Management of K8s secrets leaks data in the Object that creates the Secret.
What problem are you facing?
Management of K8s secrets leaks data in the Object that creates the Secret.
Kubernetes apply will publish the secret data in the annotation (see wontfix https://github.com/kubernetes/kubernetes/issues/29923). This makes sense on the Secret itself, however provider-kubernetes includes the secret data in the Object annotations and in spec.forProvider.manifest.
PR https://github.com/crossplane-contrib/provider-kubernetes/pull/193 addressed this in the object's status, but we are still leaking data in the managed Object.
For example, creating the following secret using a patch from another Secret will leak the data in spec.forProvider.manifest:
How could Crossplane help solve your problem?
I'm not sure what the proper solution is, some ideas I had:
- SecretRef that pulls selected keys during the Observe loop.
- Secret Object
- patchesFrom to hide fields in the forProvider
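An audit for the exposure described in this issue, as an added example that is not part of the original report or of provider-kubernetes: it walks an exported Object and reports every place a Secret manifest with a payload is embedded, listing key names only. The sample Object, its name, its apiVersion and the kubectl annotation key are constructed for illustration.

```python
import json

def secret_payloads(node, path):
    """Yield (path, key names) for each Secret manifest with data under node."""
    if isinstance(node, dict):
        if node.get("kind") == "Secret":
            keys = sorted({**(node.get("data") or {}), **(node.get("stringData") or {})})
            if keys:
                yield path, keys
        for k, v in node.items():
            yield from secret_payloads(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from secret_payloads(v, f"{path}[{i}]")

def audit_object(obj):
    """Return [(location, key names)] for Secret data embedded in one Object."""
    meta = obj.get("metadata") or {}
    manifest = ((obj.get("spec") or {}).get("forProvider") or {}).get("manifest")
    findings = list(secret_payloads(manifest, "spec.forProvider.manifest"))
    for key, raw in (meta.get("annotations") or {}).items():
        try:
            decoded = json.loads(raw)
        except (TypeError, ValueError):
            continue  # annotation value is not JSON, nothing to walk
        findings += secret_payloads(decoded, f"metadata.annotations[{key}]")
    return findings

def constructed_sample():
    """Constructed Object (not from the issue) as it looks after `kubectl apply`."""
    obj = {
        "apiVersion": "kubernetes.crossplane.io/v1alpha2",  # assumed version
        "kind": "Object",
        "metadata": {"name": "copied-secret"},
        "spec": {"forProvider": {"manifest": {
            "apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": "copied", "namespace": "default"},
            "data": {"password": "Y29uc3RydWN0ZWQ="},  # base64 of "constructed"
        }}},
    }
    # kubectl apply stores the whole applied manifest in this annotation
    obj["metadata"]["annotations"] = {
        "kubectl.kubernetes.io/last-applied-configuration": json.dumps(obj)}
    return obj

if __name__ == "__main__":
    for where, keys in audit_object(constructed_sample()):
        print(f"secret payload at {where}: keys={keys}")
```

Values are never printed, so the audit output itself can be shared in a ticket without repeating the leak.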