file under mountPath.
            - name: grafana-postgres-creds
              readOnly: true
              mountPath: /run/secrets/grafana-postgres-creds
      volumes:
        - name: grafana-postgres-creds
          secret:
            secretName: grafana-postgres-creds
# ...
```

In the above deployment configuration, the `GF_DATABASE_USER__FILE` and `GF_DATABASE_PASSWORD__FILE` environment variables reference the respective files containing the credentials within the `grafana-postgres-creds` secret. A volume mount is also specified to make the secret available to the Grafana container.
Once the updated deployment is applied, the database credentials will be retrieved securely from the secret.
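A check for this setup, added here as an example and not part of the original answer: it inspects a pod spec (the shape found under `spec.template.spec` in `kubectl get deployment -o json`) and reports literal credentials, file variables that miss Grafana's `GF_<Section>_<Key>__FILE` double-underscore form, and file paths that do not sit under a mounted Secret volume. The function name, the `_spec` helper and the sample specs are hypothetical and constructed for illustration.

```python
import posixpath

def check_grafana_db_creds(pod_spec, container_name="grafana"):
    """Return findings about how the Grafana container receives DB credentials."""
    findings = []
    # Names of pod volumes that are backed by a Kubernetes Secret.
    secret_vols = {v["name"] for v in pod_spec.get("volumes", []) if "secret" in v}
    container = next(c for c in pod_spec["containers"] if c["name"] == container_name)
    # Paths inside the container where those Secret volumes are mounted.
    mounts = [m["mountPath"].rstrip("/") for m in container.get("volumeMounts", [])
              if m["name"] in secret_vols]
    for env in container.get("env", []):
        name, value = env["name"], env.get("value")
        if not name.startswith("GF_DATABASE_"):
            continue
        key = name[len("GF_DATABASE_"):]
        if key in ("USER", "PASSWORD") and value is not None:
            findings.append(f"{name}: literal credential in the manifest")
        elif key in ("USER_FILE", "PASSWORD_FILE"):
            findings.append(f"{name}: single underscore, use {name[:-5]}__FILE")
        elif key.endswith("__FILE"):
            path = posixpath.normpath(value or "")
            if not any(path.startswith(m + "/") for m in mounts):
                findings.append(f"{name}: {path} is not under a mounted Secret")
    return findings

def _spec(env, mount_path="/run/secrets/grafana-postgres-creds"):
    # Constructed pod spec mirroring the deployment on this page.
    return {
        "containers": [{
            "name": "grafana",
            "env": [{"name": k, "value": v} for k, v in env.items()],
            "volumeMounts": [{"name": "grafana-postgres-creds", "mountPath": mount_path}],
        }],
        "volumes": [{"name": "grafana-postgres-creds",
                     "secret": {"secretName": "grafana-postgres-creds"}}],
    }

CREDS = "/run/secrets/grafana-postgres-creds"
GOOD = _spec({"GF_DATABASE_USER__FILE": CREDS + "/POSTGRES_USER",
              "GF_DATABASE_PASSWORD__FILE": CREDS + "/POSTGRES_PASSWORD"})
BAD = _spec({"GF_DATABASE_USER": "grafana",  # constructed literal value
             "GF_DATABASE_PASSWORD_FILE": CREDS + "/POSTGRES_PASSWORD",
             "GF_DATABASE_USER__FILE": "/etc/grafana/user"})

if __name__ == "__main__":
    for label, spec in (("good", GOOD), ("bad", BAD)):
        print(label, check_grafana_db_creds(spec))
```

A variable that uses `valueFrom.secretKeyRef` carries no `value` field and is therefore not reported as a literal.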