Grafana Agent config in Kubernetes using secret?

Hello,

I am using Grafana Cloud with Kubernetes Integration and followed the getting started configuration instructions.

In the instructions there is a step to deploy a ConfigMap for Grafana Agent. This ConfigMap includes the basic_auth credentials for remote_write to Loki and Prometheus.

In our case, we commit every Kubernetes manifest into Git. And we do not want to commit the YAML with secret credentials.

apiVersion: v1
data:
  agent.yaml: |
    metrics:
      wal_directory: /var/lib/agent/wal
      global:
        scrape_interval: 60s
        external_labels:
          cluster: example.cluster.dev
      configs:
      - name: integrations
        remote_write:
        - url: https://prometheus-prod-01-eu-west-0.grafana.net/api/prom/push 
          basic_auth:
            username: REDACTED
            password: REDACTED

In the documentation of Grafana Agent I cannot find a solution to specify a secret here and not hardcode the credentials into the YAML.

Is it possible to configure the agents so that they get credentials via a Kubernetes Secret?

Hello,

The remote_write config section of the agent is actually the same as the Prometheus remote_write config.

As such, you can use a password_file instead of providing a username and password.

In that case you’d want to create the password file as a secret, then change your deployment/daemonset to mount that secret as a volume, and point to that mounted file in your agent config.

Hope this helps!

2 Likes
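
The approach described in the reply, written out as manifests. This is an added example, not part of the original thread or of Grafana's own manifests; the Secret name `grafana-cloud-credentials`, the key `password`, the mount path, the local file name and the ConfigMap and container names are assumptions.

```yaml
# Create the Secret out-of-band so the password never enters Git, for example:
#   kubectl create secret generic grafana-cloud-credentials \
#     --from-file=password=./grafana-cloud-password.txt
# (Secret name, key, local file name and mount path are assumptions.)
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-agent          # assumed name; use the one from your install
data:
  agent.yaml: |
    metrics:
      wal_directory: /var/lib/agent/wal
      global:
        scrape_interval: 60s
        external_labels:
          cluster: example.cluster.dev
      configs:
      - name: integrations
        remote_write:
        - url: https://prometheus-prod-01-eu-west-0.grafana.net/api/prom/push
          basic_auth:
            username: REDACTED
            # password_file replaces only the inline password field;
            # the agent reads the value from the mounted Secret.
            password_file: /var/run/secrets/grafana-cloud/password
---
# Excerpt of the agent Deployment/DaemonSet: only the fields that change.
# Merge these into the existing workload manifest.
spec:
  template:
    spec:
      containers:
      - name: grafana-agent    # assumed container name
        volumeMounts:
        - name: grafana-cloud-credentials
          mountPath: /var/run/secrets/grafana-cloud
          readOnly: true
      volumes:
      - name: grafana-cloud-credentials
        secret:
          secretName: grafana-cloud-credentials
          items:
          - key: password      # Secret key
            path: password     # file name under mountPath
```

With this layout the ConfigMap and workload manifests can be committed as they are, and only the Secret object, which lives in the cluster and not in the repository, holds the credential.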