Hide user and password values in basic authentication configuration - Promtail

marcossoares · August 8, 2023, 8:55pm

Promtail Helm chart version: 6.11.2.

I define the env vars:

extraEnv:
  - name: LOKI_USERNAME
    valueFrom:
      secretKeyRef:
        name: auth
        key: USER
  - name: LOKI_PASSWORD
    valueFrom:
      secretKeyRef:
        name: auth
        key: PASSWORD

And then this setup doesn’t work (401 Unauthorized):

    config:
      clients:
        - url: https://loki-url/loki/api/v1/push
          basic_auth:
            username: $LOKI_USERNAME
            password: $LOKI_PASSWORD

In the configmap file I can see that the values are $LOKI_USERNAME and $LOKI_PASSWORD literali.

I use argocd to deploy so there is no way I can expose the credentials. Can anyone help me?

yosiasz · August 9, 2023, 12:29am

Maybe leverage a .env file or a environment variable? Or a secret in gitlab?

b0b · August 9, 2023, 12:44pm

Have you set this in your values.yaml

extraArgs:
  - -config.expand-env

And then you should use ${} for the environment variables

clients:
  - basic_auth:
      password: ${LOKI_PASSWORD}
      username: ${LOKI_USERNAME}