Environment variables in datasources.yaml

Grafana Configuration
1

Hi, I’m trying to use datasources secrets as environment variables in k8s and I have problem with secret which is as certificate. If I paste it as plain text it works but not works with environment variable, others datasources works correctly.
Working config:

 datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: prometheus
        type: prometheus
        url: http://prometheus-operated:9090/
        access: proxy
        isDefault: true
      - name: "Google Cloud Monitoring"
        type: stackdriver
        access: proxy
        jsonData:
          tokenUri: "https://oauth2.googleapis.com/token"
          clientEmail: ${grafana_cloud_monitoring_email}
          authenticationType: "jwt"
          defaultProject: ${grafana_cloud_monitoring_project}
        secureJsonData:
          privateKey: |
            -----BEGIN PRIVATE KEY-----
            key
            -----END PRIVATE KEY-----

Not working config.

 datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: prometheus
        type: prometheus
        url: http://prometheus-operated:9090/
        access: proxy
        isDefault: true
      - name: "Google Cloud Monitoring"
        type: stackdriver
        access: proxy
        jsonData:
          tokenUri: "https://oauth2.googleapis.com/token"
          clientEmail: ${grafana_cloud_monitoring_email}
          authenticationType: "jwt"
          defaultProject: ${grafana_cloud_monitoring_project}
        secureJsonData:
          privateKey: ${grafana_cloud_monitoring_private_key}

How can I add privateKey as env variable when it is as certifcate? With one line secrets it works.

2

how are you setting the env var? Are you using any special character for newlines or escapes?

3

I’m actually running into the same issue, I’ve tried different options with no luck. Assuming that I’ve got my key in a json file, I’ve tried setting the ENV value using the following commands (both cases preserve the newlines):

SA_SECRET=`cat sac-grafana-key.json | jq .private_key`  # keeps the " at the beginning and end
SA_SECRET=`cat sac-grafana-key.json | jq .private_key | tr -d '"'`  # removes the " characters without turning newlines to spaces i.e. the jq raw option

In combination with the following yaml setup (tried every possible combination):

secureJsonData:
      privateKey: $SA_SECRET
---
secureJsonData:
      privateKey: "$SA_SECRET"
---
secureJsonData:
      privateKey: |
           $SA_SECRET

If I put the secret verbatim as a oneliner (with quotes surrounding it), things do work, but I haven’t been able to make it work with environment variables :confused:

I guess the main question is how to pass environment variables with newlines to the yaml configuration properly.

Any help/suggestion is appreciated.

4

Responding to myself as I found the solution. I was hung up on keeping the escaped newlines (\n) in the token, but that just doesn’t work. However non escaped newlines do work, so in this case getting the token from the json file in raw format is sufficient:

SA_SECRET=`jq -r .private_key $KEY_FILE`

In case you want to verify that, remember to use printf as echo can’t handle those newlines.

printf %s "$SA_SECRET"

See this Github repo for the complete example.