aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

Allow the webhook url to be set as an external secret #1918

Open pedroamantecon opened 7 months ago

pedroamantecon commented 7 months ago

As the GitOps approach becomes more prevalent, having a hardcoded webhook url in a repository is not ideal and certainly not secure. I think having the ability to store any sensitive information as an external secret or encrypted in any way would be a logical step.

chen-keinan commented 7 months ago

@pedroamantecon you mean to have it as a k8s secret? Or totally external to the system?

pedroamantecon commented 7 months ago

Yeah as a k8s secret

chen-keinan commented 7 months ago

@pedroamantecon you want the secret to be deployed by the user separately from the trivy-operator deployment, or will it be deployed as part of the trivy-operator deployment?

pedroamantecon commented 7 months ago

Separately. In my case specifically, I deploy secrets using KSOPS

Starttoaster commented 6 months ago

Fwiw, I publish all my Kubernetes manifests to git repos as well. When I need to plant secrets in a yaml file, in CI I'll use a tool like j2cli to do environment variable substitution in the yaml file to plant the secret there from my CI job's environment variables, which is a much simpler solution than requiring every Kubernetes tool I use to have an option to respect an externally managed Secret.

Not necessarily saying it shouldn't also be made to respect externally managed Secrets. But there are other options for GitOps patterns for Kubernetes manifests that don't involve putting the actual secret in the repo.
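The CI-side substitution pattern described in the comment above, as an added example that is not part of this thread and not code from trivy-operator or j2cli. It uses Python's standard `string.Template` in place of Jinja2 so it runs without extra packages; the Secret name `trivy-operator-webhook`, the key `webhookUrl`, the variable `WEBHOOK_URL` and the example URL are all constructed placeholders. The committed template holds only a placeholder; the CI job renders it from its environment, base64-encodes the value (a Kubernetes Secret's `data` field must hold base64), and fails closed if the variable is missing or a placeholder survives into the output.

```python
import base64
import os
from string import Template

# Constructed template: this is the file that lives in the git repo.
# It carries only a placeholder, never the webhook URL itself.
SECRET_TEMPLATE = """apiVersion: v1
kind: Secret
metadata:
  name: trivy-operator-webhook
type: Opaque
data:
  webhookUrl: ${WEBHOOK_URL_B64}
"""


def template_leaks_secret(template: str, secret_value: str) -> bool:
    """Pre-commit guard: True if the template already contains the real value."""
    return secret_value in template


def render_secret_manifest(template: str, env: dict) -> str:
    """Render the manifest from CI environment variables.

    Raises KeyError when WEBHOOK_URL is absent and ValueError when it is empty,
    so the CI job stops instead of applying a manifest with a blank secret.
    """
    url = env["WEBHOOK_URL"]  # KeyError if the CI job forgot to set it
    if not url:
        raise ValueError("WEBHOOK_URL is set but empty")
    encoded = base64.b64encode(url.encode()).decode()
    # substitute() (not safe_substitute) raises if a placeholder is unresolved
    return Template(template).substitute(WEBHOOK_URL_B64=encoded)


def rendered_is_clean(rendered: str) -> bool:
    """Post-render guard: no unresolved placeholder survives into the manifest."""
    return "${" not in rendered and "$WEBHOOK" not in rendered


def decode_webhook_url(rendered: str) -> str:
    """Read the value back the way the cluster would see it, for verification."""
    for line in rendered.splitlines():
        stripped = line.strip()
        if stripped.startswith("webhookUrl:"):
            b64 = stripped.split(":", 1)[1].strip()
            return base64.b64decode(b64).decode()
    raise ValueError("webhookUrl key not found in rendered manifest")


if __name__ == "__main__":
    # In CI the value comes from os.environ; the fallback is a constructed example.
    ci_env = {
        "WEBHOOK_URL": os.environ.get(
            "WEBHOOK_URL", "https://hooks.example.invalid/constructed-placeholder"
        )
    }
    assert not template_leaks_secret(SECRET_TEMPLATE, ci_env["WEBHOOK_URL"])
    manifest = render_secret_manifest(SECRET_TEMPLATE, ci_env)
    assert rendered_is_clean(manifest)
    print(manifest)  # this output is piped to kubectl apply, never committed
```

The two guards are the part worth keeping: `template_leaks_secret` catches the case where someone pastes the real URL into the repo file, and `rendered_is_clean` catches a CI job that applied an unrendered template. Both are cheap to run as a CI step before `kubectl apply`.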