The Best Practices for the Kubernetes Provider V2 document suggests letting Spinnaker deploy secrets. However, I'm finding that when I do that, I can easily see the secrets in cleartext in Deck. For example, by clicking on the YAML link in the stage that deployed the secret (it'd be under the `kubectl.kubernetes.io/last-applied-configuration` annotation). Is this a problem with the way Spinnaker is configured, or is this working as intended?
I'd love to use the functionality that comes from using secrets as first-class artefacts on Spinnaker, but I'm not convinced it's worth the risks. Apart from this feature request to improve the way secrets are handled, which only has two s (one of which is mine), no-one else seems to be concerned about this, so maybe I'm missing something here?
I know I can get an external tool to `kubectl apply` the secret, and I've got it working with Kapitan, but if the best practice is to let Spinnaker do that, I'd expect that approach to be secure.
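The exposure described in the post comes from `kubectl apply` (and tooling that behaves like it) storing the full applied manifest, secret values included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation, so anyone who can read the object's metadata can read the secret. The audit below is an added example, not code from the poster, Spinnaker or Kapitan: it walks the JSON shape of `kubectl get secrets -A -o json` and reports every Secret whose annotation embeds `data` or `stringData`. The sample input is constructed inline with made-up values.

```python
import base64
import json
import sys

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def _applied_secret(name, ns, data):
    """Build a Secret the way `kubectl apply` leaves it: the annotation
    carries a JSON copy of the whole manifest, secret values included."""
    manifest = {"apiVersion": "v1", "kind": "Secret",
                "metadata": {"name": name, "namespace": ns}, "data": data}
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": ns,
                         "annotations": {LAST_APPLIED: json.dumps(manifest)}},
            "data": data}


# Constructed sample in the shape of `kubectl get secrets -A -o json`:
# one Secret created via apply (leaks through the annotation), one created
# some other way (no annotation, nothing extra exposed).
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    _applied_secret("db-creds", "prod",
                    {"password": base64.b64encode(b"hunter2").decode()}),
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "tls-cert", "namespace": "prod"},
     "data": {"tls.key": base64.b64encode(b"not-a-real-key").decode()}},
]}


def find_leaky_secrets(secret_list):
    """Return (namespace, name, keys) for each Secret whose last-applied
    annotation embeds data/stringData, i.e. secret material readable by
    anyone who can view the object's annotations (Deck's YAML view included)."""
    findings = []
    for item in secret_list.get("items", []):
        if item.get("kind") != "Secret":
            continue
        meta = item.get("metadata", {})
        raw = meta.get("annotations", {}).get(LAST_APPLIED)
        if not raw:
            continue
        try:
            applied = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed annotation: nothing parseable to report
        keys = sorted(set(applied.get("data", {})) | set(applied.get("stringData", {})))
        if keys:
            findings.append((meta.get("namespace", "default"), meta.get("name"), keys))
    return findings


if __name__ == "__main__":
    # Pipe real cluster output in, or run with no stdin to use the sample.
    secrets = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, keys in find_leaky_secrets(secrets):
        print(f"{ns}/{name}: last-applied annotation embeds keys {keys}")
```

Run it as `kubectl get secrets -A -o json | python3 audit.py` (file name assumed) to list the Secrets in a cluster that currently carry their values in the annotation; Secrets created without client-side apply are not flagged.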