Open pedroamantecon opened 7 months ago
@pedroamantecon you mean to have it as a k8s secret? Or totally external to the system?
Yeah as a k8s secret
@pedroamantecon you want the secret to be deployed by the user separately from trivy-operator deployment, or it will be deployed as part of trivy-operator deployment?
Separately. In my case specifically, I deploy secrets using KSOPS
Fwiw, I publish all my kubernetes manifests to git repos as well. When I need to plant secrets in a yaml file, in CI I'll use a tool like j2cli to do environment variable substitution in the yaml file to plant the secret there from my CI job's environment variables. Which is a much simpler solution than requiring every kubernetes tool I use to have an option to respect an externally managed Secret.
Not necessarily saying it shouldn't also be made to respect externally managed Secrets. But there are other options for GitOps patterns for kubernetes manifests that don't involve putting the actual secret in the repo.
As the GitOps approach becomes more prevalent, having a hardcoded webhook URL in a repository is not ideal and certainly not secure. I think having the ability to store any sensitive information as an external secret or encrypted in any way would be a logical step.
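
The CI-side substitution pattern mentioned in the comments above, as an added example that is not part of the original thread or of trivy-operator. Python's `string.Template` stands in for j2cli here, and the Secret name, its key and the `WEBHOOK_URL` variable are hypothetical.

```python
import json
import re
import sys
from string import Template

# Constructed template as it would be committed to git: placeholders only.
# The Secret name and key are hypothetical, not trivy-operator's own.
SECRET_TEMPLATE = """\
apiVersion: v1
kind: Secret
metadata:
  name: webhook-credentials
type: Opaque
stringData:
  WEBHOOK_URL: ${WEBHOOK_URL}
"""

_LITERAL_URL = re.compile(r"https?://\S+")
_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def find_hardcoded_urls(text):
    """Return literal URLs found in a file destined for the repo."""
    return _LITERAL_URL.findall(text)


def render_manifest(template, env):
    """Fill ${VAR} placeholders from env, failing closed on unset values."""
    names = set(_PLACEHOLDER.findall(template))
    missing = sorted(n for n in names if not env.get(n))
    if missing:
        raise KeyError("unset or empty CI variables: " + ", ".join(missing))
    # json.dumps yields a valid double-quoted YAML scalar, so a value with
    # quotes, colons or newlines cannot add keys to the manifest.
    quoted = {n: json.dumps(env[n]) for n in names}
    return Template(template).substitute(quoted)


if __name__ == "__main__":
    import os
    # Write to a file rather than stdout so the value stays out of CI logs.
    fd = os.open(sys.argv[1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(render_manifest(SECRET_TEMPLATE, os.environ))
```

Running `find_hardcoded_urls` over the committed template in a pre-merge check catches a literal webhook URL before it reaches the repository.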