smtp.existingSecret mentioned in docs but not used
According to the documentation, there is an option to specify SMTP credentials with a secret; however, it is not used anywhere in the templates.
You can verify this on this search query https://github.com/grafana/helm-charts/search?q=existingSecret&type=code
I have a similar issue with Loki Stack /charts/loki-stack
Could you please also add how you would create a secret? How to set the hostname?
This is still an issue, even in the latest release.
I can confirm that smtp.existingSecret does not work. Credentials are not extracted from the secret.
I believe this is still the case, I am using kube-prometheus-stack
Workaround: You can fill the SMTP on grafana.ini, for example:
```yaml
grafana:
  grafana.ini:
    smtp:
      enabled: true
      host: <host>:<port>
      skip_verify: true
      from_address: [email protected]
      password:
      user:
```
full config doc here: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#smtp
Yes, but this is still not a good enough solution. It means that you'd be hardcoding your SMTP credentials into the chart, and thus, into your version control system.
Hi @druskus20 ... I also have trouble with this ... but I can't even get it working with the hardcoded solution. I am using Grafana as a subchart in kube-prometheus-stack. If I specify password and user hardcoded, I get the following error when deploying this with argoCD:
Error: execution error at (kube-prometheus-stack/charts/grafana/templates/deployment.yaml:36:28): Sensitive key 'smtp.password' should not be defined explicitly in values. Use variable expansion instead
So I think I am currently also stuck with the hardcoded solution, as using existingSecret is not working and neither is the hardcoded version. Any hints on that?
THX, mscdit
I went back to this recently.
```yaml
grafana:
  smtp:
    # `existingSecret` is a reference to an ALREADY EXISTING secret containing the smtp configuration
    # for Grafana.
    existingSecret: "grafana-smtp-auth"
    userKey: "user"
    passwordKey: "password"
  grafana.ini:
    log:
      level: debug
      mode: "file console"
    server:
      root_url: https://myurl.com
    smtp:
      enabled: true
      skip_verify: true # both true and false tried
      from_address: myaddr
      host: myhost
      # instead of putting it here, we can feed it a secret (above)
      #user: REDACTED
      #password: REDACTED
```
Do not mistake grafana.smtp with grafana.grafana.ini.smtp
We can then create this secret manually, or use something like SealedSecrets to encrypt it and store it safely in our version control system
```yaml
extraManifests:
  - apiVersion: bitnami.com/v1alpha1
    kind: SealedSecret
    metadata:
      creationTimestamp: null
      name: grafana-smtp-auth
      namespace: monitoring
    spec:
      encryptedData:
        password: REDACTED
        user: REDACTED
      template:
        name: grafana-smtp-auth
        namespace: monitoring
        type: Opaque
```
This should result in:
```ini
# /etc/grafana/grafana.ini
# ...
[smtp]
enabled = true
from_address = REDACTED
host = REDACTED
skip_verify = true
```
And the environment variables GF_SMTP_USER and GF_SMTP_PASSWORD populated from our secret.
```
# env | grep GF
...
GF_SMTP_PASSWORD=REDACTED
GF_SMTP_USER=REDACTED
```
However, Grafana still fails to send the message:
However, hardcoding password and user in grafana.ini works. Looks to me like mixing both environment variables and grafana.ini (for smtp) is incompatible (though it should not be). This is not a good workaround.
Seems to me like this issue should be replaced by "SMTP Authentication: mixing both environment variables and grafana.ini is incompatible"?
The title of the issue is misleading, as existingSecret is in fact working as intended, although maybe it is a bit confusing and should be clearly specified that the secret must be created manually, outside of the grafana chart.
It is working, but you have to configure it like this:
```yaml
grafana:
  smtp:
    existingSecret: "grafana-smtp-secret"
    passwordKey: "password"
    userKey: "user"
  grafana.ini:
    smtp:
      enabled: true
      host: host.com:587
      from_address: [email protected]
```
By the way, there is guidance to put triple quotes if your password has special characters; that is not necessary here.
```yaml
grafana:
  smtp:
    existingSecret: "grafana-smtp-auth"
    userKey: "user"
    passwordKey: "password"
  grafana.ini:
    smtp:
      enabled: true
      skip_verify: true
      from_address: example@example
      host: host:587
```
This is not working for me. As I said, the values get populated as config files / env variables inside the container but the message sending still fails.
This worked for me
```yaml
grafana:
  grafana.ini:
    server:
      root_url: https://grafana.company.com
    smtp:
      host: email-smtp.aws_region.amazonaws.com:587
      from_address: [email protected]
      enabled: "true"
  smtp:
    # `existingSecret` is a reference to an ALREADY EXISTING secret containing the smtp configuration
    # for Grafana.
    existingSecret: "grafana-smtp-secret"
    userKey: "user"
    passwordKey: "password"
  assertNoLeakedSecrets: true
```
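The two mistakes this thread keeps returning to (literal SMTP credentials under grafana.ini, and secret-reference keys placed under grafana.ini.smtp instead of smtp) can be caught before a values file is committed. The following is an added example, not code from the chart or from any commenter; the function name `lint_smtp_values`, the sample values, and the treatment of values starting with `$__` or `${` as Grafana variable expansion are assumptions of this sketch.

```python
# Added example: lint parsed Helm values for the SMTP credential mistakes
# discussed in this thread. BAD and GOOD below are constructed samples.
CREDENTIAL_KEYS = ("password", "user")  # grafana.ini [smtp] keys holding credentials
SECRET_REF_KEYS = ("existingSecret", "passwordKey", "userKey")  # chart-level smtp keys


def _is_true(value):
    # Values files in the thread use both `true` and "true".
    return str(value).lower() == "true"


def lint_smtp_values(values, grafana_path=("grafana",)):
    """Return findings for the Grafana values located at grafana_path.

    Use ("grafana",) when Grafana is a subchart (kube-prometheus-stack) and ()
    when the values file targets the grafana chart directly.
    """
    node = values
    for key in grafana_path:
        node = node.get(key) or {}
    ini_smtp = (node.get("grafana.ini") or {}).get("smtp") or {}
    chart_smtp = node.get("smtp") or {}
    findings = []

    # Literal credentials in grafana.ini end up in version control.
    for key in CREDENTIAL_KEYS:
        value = ini_smtp.get(key)
        # Assumption: "$__..." / "${...}" values are variable expansion, not literals.
        if value not in (None, "") and not str(value).startswith(("$__", "${")):
            findings.append(f"hardcoded grafana.ini smtp.{key}")

    # Secret reference keys are chart values, not grafana.ini settings.
    for key in SECRET_REF_KEYS:
        if key in ini_smtp:
            findings.append(f"{key} is under grafana.ini.smtp; move it to smtp")

    if chart_smtp.get("existingSecret") and not _is_true(ini_smtp.get("enabled")):
        findings.append("smtp.existingSecret set but grafana.ini smtp.enabled is not true")
    if _is_true(ini_smtp.get("enabled")) and not ini_smtp.get("host"):
        findings.append("grafana.ini smtp.enabled is true but smtp.host is missing")
    return findings


BAD = {"grafana": {"grafana.ini": {"smtp": {
    "enabled": True, "host": "smtp.example.test:587", "user": "alerts",
    "password": "constructed-not-real", "existingSecret": "grafana-smtp-auth"}}}}
GOOD = {"grafana": {
    "smtp": {"existingSecret": "grafana-smtp-secret", "userKey": "user", "passwordKey": "password"},
    "grafana.ini": {"smtp": {"enabled": "true", "host": "smtp.example.test:587"}}}}
```

Load the real values file with a YAML parser of your choice and pass the resulting dict in; the check only reads the two smtp blocks.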