Add support for mounting Alloy config from Kubernetes Secrets #4861
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Helm chart would fail to render when rbac.rules or rbac.clusterRules were set to empty arrays, producing invalid YAML. This change adds conditional checks to output valid YAML (empty array syntax) when the rule arrays are empty, allowing users to explicitly disable custom RBAC rules while maintaining valid configuration. Fixes grafana#4778 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
This enhancement addresses issue grafana#443 by allowing users to mount Grafana Alloy configuration from Kubernetes Secrets instead of only from ConfigMaps. This provides better security for configurations containing sensitive credentials. Key changes: - Added `alloy.secret` configuration option in values.yaml - Secret takes precedence over ConfigMap when both are configured - ConfigMap is not created when using Secret - Support for both creating new Secrets and referencing existing ones - Added helper templates for Secret name and key resolution - Updated pod template to conditionally mount Secret or ConfigMap - Added CI test configurations for Secret-based config - Updated documentation in README and README.gotmpl The implementation maintains full backward compatibility with existing ConfigMap-based configurations. Fixes grafana#443 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This enhancement addresses issue #443 by allowing users to mount Grafana Alloy configuration from Kubernetes Secrets instead of only from ConfigMaps. This provides better security for configurations containing sensitive credentials.
Changes
New Features
alloy.secretconfiguration option in values.yaml with the following fields:alloy.secret.create: Create a new Secret for the config filealloy.secret.content: Content to assign to the Secret (supports templating viatpl)alloy.secret.name: Name of existing Secret to usealloy.secret.key: Key in Secret to get config fromImplementation Details
Testing
Documentation
alloy.secretsectionBackward Compatibility
The implementation maintains full backward compatibility with existing ConfigMap-based configurations. Users can continue using ConfigMaps without any changes.
Test Plan
Default behavior (ConfigMap) continues to work:
New Secret creation works:
Referencing existing Secret works:
Usage Example
To use a Secret for your Alloy configuration:
Or to reference an existing Secret:
Fixes #443
🤖 Generated with Claude Code
Co-Authored-By: Claude [email protected]