Hi,
I am deploying kube-prometheus-stack helm chart for monitoring kubernetes cluster. For alertmanager notifications I had setup API URL for slack using Incoming WebHooks.
In values.yaml file I have a snippet as shown below:
receivers:
- name: ‘null’
slack_configs:
- send_resolved: true
channel: ‘#monitoring-k8s’
api_url: ‘slack-webhook-url’
Here I do not want to pass the api_url as a direct value by exposing it, instead from a kubernetes secret which was created manually before deploying this helm chart using the below command:
kubectl create secret generic alertmanager-secrets --from-literal=api_url=‘https://hooks.slack.com/services/XXXXXXXX/XXXXXXXXXXXX/XXXXXXXXXXXXXX’
So how can I pass/replace the the value for api_url from the value in kubernetes secret.
Thank You.
Alert manager route definition expects the endpoint URL to be defined as a string in the receiver section of its configuration YAML. You can’t give it a reference to a kube secret.
You also cannot get helm to read a value from a deployed secret to use as a values input.
If you don’t want the URL in the values file, then you’ll have to pass it as a command line argument to helm with --set
Then how can we pass any confidential/sensitive information like API URL’s or credentials in helm charts. I have mentioned slack as an example but I also have email_configs where I need to pass smtp/gmail credentials securely with in the helm chart.
Kindly let me know how can we achieve this.
Thank you.
You need to integrate your CI/CD system with something like Hashicorp Vault or AWS Secrets Manager so that secrets may be picked and injected at deployment time.
After all, a kube secret is not very secret. It’s just base64 encoded text.