We use GitOps to manage our Kubernetes clusters, so we store the Helm values in a Git repo. To avoid having the access/refresh tokens stored in plaintext in that repo, we need to provide an existing Secret to the deployment. We provision the secret using an operator that takes a GPG-encrypted YAML file and creates a K8S secret from it.
While I was working on this chart, I also moved the access/refresh tokens out of the env into a secret (that is then mounted into the deployment). This is a bit more secure and allows RBAC measures to prevent cluster users from snooping on the token values.
Which issue this PR fixes if any
n/a
Special notes for your reviewer:
n/a
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
What this PR does / why we need it:
We use GitOps to manage our Kubernetes clusters, so we store the Helm values in a Git repo. To avoid having the access/refresh tokens stored in plaintext in that repo, we need to provide an existing Secret to the deployment. We provision the secret using an operator that takes a GPG-encrypted YAML file and creates a K8S secret from it.
This is pretty common practice and can be seen in other helm charts in the wild. For example, the Bitnami redis chart: https://github.com/bitnami/charts/blob/master/bitnami/redis/values.yaml#L120
While I was working on this chart, I also moved the access/refresh tokens out of the
env
into a secret (that is then mounted into the deployment). This is a bit more secure and allows RBAC measures to prevent cluster users from snooping on the token values.Which issue this PR fixes if any
n/a
Special notes for your reviewer:
n/a
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]