bryopsida opened a new issue, #140:
URL: https://github.com/apache/couchdb-helm/issues/140
**Is your feature request related to a problem? Please describe.**
Several security benchmarking tools look for patterns like this.
``` yaml
- name: "ADMINHASH"
  valueFrom:
    secretKeyRef:
      name: somename
      key: adminHash
```
And mark a finding due to policies such as:
- https://avd.aquasec.com/compliance/kubernetes/cis-kubernetes-benchmarks-v1.23-1.23/5.4.1/
- https://www.tenable.com/policies/cloud-security/AC_K8S_0051
- https://www.tenable.com/audits/items/DISA_STIG_Kubernetes_v1r11.audit:fdb2906c002a74a6f822c62bef0d8ed0
**Describe the solution you'd like**
It would be nice if there was an option/toggle such as:
`secretsAsFiles: true`
That, when enabled, removed all usage such as:
``` yaml
- name: "ADMINHASH"
  valueFrom:
    secretKeyRef:
      name: somename
      key: adminHash
```
This would be off/disabled by default to preserve existing behavior and
allow users to opt in if they want it.
I'm willing to take on the PR to do this but may need some guidance on the
preferred way to wire in the values as files.
From looking at the manifests, the following properties would need to be
provided through files:
- COUCHDB_ERLANG_COOKIE
- COUCHDB_SECRET
- COUCHDB_PASSWORD
- COUCHDB_USER
- ADMINUSERNAME
- ADMINHASH
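A minimal version of the kind of check the linked policies describe, as an added example that is not part of the original issue or of the couchdb-helm project: it walks a workload manifest (as parsed JSON, for instance from `helm template` output converted to JSON) and reports every container variable sourced from a Secret. The container names, `PLAIN_SETTING`, and the `/run/secrets/couchdb` mount path are assumptions made for the sample; real benchmarking tools may apply additional logic.

```python
def pod_spec(manifest):
    """Return the pod spec of a Pod, a templated workload, or a CronJob."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def find_secret_env_refs(manifest):
    """List (container, variable, secret, key) for each Secret exposed via env."""
    findings = []
    spec = pod_spec(manifest)
    for group in ("initContainers", "containers"):
        for ctr in spec.get(group) or []:
            for var in ctr.get("env") or []:
                ref = (var.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append(
                        (ctr["name"], var["name"], ref.get("name"), ref.get("key")))
            for src in ctr.get("envFrom") or []:
                ref = src.get("secretRef")
                if ref:  # envFrom imports every key of the Secret
                    findings.append((ctr["name"], "*", ref.get("name"), "*"))
    return findings


# Constructed sample (not the chart's real manifest): one container uses the
# pattern from the issue, a hypothetical second one mounts the Secret as files.
SAMPLE = {
    "kind": "StatefulSet",
    "spec": {"template": {"spec": {
        "containers": [
            {"name": "env-style", "env": [
                {"name": "ADMINHASH", "valueFrom": {
                    "secretKeyRef": {"name": "somename", "key": "adminHash"}}},
                {"name": "PLAIN_SETTING", "value": "not-a-secret"},
            ]},
            {"name": "file-style", "volumeMounts": [
                {"name": "creds", "mountPath": "/run/secrets/couchdb",
                 "readOnly": True}]},
        ],
        "volumes": [{"name": "creds", "secret": {"secretName": "somename"}}],
    }}},
}

if __name__ == "__main__":
    for ctr, var, secret, key in find_secret_env_refs(SAMPLE):
        print(f"{ctr}: env {var} <- secret {secret}/{key}")
```

Only the `env-style` container is reported; the container that reads the same Secret through a read-only volume mount produces no finding, which is the outcome the proposed toggle is after.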