Unable to provide webhook api_key auth values as secret
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
When a webhook requires authentication using an API key, this key has to be supplied in the Kratos config file. Some other config values can be supplied via a secret and are not included in the ConfigMap generated by the Helm chart, but these values currently cannot be provided in this way.
No matter how we try to configure this value in the helm chart, it will always be included in the ConfigMap.
Reproducing the bug
Deploy kratos requiring api_key authentication for a webhook. Example config section below:
```yaml
recovery:
  enabled: true
  lifespan: 1h
  ui_url: https://auth.platform/recovery
registration:
  after:
    default_browser_return_url: https://auth.platform
    oidc:
      hooks:
      - hook: session
    password:
      hooks:
      - config:
          auth:
            config:
              in: header
              name: x-api-key
              value: THIS_VALUE_SHOULD_BE_SECRET
            type: api_key
          body: file:///etc/config/register.jsonnet
          method: POST
          url: https://accounts.platform/api/webhooks/registration
        hook: web_hook
      - hook: session
```
Relevant log output
No response
Relevant configuration
No response
Version
v0.8.0-alpha.3
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response
Hi there! I think you should be able to use our env variables to work around this. Basically, each config option can be passed as an env to Ory apps, so
```yaml
registration:
  after:
    password:
      hooks:
      - config:
          auth:
            config:
              value: THIS_VALUE_SHOULD_BE_SECRET
```
would be SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS (can be seen in the Reference docs).
Now, with this you could use the extraEnv chart parameter to provide this configuration to be read from a secret:
```yaml
extraEnvs:
  - name: SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS
    valueFrom:
      secretKeyRef:
        name: kratos-extra-secrets
        key: SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS
```
However, with this approach you need to deliver and manage this secret yourself 😉
@nickperkins did the mentioned solution work for you?
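An added example, not part of the original thread or the Ory charts: one way to build the kratos-extra-secrets Secret for the workaround above and to check rendered manifests for a key that still sits in a ConfigMap. It assumes Kratos accepts a JSON-encoded array for this array-valued environment variable; the helper names (build_hooks, build_secret, leaks) and the sample key are made up for illustration.

```python
import base64
import json

ENV_NAME = "SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS"

def build_hooks(api_key):
    """Hooks list from the issue's config, with the API key supplied at build time."""
    auth = {"type": "api_key",
            "config": {"in": "header", "name": "x-api-key", "value": api_key}}
    return [
        {"hook": "web_hook",
         "config": {"url": "https://accounts.platform/api/webhooks/registration",
                    "method": "POST",
                    "body": "file:///etc/config/register.jsonnet",
                    "auth": auth}},
        {"hook": "session"},
    ]

def build_secret(api_key, name="kratos-extra-secrets"):
    """Secret manifest whose one key carries the whole hooks array as JSON.
    Assumption: Kratos parses a JSON string for this array-valued env var."""
    payload = json.dumps(build_hooks(api_key), separators=(",", ":"))
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {ENV_NAME: base64.b64encode(payload.encode()).decode()}}

def _strings(obj):
    """Yield every string value nested anywhere in a manifest."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)
    elif isinstance(obj, str):
        yield obj

def leaks(manifests, api_key):
    """Return kind/name of every non-Secret object that embeds the key in clear."""
    return [f'{m["kind"]}/{m["metadata"]["name"]}' for m in manifests
            if m["kind"] != "Secret" and any(api_key in s for s in _strings(m))]

if __name__ == "__main__":
    key = "constructed-example-key"  # constructed sample value, not a real key
    before = {"kind": "ConfigMap", "metadata": {"name": "kratos-config"},
              "data": {"kratos.yaml": f"value: {key}\n"}}
    after = {"kind": "ConfigMap", "metadata": {"name": "kratos-config"},
             "data": {"kratos.yaml": "hooks: []\n"}}
    print(leaks([before], key))                    # ConfigMap still carries the key
    print(leaks([after, build_secret(key)], key))  # key only lives in the Secret
```

The manifest returned by build_secret can be serialized with json.dumps and applied as-is, since JSON is valid YAML; running leaks over the chart's rendered objects in CI catches a key that slips back into values.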