grafana/grizzly

[Feature Request]: Better support for credentials.

lomori opened this issue · 5 comments

Feature Request

We find the handling of credentials described here a bit lacking. Nobody should handle secrets manually. I certainly agree that Grizzly should not export secrets however there are some ways it could help during deployments. One such way is to use placeholders for credentials, and perhaps for other configurations too, and replace them with contents from environment variables at runtime during pushes. A common workflow within K8s is to mount secrets as environment variables and use things like ExternalSecrets to decouple the client from the actual secret backend. This would work very well for CI/CDs where grr is used for dashboards, datasources, and datafolders deployment. Or at least like jsonnet, have an indirect support to it using "--ext-str" and "std.extVar" (not our preferred way). Yes, this could be accomplished using standard Linux source command to create environment variables from a file (secret mount) and then piping the output of envsubst to grr, nevertheless native Grizzly support would be cleaner, IMHO.

You can provide credentials to Grizzly via environment variables as well as context configs. This should solve your problem. See lower down on the page here.

I'm closing this issue now. Please feel free to re-open if this doesn't work for you.

Sorry, maybe my request was not well written. We are not talking the context for Grizzly itself, as your reference appears to indicate. We want an enhancement to better handle secrets. The other reference to your documentation that I sent touches the core point. I'm not sure if I can re-open this ticket. Could you do it for me?

Are you saying you want the migration guide to be updated to reference environment variables? But isn't the migration process a one-off that we wouldn't necessarily want to automate?

If we can identify a clear ask, I can forward that to the authors of the migration guide.

You can manage your datasources as YAML or JSON, but as you say, because they can contain credentials, this isn't the best idea. However, these credentials DO need to be included in the resources pushed to the API.

Therefore, the best approach is to generate these datasources. Have code that pulls them from a secret store or such. Yes, --ext-str in jsonnet can handle this. So either use Jsonnet, or try the new Grafana Foundation SDK if Jsonnet doesn't work for you.