Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,9 @@ Official open source Helm charts for Graylog.

## Available modules

* charts/graylog - official Graylog helm chart
* docs - documentation for testing and configuration guides
* examples - example values files and Kubernetes manifests
* [charts/graylog](charts/graylog/README.md) - official Graylog helm chart
* [docs](docs/) - documentation for testing and configuration guides
* [examples](/examples/) - example values files and Kubernetes manifests

---
<small>&copy; 2025 <a href="https://graylog.org">Graylog, Inc.</a></small>
<small>&copy; 2026 <a href="https://graylog.org">Graylog, Inc.</a></small>
3 changes: 3 additions & 0 deletions charts/graylog/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,9 @@ Then, configure `ingress.web.tls` and `ingress.config.issuer` with the name of a
and let `cert-manager` do the rest!

# Installation
## Pre Installation
> [!WARNING]
> If you are managing the deployment of this chart through GitOps (ArgoCD, Flux etc), you must manually generate the Graylog Secrets resource. Otherwise auto generated credentials will rotate after initial deployment. Refer to the [Graylog Secrets](../../docs/graylog-secrets.md) doc for requirements of that secret.

## Installing on Kubernetes

Expand Down
59 changes: 59 additions & 0 deletions docs/graylog-secrets.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
# Graylog Secrets

This guide explains how to configure the Kubernetes secrets required by the Graylog Helm chart. Graylog requires a Kubernetes Secret object containing credentials for authentication and backend service access. You can either let the Helm chart create this secret for you or manage it externally and reference it in your values file.

## Required Keys
`GRAYLOG_MONGODB_URI`: The full MongoDB URI, including the user, password, address, port, and database name for Graylog to use.

Example: `mongodb://admin:some-password@mongodb-1-svc.graylog-helm-1.svc.cluster.local:27017/graylog_helm_1?authSource=admin`

`GRAYLOG_ROOT_USERNAME`: The initial admin user name you will use to login.

`GRAYLOG_PASSWORD_SECRET`: The initial admin password you will use to login.

`GRAYLOG_ROOT_PASSWORD_SHA2`: The SHA256 hash of the password you set for `GRAYLOG_PASSWORD_SECRET`
```bash
$ echo -n "my-password" | sha256sum
6fa2288c361becce3e30ba4c41be7d8ba01e3580566f7acc76a7f99994474c46
```

## Optional Keys

`GRAYLOG_S3_CLIENT_DEFAULT_SECRET_KEY`: Secret key for S3 backend. Only required if using features that require S3 access via keys.

`GRAYLOG_S3_CLIENT_DEFAULT_ACCESS_KEY`: Access key for S3 backend. Only required if using features that require S3 access via keys.

## Secret Example

The following is an example of a valid Kubernetes Secret managed externally from the Graylog Helm chart.
```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: my-graylog-secret
data:
GRAYLOG_MONGODB_URI: bW9uZ29kYjovL2FkbWluOnNvbWUtcGFzc3dvcmRAbW9uZ29kYi0xLXN2Yy5ncmF5bG9nLWhlbG0tMS5zdmMuY2x1c3Rlci5sb2NhbDoyNzAxNy9ncmF5bG9nX2hlbG1fMT9hdXRoU291cmNlPWFkbWluJnJlcGxpY2FTZXQ9bW9uZ29kYi0x
GRAYLOG_ROOT_USERNAME: bXktZ3JheWxvZy11c2Vy
GRAYLOG_PASSWORD_SECRET: bXktZ3JheWxvZy1wYXNzd29yZA==
GRAYLOG_ROOT_PASSWORD_SHA2: MGFmMzhhYzUyOWU2NTMxNTJhYmM5MmNkMjY5OGI3Yjc1MTM3NjliY2M3OWRiMjIyODVhMTMxNTM0ZjQ2ZWVlYQ==
GRAYLOG_S3_CLIENT_DEFAULT_SECRET_KEY: ""
GRAYLOG_S3_CLIENT_DEFAULT_ACCESS_KEY: ""
```

## Setting Your Secret

In your own values file, set the name of your secret as the `global.existingSecretName` parameter.
```yaml
global:
existingSecretName: my-graylog-secret
```

**OR**

Alternatively, set the secret name via the Helm CLI:

```bash
helm upgrade --install some-graylog charts/graylog/ \
--set global.existingSecretName=my-graylog-secret
```
Loading