Feature Request: Controller-side secret decryption at bundle preprocessing via vals

[rajiteh]

Is your feature request related to a problem?

Certain input values for a release defined in a fleet.yaml can contain sensitive data that should not be commited to git. A safer strategy would be to specify a reference to the secret in the fleet yaml for readability but resolve it from a secure location at run time.

Solution you'd like

Ability for the fleet controller to parse and decrypt secret references in the fleet.yaml at deploy time when it's preparing bundles. A generic secret processing backend such as https://github.com/helmfile/vals is idea for this as it supports configuration via environment variables.

Then the fleet controller deployment needs to be enriched with the required environment variables for vals library to resolve secrets from the appropriate backends. (https://github.com/helmfile/vals?tab=readme-ov-file#supported-backends)

Alternatives you've considered

No response

Anything else?

No response