Provide a way to supply sensitive configuration items

Description

At the moment the only way to configure, for example, Grafana is to add env variables to pmmEnv. Normally we supply sensitive configuration items using Kubernetes secrets, bypassing Helm. This could be made possible by adding an optional value pmmEnvExistingSecret which would expand into envFrom with this secret if not empty.

How to test

None

How to document

None
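The change requested in the description, as an added sketch (not code from the reporter or from the chart): the template fragment is an assumption about how the chart could consume `pmmEnvExistingSecret`, and the Secret name, the Grafana key and the Role are constructed for illustration.

```yaml
# values.yaml: the optional key proposed in the description.
# "pmm-env-secret" is a constructed name; an empty value disables the feature.
pmmEnvExistingSecret: pmm-env-secret
---
# StatefulSet container spec in the chart (hypothetical fragment; the chart's
# real template may be laid out differently). The ConfigMap "pmm" is the one
# named in the workaround comment on this ticket.
envFrom:
  - configMapRef:
      name: pmm
  {{- if .Values.pmmEnvExistingSecret }}
  - secretRef:
      name: {{ .Values.pmmEnvExistingSecret | quote }}
  {{- end }}
---
# Secret created outside Helm (kubectl or a secrets operator), so the value
# never appears in the version-controlled Helm input.
apiVersion: v1
kind: Secret
metadata:
  name: pmm-env-secret
type: Opaque
stringData:
  # Constructed example key using Grafana's GF_<SECTION>_<KEY> env convention.
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "<placeholder, set at deploy time>"
---
# RBAC: read access limited to this one Secret by name. Bind the Role only to
# the identities that manage the secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pmm-env-secret-reader   # constructed name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["pmm-env-secret"]
    verbs: ["get"]
```

Every key in the Secret becomes an environment variable in the container, so the Secret should hold only the variables PMM is meant to receive.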

Activity

Nurlan Moldomurov 17 hours ago

Done in

Artem Baguinski May 14, 2024 at 4:15 AM

We have found a workaround for now that keeps sensitive data out of Helm input (which we keep in version control, that’s why we have to avoid sensitive data there).

We set pmmEnv to false; this makes sure that Helm doesn’t overwrite the config map pmm, but the StatefulSet still uses it if we create one outside Helm. So basically we treat this config map now as “existing secret” and restrict access to it by Kubernetes RBAC.

We are treating this as a temporary solution and keeping an eye on this ticket.

Aaditya Dubey May 13, 2024 at 3:27 PM

Hi

Thank you for the report and feedback.

Artem Baguinski May 13, 2024 at 9:47 AM

I have first filed it on GitHub as

Created May 13, 2024 at 9:45 AM
Updated 17 hours ago