Description
Request
I would like an easier way to manage the config and secrets containing the authentication. Currently, we are forced into the only sensible pattern of setting env vars from secrets with `agent.extraEnv` and hoping that the keys defined in the secret match up to the substitution variable defined in the config.
Ideally we would use remote config but the functionality is still a little bit limited at the time of writing. So we need something that is similar enough to a remote config but safer. Hence, I would prefer to have the option of mounting a secret (we can RBAC safely) which contains the config with authentication details.
Use case
Considering that the use of authentication for remote write is common, it is not out of the ordinary that we may want to store the config as a secret with the authentication baked in. I am well aware of the usage of env vars which can be substituted in easily (via say ${SOME_PASSWORD}), but the reality is that if we are pulling in secrets with custom mounting + extra env setting then it is actually simpler to combine the config and the secret, mount once and skip the extra env stuff!
Obviously we can indeed just mount arbitrary k8s secrets, but the way the helm chart is structured means that we cannot easily point the binary to run against the mounted volume. We can "cheat" by setting `.Values.agent.mode` as something that is not "flow" or "static", which will free us from the mandated setting of `{{ include "grafana-agent.config-map.key" . }}`. Then all we need is to pass in `.Values.agent.extraArgs` pointing to the custom mounted volume. Evidently this is not ideal as we are taking multiple steps to bypass the deliberate construction of the helm chart. A more user-friendly approach should let us:
- Mount the config as secret directly
- Allow an alternative location for the config file in `static` mode, i.e. the full file path; the flow mode has the ability to declare the location of the credentials so not required.
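
The key-matching risk in the current `agent.extraEnv` pattern can be checked before deploying. The following is an added example, not part of the original issue or of the chart: a small lint that cross-checks the `${NAME}` substitutions in a config against the env entries and the keys actually present in the referenced Secrets. The function name, sample config, Secret name and keys are constructed for illustration; the env entries use the standard Kubernetes `valueFrom.secretKeyRef` shape.

```python
import re

# Matches the ${NAME} form shown in the issue; anything after the name
# inside the braces (e.g. a default) is ignored. Assumption of this example.
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)[^}]*\}")


def lint_env_wiring(config_text, extra_env, secrets):
    """Return sorted findings; an empty list means config, env and Secrets agree.

    extra_env: list shaped like Kubernetes EnvVar objects
    secrets:   {secret_name: set_of_keys}
    """
    referenced = set(VAR_RE.findall(config_text))
    defined, findings = set(), []
    for entry in extra_env:
        name = entry["name"]
        defined.add(name)
        ref = entry.get("valueFrom", {}).get("secretKeyRef")
        if ref is None:
            continue  # literal value, nothing to resolve
        keys = secrets.get(ref["name"])
        if keys is None:
            findings.append(f"{name}: Secret '{ref['name']}' not found")
        elif ref["key"] not in keys:
            findings.append(f"{name}: key '{ref['key']}' not in Secret '{ref['name']}'")
    findings += [f"{v}: used in config but not set via extraEnv" for v in referenced - defined]
    findings += [f"{v}: set via extraEnv but not used in config" for v in defined - referenced]
    return sorted(findings)


# Constructed sample input; all names and the URL are illustrative.
SAMPLE_CONFIG = """
remote_write:
  - url: https://metrics.example.invalid/push
    basic_auth:
      username: ${REMOTE_WRITE_USER}
      password: ${SOME_PASSWORD}
"""
SAMPLE_EXTRA_ENV = [
    {"name": "REMOTE_WRITE_USER",
     "valueFrom": {"secretKeyRef": {"name": "agent-auth", "key": "username"}}},
    {"name": "SOME_PASWORD",  # deliberate typo in the env name
     "valueFrom": {"secretKeyRef": {"name": "agent-auth", "key": "passwd"}}},
]
SAMPLE_SECRETS = {"agent-auth": {"username", "password"}}

if __name__ == "__main__":
    print("\n".join(lint_env_wiring(SAMPLE_CONFIG, SAMPLE_EXTRA_ENV, SAMPLE_SECRETS)))
```

Mounting the whole config from a single Secret, as requested above, removes the need for this cross-check because there is no separate name mapping left to drift.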