Secrets handling in Helm charts not safe

[themightylaz]

Hi,

Secrets handling in Helm charts are not encrypted.
Would it be possible to remove the process that creates secrets from the Helm charts.
In this case we could create sealed secrets manually as a separate process beforehand and Helm chart would be just responsible for deploying the application.

Best regards
//Lars

[mars-lan]

Could you review and see if this is covered by #1782 already?

[themightylaz]

Hi @mars-lan, my impression is that it fixes the issue with passwords verbatim in configmap and moves them to secret instead. We use sealed secrets (https://github.com/bitnami-labs/sealed-secrets) for our secrets, and I do not fully understand if the changes is allowing us to use that. When will #1782 get merged to master branch?

BR
//Lars

[shakti-garg-saxo]

HI @themightylaz,
There is only one secret, "GMS_SECRET" which we will be creating after #1782. The secret-template file for the same is under helm-chart, "datahub-gms".
we are currently auto-generating secret using "{{ randAlphaNum 10 | b64enc | quote }}". Is it possible to do the same in sealed-secrets or do we need to rely on Kubeseal to generate secret?

Thanks.

[mars-lan]

@themightylaz FYI #1782 has been merged now.

[fabiofilz]

Hi @shakti-garg-saxo,

As it is an auto-generating password that it will be used only in datahub and we won't need to store this password outside of the cluster so I think it is OK to keep in this way.

Thank you,
Fabio

[mars-lan]

What do you think, @themightylaz? Can we close this issue now?

[themightylaz]

Hi @mars-lan, initial checking looks good so closing issue, thanks for your help!