tarantool / helm-charts

Tarantool Helm Charts

Remove dockerconfigjson key from values

R-omk opened this issue · comments

commented

The dockerconfigjson key contains sensitive data; such data should never be present in values.

Instead, there should be a list with secret names, as per best practice.

```yaml
imagePullSecrets: []
```

Completely disagree: the dockerconfigjson value can be provided through the command line and not stored in any of your files. All this value does is create a Secret which contains that data and pass that Secret to imagePullSecrets of the podTemplate.

But it looks good to add the ability to pass some "external" secret to imagePullSecrets.

What do you think about it?

commented

> add ability to pass some "external" secret

it definitely needs to be done

> All this value does is create a Secret which contains that data

At the same time, it will be saved along with a release of the chart. This may be allowed at the development stage, but it is not customary to add passwords and other secrets to the chart values.

Any sensitive data is usually provided separately from chart releases. Often other operators or tools (via vault managers) are involved in the delivery of secrets during the CI/CD process.


As a bonus, I can show how to create a pull secret before deploying a release during development.

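```makefile
# Create the registry pull secret before installing a release;
# "|| /bin/true" keeps make going if the secret already exists.
prepare:
	kubectl --context=$(kube_context) --namespace=$(install_namespace) \
	create secret generic registry-pull-secret \
	--from-file=.dockerconfigjson=$(HOME)/.docker/config.json \
	--type=kubernetes.io/dockerconfigjson || /bin/true
```
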
commented

@kluevandrew
this should work without condition
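
The point raised in the thread, that a value given on the command line is still saved along with the release, can be checked by decoding a Helm 3 release record and scanning its user-supplied values. The sketch below is an added example, not part of the thread or the chart: the two release payloads are constructed, the watch list of key names is an assumption, and so is placing `dockerconfigjson` at the top level of the values.

```python
import base64
import gzip
import json

# Assumed watch list of value keys that should never carry data in a release.
SENSITIVE_KEYS = {"dockerconfigjson", "password", "token"}

def encode_release(release):
    """Encode as Helm 3 does (JSON -> gzip -> base64), plus the Secret's own base64 layer."""
    helm_blob = base64.b64encode(gzip.compress(json.dumps(release).encode()))
    return base64.b64encode(helm_blob).decode()

def decode_release(secret_data):
    """Reverse both base64 layers and the gzip layer of a Secret's .data.release field."""
    helm_blob = base64.b64decode(secret_data)
    return json.loads(gzip.decompress(base64.b64decode(helm_blob)))

def find_sensitive(values, path=""):
    """Return dotted paths of non-empty watched keys anywhere in the values tree."""
    hits = []
    if isinstance(values, dict):
        for key, val in values.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS and val:
                hits.append(here)
            hits.extend(find_sensitive(val, here))
    elif isinstance(values, list):
        for i, val in enumerate(values):
            hits.extend(find_sensitive(val, f"{path}[{i}]"))
    return hits

def audit(secret_data):
    """Scan the 'config' field, which holds values supplied via --set or -f."""
    return find_sensitive(decode_release(secret_data).get("config") or {})

# Constructed sample: credential passed as a chart value (for example via --set).
INLINE = encode_release({"name": "demo", "version": 1,
                         "config": {"dockerconfigjson": "Y29uc3RydWN0ZWQtY3JlZGVudGlhbA=="}})
# Constructed sample: values only name a Secret that was created separately.
BY_NAME = encode_release({"name": "demo", "version": 2,
                          "config": {"imagePullSecrets": [{"name": "registry-pull-secret"}]}})

if __name__ == "__main__":
    print("inline:", audit(INLINE))
    print("by name:", audit(BY_NAME))
```

On a live cluster the input is the `.data.release` field of the Secret named `sh.helm.release.v1.<release>.v<revision>`, so anyone who can read Secrets in the release namespace can recover a credential passed this way.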