This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

Support for mounting sensitive config values as secret volumes #748

Closed
mhamann opened this issue May 14, 2021 · 3 comments
Labels: enhancement (New feature or request), Stale

mhamann commented May 14, 2021

In all of the configuration examples, secrets (e.g. API keys) that are used directly by external-secrets in order to authenticate with a secrets backend (e.g. secrets manager, vault, etc) are attached to the pod via an environment variable.

Generally, it's recommended to mount secrets as files rather than environment variables, because that's a slightly better security posture. (One example from SO: https://stackoverflow.com/questions/51365355/kubernetes-secrets-volumes-vs-environment-variables). Secret values can also be changed without restarting the pod when mounted as a volume.

Is there a reason that external-secrets doesn't seem to support this? If not, are folks open to enabling either mechanism in a plugin-agnostic fashion?

moolen (Member) commented Jun 14, 2021

Ideally, you wouldn't need any credentials at all and rely on the trust relationship of the underlying compute infrastructure.
I agree, I see the value in using files!

> Is there a reason that external-secrets doesn't seem to support this?

AFAIK there was no demand for that, yet. It seems that this is a risk people are willing to accept.

> If not, are folks open to enabling either mechanism in a plugin-agnostic fashion?

Sure!

moolen added the enhancement (New feature or request) label Jun 14, 2021
github-actions bot commented

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions bot added the Stale label Sep 13, 2021

github-actions bot commented

This issue was closed because it has been stalled for 30 days with no activity.
