The Proxy Injector supports taking parameters as a Secret, which would have made me believe that the injected sidecar would do the same, which is not the case.
When configuring the sidecar container, the ProxyInjector will always set the configuration of Gatekeeper as command line arguments,making the whole point of passing sensitive variables as a Secret moot.
In particular, these lines are problematic:
|
if config.ClientSecret != "" && annotations[constants.AnnotationPrefix+"client-secret"] == "" { |
|
configArgs = append(configArgs, "--client-secret="+config.ClientSecret) |
|
} |
What i would expect is that the ProxyInjector controller would create a separate Secret for the client-secret, and mount it as a VolumeMount inside the Gatekeeper container.
As it stands, this issue makes the whole premise of the {{- if eq .Values.proxyinjector.mount "secret" }} option inside the configuration of ProxyInjector pretty much useless ☹️
The Proxy Injector supports taking parameters as a Secret, which would have made me believe that the injected sidecar would do the same, which is not the case.
When configuring the sidecar container, the ProxyInjector will always set the configuration of Gatekeeper as command line arguments,making the whole point of passing sensitive variables as a Secret moot.
In particular, these lines are problematic:
ProxyInjector/internal/pkg/handler/create.go
Lines 199 to 201 in 63fc7ea
What i would expect is that the ProxyInjector controller would create a separate Secret for the
client-secret, and mount it as aVolumeMountinside the Gatekeeper container.As it stands, this issue makes the whole premise of the☹️
{{- if eq .Values.proxyinjector.mount "secret" }}option inside the configuration of ProxyInjector pretty much useless