Extraconf configmap contains secrets

[kimkil94]

Hello,
We are using S3 as persistence storage for DocumentServer. For extraconf parameters this guide leads us to use ConfigMap. Is there another way to handle those secrets to not store them in ConfigMap as plaintext? Its not very secure when you are using IaC and need to store "local.json" with extraconf params in Git as well.

{
    "storage": {
                  "name": "storage-s3",
                  "fs": {
                          "folderPath": "",
                          "urlExpires": 900,
                          "secretString": "XXXXXXXXXXX"
                  },
                  "region": "us-west-2",
                  "endpoint": "https://s3.us-west-2.amazonaws.com/",
                  "bucketName": "XXXXXXXXXX",
                  "storageFolderName": "files",
                  "urlExpires": 604800,
                  "accessKeyId": "AKIAXXXXyyyyyyy",
                  "secretAccessKey": "XXXXXyyyyy",
                  "sslEnabled": false,
                  "s3ForcePathStyle": false,
                  "externalHost": ""
    }
}

Thank you in advance

[GeorgeONLYOFFICE]

Hello,

To solve this issue you can keep either the entire encrypted local.json file on git or just the required keys values. For encryption/decryption in a cluster you can use either [Sealed Secrets] https://github.com/bitnami-labs/sealed-secrets or a more-recommended [Mozilla SOPS] https://github.com/getsops/sops