Brian Grant

Results 229 comments of Brian Grant

KRM-driven infrastructure is infrastructure configured via the Kubernetes Resource Model, such as via https://github.com/GoogleCloudPlatform/k8s-config-connector or crossplane.io. Filed a specific issue to define or remove it: #3377.

We're unlikely to allow mounts. That won't work with packages fetched via the package orchestrator. We're considering how to pass arbitrary files as input (#3118). Network access may still be...

Yes, definitely as much as is practical we should recommend automatically rotated secrets: service accounts, workload identity, managed certs, and so on.

https://dnastacio.medium.com/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd mentions https://external-secrets.io/. Video: https://www.youtube.com/watch?v=SyRZe5YVCVk. This is kind of like GitOps, but with a secret store as the storage system instead of git. Looks like Jenkins-X uses external secrets: https://jenkins-x.io/v3/devops/gitops/...

This controller includes a secret generator: https://github.com/mittwald/kubernetes-secret-generator

For completeness, kustomize supports secret generation plugins. https://github.com/kubernetes-sigs/kustomize/blob/master/examples/secretGeneratorPlugin.md Example plugin: https://github.com/viaduct-ai/kustomize-sops

External secrets was inducted into the CNCF sandbox: https://lists.cncf.io/g/cncf-toc/message/7273

We probably want a mechanism to help users not commit Secrets to git.

Thanks for the example, @delve! Each variant requires variant-specific inputs. If the image tag or digest is one of those inputs, how did you want to propagate a new value...

@delve What do you think about the approach of creating a package with all common attributes and the function pipeline (a "blueprint"), clone one copy of it per environment via...