Constructing a connection string from kubernetes secret

Hi there,

I’m trying to reference a kubernetes secret component in an mssql component to construct the connection string, however it doesn’t seem to be possible and I can’t find anything in the documentation that would point me otherwise.

Here’s my relevant config:

    remote.kubernetes.secret "sql" {
      namespace = "alloy"
      name = "sql-password"
    }
    
    prometheus.exporter.mssql "demo" {
      connection_string = "sqlserver://grafana-alloy:" + remote.kubernetes.secret.sql.data.pwd + "@mssql:1433&trustservercertificate=true"
    }

This does not work and errors with:

Error: /etc/alloy/config.alloy:32:58: remote.kubernetes.secret.sql.data.pwd should be one of [number string] for binop +, got capsule
31 | prometheus.exporter.mssql "demo" {
32 |   connection_string = "sqlserver://grafana-alloy:" + remote.kubernetes.secret.sql.data.pwd + "@mssql:1433&trustservercertificate=true"
   |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
33 | }

Any assistance would be appreciated (I’d rather not store the whole connection string in the Kubernetes secret, since the vast majority of it… isn’t actually secret).

So it looks like you can do this if you mark the secret export as nonsensitive, like this:

connection_string = "sqlserver://grafana-alloy:" + nonsensitive(remote.kubernetes.secret.sql.data.pwd) + "@mssql:1433?trustservercertificate=true"

However, the value of the secret then can appear in a log, which I saw due to a second error in my config above, where the &trustservercertificate=true should actually be ?trustservercertificate=true.

I need to validate that it’s not visible in the UI or somewhere else, but if anyone has a way to concatenate secrets that would be great.