ipedrazas / drone-helm

Helm (Kubernetes) plugin for drone.io
MIT License

Secrets can be leaked in debug and on error #52

Closed rporres closed 6 years ago

rporres commented 6 years ago

Secrets that are passed as values using the values option can be leaked when using debug mode or in case of error as the whole helm command will be printed.

I don't know if there's a good fix for this as I don't know if it can be determined which of those values come from drone env variables, e.g. DRONE_TAG, or from custom secrets, e.g. SECRET_PASSWORD in the README example

rporres commented 6 years ago

Hi @ipedrazas May I ask why this is not an issue or how I can work around it?

ipedrazas commented 6 years ago

The only way of not leaking secrets is not to set those values. If you need to inject values that are secrets, you have to accept that those values might be leaked.

I know it's not great, but I'd rather fix the process than patch a tool that should not be doing what it does.

Happy to leave the issue open, but I don't have any bandwidth to solve any issues with this repo right now.

rporres commented 6 years ago

Since leaking secrets is not an option for me as repos are public, for the moment the workaround is to create secrets in k8s beforehand, modify the chart to use them instead of the bare values and refer to those secrets from helm

> I know it's not great, but I'd rather fix the process than patch a tool that should not be doing what it does.

What do you mean by "fix the process"?

> Happy to leave the issue open, but I don't have any bandwidth to solve any issues with this repo right now.

I'd say it is better to leave it open, as it would mark in a clearer fashion that the issue is not resolved. I will send a PR to add a cautionary message in the README

As for the solution, I'm happy to give it a try. If you have any ideas of how this should be fixed, please share.
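The workaround described above, written out as an added example that is not code from the drone-helm project or from any commenter: the Secret is created ahead of time outside the pipeline (a plain manifest here; a separate "secrets" chart as the maintainers do works the same way), the application chart accepts only the name of that existing Secret, and the drone-helm step passes that name together with the non-secret values, so the helm command the plugin prints on debug or on error never contains the password itself. The names `myapp-db`, `existingSecret`, `DB_PASSWORD`, the Drone 0.x `pipeline:` syntax and the plugin image reference are assumptions for illustration.

```yaml
# --- file: secret.yaml (applied once by an operator, e.g. `kubectl apply -f secret.yaml`,
# or rendered by a separate chart; never referenced from .drone.yml and never committed
# with a real value). Assumed name: myapp-db.
apiVersion: v1
kind: Secret
metadata:
  name: myapp-db
type: Opaque
stringData:
  password: "<set-out-of-band>"   # placeholder; the real value never enters the pipeline

# --- file: charts/myapp/values.yaml
# The chart no longer has a `secret.password` value at all; it only takes a Secret name.
# existingSecret: myapp-db

# --- file: charts/myapp/templates/deployment.yaml (relevant part)
# The pod resolves the password by reference inside the cluster, so neither the rendered
# manifest nor `helm --debug` output ever contains it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: "myapp:{{ .Values.image.tag }}"
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.existingSecret }}"
                  key: password

# --- file: .drone.yml (assumed Drone 0.x step syntax and plugin image)
# Only non-sensitive values go through `values`, so the command drone-helm logs,
# e.g. `helm upgrade --install ... --set image.tag=v1.2.3,existingSecret=myapp-db`,
# is safe to print even in a public repository's build log.
pipeline:
  helm_deploy:
    image: quay.io/ipedrazas/drone-helm
    release: myapp
    chart: ./charts/myapp
    values: image.tag=${DRONE_TAG},existingSecret=myapp-db
```

The check that matters after adopting this layout is a grep of the chart and pipeline for any remaining `--set`/`values:` entry that carries secret material; the cluster credentials the plugin itself needs still have to come from Drone secrets, but those are consumed by the plugin, not echoed as part of the helm command line.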

ipedrazas commented 6 years ago

That's exactly what I do, all the secrets are created by a different chart and pods consume them.

rimusz commented 6 years ago

@ipedrazas I do it the same way too, secrets come from a different chart. It also makes it easier to maintain your main chart releases.