
Option to project secrets as files

Open bryopsida opened this issue 9 months ago • 0 comments

Is your feature request related to a problem? Please describe.

Several security benchmarking tools look for patterns like this:

            - name: "ADMINHASH"
              valueFrom:
                secretKeyRef:
                  name: somename
                  key: adminHash

And mark a finding due to policies such as:

  • https://avd.aquasec.com/compliance/kubernetes/cis-kubernetes-benchmarks-v1.23-1.23/5.4.1/
  • https://www.tenable.com/policies/cloud-security/AC_K8S_0051
  • https://www.tenable.com/audits/items/DISA_STIG_Kubernetes_v1r11.audit:fdb2906c002a74a6f822c62bef0d8ed0

Describe the solution you'd like

It would be nice if there was an option/toggle such as:

secretsAsFiles: true

That, when enabled, removed all usage such as:

            - name: "ADMINHASH"
              valueFrom:
                secretKeyRef:
                  name: somename
                  key: adminHash

This would be off/disabled by default to preserve existing behavior and allow users to opt in if they want it.

I'm willing to take on the PR to do this but may need some guidance on the preferred way to wire in the values as files.

From looking at the manifests, the following properties would need to be provided through files:

  • COUCHDB_ERLANG_COOKIE
  • COUCHDB_SECRET
  • COUCHDB_PASSWORD
  • COUCHDB_USER
  • ADMINUSERNAME
  • ADMINHASH

bryopsida, May 17 '24 22:05
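
Added example, not part of the original issue or of the couchdb-helm chart: a small check for the pattern the benchmarks linked above flag, listing every secret a workload injects through `env`/`envFrom` next to the secrets it projects as files. It assumes the manifest is available as a parsed dict; the sample manifest, the `adminUsername` key, `LOG_LEVEL` and the mount path are constructed placeholders.

```python
# Constructed sample: a trimmed workload manifest as a dict (e.g. parsed from
# `kubectl get statefulset <name> -o json`). All names are placeholders.
SAMPLE = {"kind": "StatefulSet", "spec": {"template": {"spec": {
    "volumes": [{"name": "creds", "secret": {"secretName": "somename"}}],
    "initContainers": [{"name": "init", "envFrom": [{"secretRef": {"name": "somename"}}]}],
    "containers": [{
        "name": "couchdb",
        "env": [
            {"name": "COUCHDB_USER", "valueFrom": {"secretKeyRef": {"name": "somename", "key": "adminUsername"}}},
            {"name": "ADMINHASH", "valueFrom": {"secretKeyRef": {"name": "somename", "key": "adminHash"}}},
            {"name": "LOG_LEVEL", "value": "info"},
        ],
        "volumeMounts": [{"name": "creds", "mountPath": "/run/secrets/couchdb", "readOnly": True}],
    }],
}}}}


def _containers(workload):
    """Return the pod spec and all of its containers, init containers first."""
    pod = workload["spec"]["template"]["spec"]
    return pod, pod.get("initContainers", []) + pod.get("containers", [])


def secret_env_findings(workload):
    """(container, env var, secret, key) for each secret injected through env."""
    _, containers = _containers(workload)
    findings = []
    for c in containers:
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                findings.append((c["name"], env["name"], ref["name"], ref.get("key")))
        for src in c.get("envFrom", []):  # envFrom exposes every key of the secret
            if "secretRef" in src:
                findings.append((c["name"], "*", src["secretRef"]["name"], None))
    return findings


def secret_file_mounts(workload):
    """(container, mountPath, secret) for each secret projected as files."""
    pod, containers = _containers(workload)
    vols = {v["name"]: v["secret"]["secretName"] for v in pod.get("volumes", []) if "secret" in v}
    return [(c["name"], m["mountPath"], vols[m["name"]])
            for c in containers for m in c.get("volumeMounts", []) if m["name"] in vols]


if __name__ == "__main__":
    for finding in secret_env_findings(SAMPLE):
        print("env-injected secret:", finding)
    for mount in secret_file_mounts(SAMPLE):
        print("file-projected secret:", mount)
```

With an opt-in toggle like the one requested, a rendered manifest would be expected to return an empty list from `secret_env_findings`.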