
PMM-14839: Add External Secrets Operator support for OAuth credentials#793

Open
kapendra007 wants to merge 3 commits intopercona:mainfrom
kapendra007:PMM-14839-external-secrets-oauth

Conversation

@kapendra007

Summary

This PR adds support for External Secrets Operator (ESO) integration to fetch OAuth credentials from external secret management systems for Grafana authentication in the PMM Helm chart.

Jira Issue

https://perconadev.atlassian.net/browse/PMM-14839

Motivation

  • Organizations using secret management systems (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) need a secure way to inject OAuth credentials without storing them in values files
  • Current PMM chart only supports standard Kubernetes Secrets
  • External Secrets Operator is widely adopted in enterprise Kubernetes environments for secret management

Changes Made

1. Generic External Secrets Configuration (values.yaml)

  • Added externalSecrets section with OAuth support
  • Provider-agnostic design (works with any OAuth provider: Okta, Google, Azure AD, GitHub, GitLab, etc.)
  • Backend-agnostic design (works with any secret backend: Vault, AWS, Azure, GCP, etc.)
  • Configurable refresh interval, secret store reference, and data mappings

2. ExternalSecret Template (templates/external-secret-oauth.yaml)

  • Creates ExternalSecret custom resource when enabled
  • Maps remote secrets to Kubernetes secret keys
  • Supports custom annotations and labels
  • Includes validation for required fields

3. StatefulSet Integration (templates/statefulset.yaml)

  • Injects OAuth credentials from ExternalSecret as environment variables
  • Conditionally enabled only when externalSecrets.oauth.enabled is true
  • Uses secret references for GF_AUTH_GENERIC_OAUTH_CLIENT_ID and GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET

4. Documentation (README.md)

  • Added "External Secrets Integration" section to parameters table
  • Included comprehensive usage examples for:
    • HashiCorp Vault with Okta
    • AWS Secrets Manager
    • Azure Key Vault
  • Documented all new configuration parameters

5. Chart Version Bump (Chart.yaml)

  • Bumped version from 1.5.1 to 1.5.2

Backward Compatibility

Fully backward compatible - existing deployments are not affected:

  • externalSecrets.enabled defaults to false
  • Standard Kubernetes secret creation (secret.create: true) continues to work as before
  • No breaking changes to existing configuration

Testing

  • helm lint passes successfully
  • helm template renders correctly with externalSecrets.enabled=true
  • helm template renders correctly with externalSecrets.enabled=false (default)
  • ✅ ExternalSecret resource created only when explicitly enabled
  • ✅ OAuth environment variables injected correctly in StatefulSet

Usage Example

externalSecrets:
  enabled: true
  oauth:
    enabled: true
    secretStoreRef:
      name: vault-backend
      kind: SecretStore
    data:
      - secretKey: "GF_AUTH_GENERIC_OAUTH_CLIENT_ID"
        remoteRef:
          key: "secret/data/prod/pmm/oauth"
          property: "client_id"
      - secretKey: "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"
        remoteRef:
          key: "secret/data/prod/pmm/oauth"
          property: "client_secret"

pmmEnv:
  GF_AUTH_GENERIC_OAUTH_ENABLED: 'true'
  GF_AUTH_GENERIC_OAUTH_AUTH_URL: 'https://oauth-provider.com/authorize'
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL: 'https://oauth-provider.com/token'
  GF_AUTH_GENERIC_OAUTH_API_URL: 'https://oauth-provider.com/userinfo'
Benefits

  • Secure credential management - No sensitive data in values files or source control
  • Automatic rotation - Secrets sync automatically based on refresh interval
  • Universal compatibility - Works with any OAuth provider and secret backend
  • Zero breaking changes - Existing deployments continue working without modification
  • Well documented - Comprehensive examples for multiple providers

Checklist

  • Code follows Percona Helm chart conventions
  • Chart version bumped appropriately
  • README updated with new parameters
  • Usage examples provided
  • Backward compatibility maintained
  • Helm lint passes
  • Templates render correctly
  • Jira issue referenced in commit message

Related Links

  • External Secrets Operator: https://external-secrets.io/
  • PMM Documentation: https://docs.percona.com/percona-monitoring-and-management/

- Add generic externalSecrets configuration to values.yaml
- Create external-secret-oauth.yaml template for ESO integration
- Update StatefulSet to inject OAuth credentials from ExternalSecret
- Support any OAuth provider (Okta, Google, Azure AD, GitHub, GitLab, etc.)
- Support any secret backend (Vault, AWS, Azure, GCP, etc.)
- Maintain backward compatibility with existing secret management
- Update README with parameters documentation and usage examples
- Bump chart version from 1.5.1 to 1.5.2

This change enables secure credential management using External Secrets
Operator without storing sensitive data in values files. The implementation
is provider-agnostic and backend-agnostic, allowing users to integrate with
their existing secret management infrastructure.

Jira: https://perconadev.atlassian.net/browse/PMM-14839
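The ExternalSecret object and StatefulSet env entries that the usage example above corresponds to, written out here as an added illustration rather than the chart's actual rendered output; the object name pmm-oauth-credentials, the label and the 1h refreshInterval are assumptions, everything else comes from the values block in the PR description.

```yaml
# Assumed object/Secret name; the chart's real naming is not shown in the PR.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: pmm-oauth-credentials
  labels:
    app.kubernetes.io/name: pmm   # assumed label
spec:
  refreshInterval: 1h             # assumed value for the configurable refresh interval
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: pmm-oauth-credentials   # Kubernetes Secret that ESO creates and keeps in sync
    creationPolicy: Owner
  data:
    # Each entry maps one property of the remote secret to one key in the target Secret.
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
      remoteRef:
        key: secret/data/prod/pmm/oauth
        property: client_id
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
      remoteRef:
        key: secret/data/prod/pmm/oauth
        property: client_secret
---
# StatefulSet container env excerpt: Grafana reads the credentials from the synced
# Secret, so neither value ever appears in values.yaml or in the rendered manifests.
env:
  - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: pmm-oauth-credentials
        key: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
  - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: pmm-oauth-credentials
        key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
```

Because the secretKeyRef entries are not marked optional, the pod will not start until ESO reports the ExternalSecret as Ready, so checking `kubectl get externalsecret` is the first step when the PMM pod sits in a container-config error after enabling this.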
@kapendra007 kapendra007 requested a review from a team as a code owner February 17, 2026 11:54
@kapendra007 kapendra007 requested review from JiriCtvrtka and maxkondr and removed request for a team February 17, 2026 11:54
@it-percona-cla

it-percona-cla commented Feb 17, 2026

CLA assistant check
All committers have signed the CLA.
