Document shared Prometheus auth config between runner and Holmes

claude · claude · commit 9ccd26f3086f · 2026-02-18T10:25:38.000Z
When using external Prometheus with authentication and HolmesGPT enabled, users must configure the same secret twice (for the runner and Holmes). This adds documentation showing how to use a single Kubernetes Secret referenced by both components via environment variables. - Add "Sharing Prometheus Auth Between Runner and Holmes" section to configuration-secrets.rst - Add "Authentication with HolmesGPT" section to metric-providers-external.rst - Add comment in values.yaml noting the Holmes auth requirement https://claude.ai/code/session_0182WJ9kNfUzm2h12TsWH9d5
diff --git a/docs/configuration/metric-providers-external.rst b/docs/configuration/metric-providers-external.rst
@@ -76,6 +76,30 @@ To use this token add the following env var to the ``runner``:
         prometheus_auth: "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
         alertmanager_auth: "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
 
+.. _holmes-prometheus-auth:
+
+Authentication with HolmesGPT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have HolmesGPT enabled (``enableHolmesGPT: true``), Holmes runs as a separate deployment and needs its own Prometheus authentication configuration. You must configure auth for both the runner (via ``globalConfig``) and Holmes (via ``holmes.toolsets``):
+
+.. code-block:: yaml
+
+    globalConfig:
+        prometheus_url: "https://prometheus.example.com:9090"
+        prometheus_auth: "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
+
+    holmes:
+      toolsets:
+        prometheus/metrics:
+          enabled: true
+          config:
+            prometheus_url: "https://prometheus.example.com:9090"
+            headers:
+              Authorization: "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
+
+To avoid duplicating the secret in plain text, use a Kubernetes Secret and environment variables. See :ref:`Sharing Prometheus Auth Between Runner and Holmes <Managing Secrets>` for a step-by-step guide.
+
 Multi-cluster Setup
 -------------------
 
diff --git a/docs/setup-robusta/configuration-secrets.rst b/docs/setup-robusta/configuration-secrets.rst
@@ -63,3 +63,63 @@ You can now reference the environment variable elsewhere in your configuration u
     grafana_url: http://grafana.namespace.svc
 
 This setup keeps sensitive values out of your Helm files and version control, while still allowing them to be dynamically injected at runtime.
+
+Sharing Prometheus Auth Between Runner and Holmes
+==================================================
+
+When using an external Prometheus with authentication and HolmesGPT enabled, you need to configure the same credentials in two places:
+
+- ``globalConfig.prometheus_auth`` — used by the Robusta runner
+- ``holmes.toolsets.prometheus/metrics.config.headers.Authorization`` — used by HolmesGPT
+
+To avoid duplicating secrets in plain text, store the credential once in a Kubernetes Secret and reference it from both components:
+
+**1. Create the Kubernetes Secret**
+
+.. code-block:: bash
+
+  kubectl create secret generic prometheus-auth-secret -n robusta \
+    --from-literal=auth="Basic dXNlcm5hbWU6cGFzc3dvcmQ="
+
+**2. Reference it from both the runner and Holmes**
+
+.. code-block:: yaml
+
+  runner:
+    additional_env_vars:
+      - name: PROMETHEUS_AUTH
+        valueFrom:
+          secretKeyRef:
+            name: prometheus-auth-secret
+            key: auth
+
+  holmes:
+    additionalEnvVars:
+      - name: PROMETHEUS_AUTH
+        valueFrom:
+          secretKeyRef:
+            name: prometheus-auth-secret
+            key: auth
+
+**3. Use the environment variable in both configs**
+
+.. code-block:: yaml
+
+  globalConfig:
+    prometheus_url: "https://prometheus.example.com:9090"
+    prometheus_auth: "{{ env.PROMETHEUS_AUTH }}"
+
+  holmes:
+    toolsets:
+      prometheus/metrics:
+        enabled: true
+        config:
+          prometheus_url: "https://prometheus.example.com:9090"
+          headers:
+            Authorization: "{{ env.PROMETHEUS_AUTH }}"
+
+This way the secret is stored once in Kubernetes and injected into both the runner and Holmes at runtime.
+
+.. note::
+
+   Both the runner and Holmes need the environment variable injected separately because they run as separate deployments. The ``runner.additional_env_vars`` injects into the runner pod, while ``holmes.additionalEnvVars`` injects into the Holmes pod.
diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
@@ -24,6 +24,10 @@ automountServiceAccountToken: true
 enableHolmesGPT: false
 
 # see https://docs.robusta.dev/master/user-guide/configuration.html#global-config and https://docs.robusta.dev/master/configuration/additional-settings.html#global-config
+# NOTE: If using external Prometheus with auth and HolmesGPT, you must also configure
+# holmes.toolsets.prometheus/metrics.config.headers.Authorization with the same credentials.
+# See https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html for how to
+# avoid duplicating secrets using Kubernetes Secrets and environment variables.
 globalConfig:
   check_prometheus_flags: true
   grafana_url: ""
