Declare secrets while integrating okta w/ Percona

Hello!

So I’ve installed Percona using Helm chart pmm-1.2.13 and got it integrated with Okta. All is working perfectly when I declare all Grafana/Okta env vars as done below:

pmmEnv:
  GF_AUTH_OKTA_CLIENT_ID: "123456789"
  GF_AUTH_OKTA_CLIENT_SECRET: "A_BIG_STRING_FROM_OKTA"

  GF_SERVER_ROOT_URL: "https://percona.something.net/graph"
  GF_LOG_CONSOLE: "debug"
  GF_AUTH_OKTA_ENABLED: "true"
  GF_AUTH_OKTA_API_URL: "https://something.okta.com/oauth2/v1/userinfo"
  GF_AUTH_OKTA_AUTH_URL: "https://something.okta.com/oauth2/v1/authorize"
  GF_AUTH_OKTA_TOKEN_URL: "https://something.okta.com/oauth2/v1/token"
  GF_USERS_AUTO_ASSIGN_ORG_ROLE: "Editor"
  GF_AUTH_OKTA_SCOPES: "openid profile email offline_access"

However, I don't want to push this code to GitHub because I don't like the idea of having a client_ID and a client_secret in plain text there.

I have successfully created a k8s secret, but I don't understand how we can reference the secret values in the Helm values.

Here is the secret:

apiVersion: v1
kind: Secret
stringData:
  GF_AUTH_OKTA_CLIENT_ID: <okta_client_id-test>
  GF_AUTH_OKTA_CLIENT_SECRET: <okta_secret-test>
metadata:
  annotations:
    avp.kubernetes.io/path: eks-secret/test-secret
  name: percona-okta-integration-secrets
type: Opaque

Here are my values (the pod is unable to read the values GF_AUTH_OKTA_CLIENT_ID and GF_AUTH_OKTA_CLIENT_SECRET from the secret):

# Add custom values for the percona/pg-operator helm chart. 

secret:
  ## @param secret.name Defines the name of the k8s secret that holds passwords and other secrets
  ##
  name: percona-okta-integration-secrets
  ## @param secret.create If true then secret will be generated by Helm chart. Otherwise it is expected to be created by user.
  ##
  create: false
  GF_AUTH_OKTA_CLIENT_ID: GF_AUTH_OKTA_CLIENT_ID
  GF_AUTH_OKTA_CLIENT_SECRET: GF_AUTH_OKTA_CLIENT_SECRET


pmmEnv:
  GF_AUTH_OKTA_CLIENT_ID: "123456789"
  GF_AUTH_OKTA_CLIENT_SECRET: "A_BIG_STRING_FROM_OKTA"

  GF_SERVER_ROOT_URL: "https://percona.something.net/graph"
  GF_LOG_CONSOLE: "debug"
  GF_AUTH_OKTA_ENABLED: "true"
  GF_AUTH_OKTA_API_URL: "https://something.okta.com/oauth2/v1/userinfo"
  GF_AUTH_OKTA_AUTH_URL: "https://something.okta.com/oauth2/v1/authorize"
  GF_AUTH_OKTA_TOKEN_URL: "https://something.okta.com/oauth2/v1/token"
  GF_USERS_AUTO_ASSIGN_ORG_ROLE: "Editor"
  GF_AUTH_OKTA_SCOPES: "openid profile email offline_access"

  GF_AUTH_OKTA_CLIENT_ID: 
  GF_AUTH_OKTA_CLIENT_SECRET: 

Would really appreciate some help here! Thanks

So I did find a way to use k8s secrets in these environment variables. It is kind of a hack, but it works.

You need to remove the section pmmEnv and move that to a new ConfigMap. So your new Helm values.yaml will look something like this:

# Add custom values for the percona/pg-operator helm chart.

secret:
  ## @param secret.name Defines the name of the k8s secret that holds passwords and other secrets
  ##
  name: percona-okta-integration-secrets
  ## @param secret.create If true then secret will be generated by Helm chart. Otherwise it is expected to be created by user.
  ##
  create: false

And your new ConfigMap will look like this:

apiVersion: v1
data:
  GF_SERVER_ROOT_URL: "https://percona.something.net/graph"
  GF_LOG_CONSOLE: "debug"
  GF_AUTH_OKTA_ENABLED: "true"
  GF_AUTH_OKTA_API_URL: "https://something.okta.com/oauth2/v1/userinfo"
  GF_AUTH_OKTA_AUTH_URL: "https://something.okta.com/oauth2/v1/authorize"
  GF_AUTH_OKTA_TOKEN_URL: "https://something.okta.com/oauth2/v1/token"
  GF_USERS_AUTO_ASSIGN_ORG_ROLE: "Editor"
  GF_AUTH_OKTA_SCOPES: "openid profile email offline_access"
  GF_AUTH_OKTA_CLIENT_ID: <path:eks-secret/test-secret#okta_client_id-test> 
  GF_AUTH_OKTA_CLIENT_SECRET: <path:eks-secret/test-secret#okta_secret-test>
kind: ConfigMap
metadata:
  name: percona-staging-pmm
  namespace: percona-staging

This got it working without issues. Don't forget that I am using AWS Secrets Manager to store the secrets, but a K8s secret probably works.
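Added example, not code from the thread or from Percona's chart: a Python audit over a rendered manifest that reports credential-looking env vars that are not fed from a Secret. The Deployment JSON, the name pattern and the admin-password value are constructed for the example, while the object and variable names follow the thread; ConfigMap-sourced values are reported as findings because the resolved `<path:...>` placeholders above end up stored in a ConfigMap object, which is not protected like a Secret.

```python
import json
import re

# Env var names that look like credentials (pattern constructed for this example).
SENSITIVE = re.compile(r"(SECRET|CLIENT_ID|PASSWORD|TOKEN)$", re.IGNORECASE)

# Constructed rendered Deployment using the thread's names: one credential read from
# the ConfigMap, one from the Secret, one literal, plus envFrom over the ConfigMap.
RENDERED = json.loads("""{
  "kind": "Deployment",
  "spec": {"template": {"spec": {"containers": [{
    "name": "pmm",
    "env": [
      {"name": "GF_AUTH_OKTA_CLIENT_ID", "valueFrom": {"configMapKeyRef":
        {"name": "percona-staging-pmm", "key": "GF_AUTH_OKTA_CLIENT_ID"}}},
      {"name": "GF_AUTH_OKTA_CLIENT_SECRET", "valueFrom": {"secretKeyRef":
        {"name": "percona-okta-integration-secrets", "key": "GF_AUTH_OKTA_CLIENT_SECRET"}}},
      {"name": "GF_SERVER_ROOT_URL", "value": "https://percona.something.net/graph"},
      {"name": "GF_SECURITY_ADMIN_PASSWORD", "value": "constructed-plaintext"}
    ],
    "envFrom": [{"configMapRef": {"name": "percona-staging-pmm"}}]
  }]}}}
}""")

def classify_env_source(env_entry):
    """Return where a single `env` entry gets its value from."""
    if "value" in env_entry:
        return "literal"
    ref = env_entry.get("valueFrom", {})
    return next((k for k in ("secretKeyRef", "configMapKeyRef") if k in ref), "other")

def audit_pod_env(manifest):
    """Return (name, source) for credential-looking env vars not fed from a Secret.
    ConfigMap sources count: a ConfigMap has its own RBAC and no Secret encryption."""
    findings = []
    # Handles a bare Pod (spec.containers) and workloads (spec.template.spec).
    pod_spec = manifest.get("spec", {}).get("template", manifest).get("spec", {})
    for container in pod_spec.get("containers", []):
        for env in container.get("env", []):
            source = classify_env_source(env)
            if SENSITIVE.search(env["name"]) and source != "secretKeyRef":
                findings.append((env["name"], source))
        for env_from in container.get("envFrom", []):
            if "configMapRef" in env_from:  # every ConfigMap key becomes an env var
                findings.append(("*", "envFrom:configMapRef/" + env_from["configMapRef"]["name"]))
    return findings

if __name__ == "__main__":
    for name, source in audit_pod_env(RENDERED):
        print(f"{name}: sourced from {source}, expected secretKeyRef")
```

Feed it the JSON of a live object, for example from `kubectl get deployment <name> -o json`, to verify that the chart really wired the credentials through secretKeyRef rather than through the ConfigMap.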
