Use a Secret to store S3 keys in K8S deployment

- Passing the access and secret keys directly as environment variables can inadvertently leak them in a multitenant system, as anyone with the `view` ClusterRole or higher on the namespace will have the ability to read the spec of the `Job`. - Instead, create a secret with the keys and mount them as environment variables from there.
minio · Oct 17, 2023 · 9ecfed7 · 9ecfed7
1 parent 25d2113
commit 9ecfed7
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/k8s/helm/templates/job.yaml b/k8s/helm/templates/job.yaml
@@ -28,9 +28,15 @@ spec:
           - name: WARP_REGION
             value: {{ .Values.warpConfiguration.s3ServerRegion | quote }}
           - name: WARP_ACCESS_KEY
-            value: {{ .Values.warpConfiguration.s3AccessKey | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "warp.fullname" . }}-credentials
+                key: access_key
           - name: WARP_SECRET_KEY
-            value: {{ .Values.warpConfiguration.s3SecretKey | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "warp.fullname" . }}-credentials
+                key: secret_key
       {{- if .Values.serverResources }}
         resources: {{- toYaml .Values.serverResources | nindent 12 }}
       {{- end }}

diff --git a/k8s/helm/templates/secret.yaml b/k8s/helm/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "warp.fullname" . }}-credentials
+  labels:
+    {{- include "warp.labels" . | nindent 4 }}
+data:
+  access_key: {{ .Values.warpConfiguration.s3AccessKey | b64enc }}
+  secret_key: {{ .Values.warpConfiguration.s3SecretKey | b64enc }}