Store database password in Secret

[leihchen]

Description: https://github.com/operate-first/curator/blob/01503fcc88d578fb0b9da7a9f00d1e332bd0de38/Documentation/config/config.env#L8 The database password is passed as plain text in configMap. Considering using Secret?

[skanthed]

We are already passing all environment variables to the config map generator and that all are converted into secrets. Once we have the database table we will make sure over there to keep the type.

[leihchen]

This is still an unsolved issue. Database password is visible as plaintext in configMap: https://console-openshift-console.apps.smaug.na.operate-first.cloud/k8s/ns/koku-metrics-operator/configmaps/backup-config-kffbgh9f46.

[larsks]

@leihchen Can you clarify what the problem is? The contents of secrets and configmaps in kubernetes (or openshift) are always visible as plaintext. If you have access to the namespace that contains the data, you can see it.

If the password is being stored in plaintext in this repository that is a problem, but otherwise it sounds like things are behaving as designed.

[leihchen]

@larsks I was suggesting using Secret to store database password instead of configMap.

[larsks]

That's fine, as long as you realize that secrets also store information as plain text. By default there's no functional difference between the two. The advantage to using a secret is primarily informational (it tells you, "this information should be treated carefully"), and because by having a separate resource type you can apply difference access policies, etc. to them. But simply moving from a configmap to a secret doesn't really get you anything in terms of security.

[leihchen]

OK. Thank you!