Remove dockerconfigjson key from values
R-omk opened this issue
The `dockerconfigjson` key contains sensitive data; such data should never be present in values.
Instead, there should be a list with secret names, as per best practice:
`imagePullSecrets: []`
Completely disagree, the dockerconfigjson value can be provided through the command line and not stored in any of your files. All that this value does is create a Secret which contains that data and pass that Secret to the imagePullSecrets of the podTemplate.
But it looks good to add the ability to pass some "external" secret to imagePullSecrets.
What do you think about it?
> add ability to pass some "external" secret

it definitely needs to be done

> All that this value does is create a Secret which contains that data

At the same time, it will be saved along with a release of the chart. This may be allowed at the development stage, but it is not customary to add passwords and other secrets to the chart values.
Any sensitive data is usually provided separately from chart releases. Often other operators or tools (via vault managers) are involved in the delivery of secrets during the CI/CD process.
As a bonus, I can show how to create a pull secret before deploying a release during development.
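```makefile
# Create the registry pull secret before deploying. "|| true" ignores any
# failure of the command (for example, the secret already exists).
.PHONY: prepare
prepare:
	kubectl --context=$(kube_context) --namespace=$(install_namespace) \
		create secret generic registry-pull-secret \
		--from-file=.dockerconfigjson=$(HOME)/.docker/config.json \
		--type=kubernetes.io/dockerconfigjson || true
```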
@kluevandrew this should work without condition
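Added example (not part of the thread or of the chart's code): an audit for the point raised above that values are saved along with the release. It assumes Helm 3 with its default Secret storage driver, where `.data.release` is base64(base64(gzip(JSON))) and user-supplied values sit under `config`; the function names and both sample releases are constructed for illustration.

```python
import base64
import gzip
import json

SENSITIVE_KEYS = {"dockerconfigjson"}  # the key this issue is about


def decode_release(data_release: str) -> dict:
    """Decode .data.release of a Helm 3 release Secret (assumed storage driver)."""
    inner = base64.b64decode(data_release)  # Kubernetes Secret base64 layer
    packed = base64.b64decode(inner)        # Helm's own base64 layer
    if packed[:2] == b"\x1f\x8b":           # gzip magic bytes
        packed = gzip.decompress(packed)
    return json.loads(packed)


def find_sensitive(values, prefix=""):
    """Return paths of non-empty sensitive keys in a values tree."""
    hits = []
    if isinstance(values, dict):
        for key, val in values.items():
            path = f"{prefix}.{key}" if prefix else key
            if key in SENSITIVE_KEYS and val:
                hits.append(path)
            else:
                hits.extend(find_sensitive(val, path))
    elif isinstance(values, list):
        for i, item in enumerate(values):
            hits.extend(find_sensitive(item, f"{prefix}[{i}]"))
    return hits


def audit_release(data_release: str) -> list:
    """Sensitive keys found in the user-supplied values ("config") of a release."""
    return find_sensitive(decode_release(data_release).get("config") or {})


def encode_release(release: dict) -> str:
    """Encode a constructed release the way it appears in .data.release."""
    packed = gzip.compress(json.dumps(release).encode())
    return base64.b64encode(base64.b64encode(packed)).decode()


# Constructed samples; the credential is a placeholder, not real data.
LEAKY = encode_release({"name": "demo", "config": {"dockerconfigjson": "PLACEHOLDER"}})
CLEAN = encode_release({"name": "demo", "config": {"imagePullSecrets": ["registry-pull-secret"]}})

if __name__ == "__main__":
    print("leaky:", audit_release(LEAKY), "clean:", audit_release(CLEAN))
```

Against a cluster, the input is the `.data.release` field of a Secret of type `helm.sh/release.v1` in the release namespace.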