Improve docs on configuring secrets (#1785)

aantn · arikalon1 · web-flow · commit 5ffa1785460f · 2025-04-21T14:39:15.000+03:00
* Update configuration-secrets.rst

* CR fixes

---------

Co-authored-by: Arik Alon &lt;alon.arik@gmail.com&gt;
diff --git a/docs/setup-robusta/configuration-secrets.rst b/docs/setup-robusta/configuration-secrets.rst
@@ -11,32 +11,55 @@ As an alternative, Robusta can pull secret values from Kubernetes secrets.
 Pulling Values from Kubernetes Secrets
 --------------------------------------------------
 
-Robusta can pull values from Kubernetes secrets for:
+Robusta supports loading sensitive values from Kubernetes Secrets using environment variables.
+This works for most configuration values, including sinks, globalConfig, and custom_playbooks.
 
-* Sink Configuration
-* Global Config
-* Action Parameters
+Step-by-Step Example: Inject a Grafana API Key
+==================================================
+Let's walk through an example where a Grafana API key is stored in a Kubernetes Secret and used in Robusta's configuration.
+
+**1. Create the Kubernetes Secret**
+
+First, create a Secret named ``my-robusta-secrets`` with the key ``secret_grafana_key``:
+
+.. code-block:: bash
+
+  kubectl create secret generic my-robusta-secrets \
+    --from-literal=secret_grafana_key=YOUR_GRAFANA_API_KEY
+
+**2. Reference the Secret as an Environment Variable in Helm**
+
+Add the following to your Helm values (generated_values.yaml):
 
-To do so, first define an environment variable based on a Kubernetes secret. Add to Robusta's Helm values:
 
 .. code-block:: yaml
 
-   runner:
-     additional_env_vars:
-     - name: GRAFANA_KEY
-       valueFrom:
-         secretKeyRef:
-           name: my-robusta-secrets
-           key: secret_grafana_key
+  runner:
+    additional_env_vars:
+      - name: GRAFANA_KEY
+        valueFrom:
+          secretKeyRef:
+            name: my-robusta-secrets
+            key: secret_grafana_key
 
+  # if you're configuring a secret for HolmesGPT it would be:
+  holmes:
+    additionalEnvVars:
+      - name: GRAFANA_KEY
+        valueFrom:
+          secretKeyRef:
+            name: my-robusta-secrets
+            key: secret_grafana_key
 
-Then reference that environment variable in other Helm values using the special ``{{ env.VARIABLE }}`` syntax:
+**3. Use the Environment Variable in Robusta Config**
+
+You can now reference the environment variable elsewhere in your configuration using the ``{{ env.VARIABLE_NAME }}`` syntax:
 
 .. code-block:: yaml
 
-   globalConfig:
-     grafana_api_key: "{{ env.GRAFANA_KEY }}"
-     grafana_url: http://grafana.namespace.svc
 
-Finally, make sure the Kubernetes secret actually exists. In this example, create a Secret named ``my-robusta-secrets``
-with a ``secret_grafana_key`` value inside.
+  globalConfig:
+    grafana_api_key: "{{ env.GRAFANA_KEY }}"
+    grafana_url: http://grafana.namespace.svc
+
+This setup keeps sensitive values out of your Helm files and version control, while still allowing them to be dynamically injected at runtime.
