Is it unreasonable to store a secret in InlineManifests

[nickdavies]

I am just starting out with talos linux and I was wondering if it would be considered bad practice (and if so why) for me to patch a secret that I need for bootstrapping the cluster (eg the flux github private key or my 1password-connect auth keys) into my machine config?

I was planning on doing something like:

# First generate my normal non-sensitive config
$ talosctl gen config --output-type controlplane --output config-i-will-commit.yaml ... # with my non-sensitive patches etc.

# Now when I want to apply run:
$ talsoctl machineconfig patch config-i-will-commit.yaml --patch "@flux-secret.yaml" --patch "@1pass-connect-secret.yaml" -o private-config.yaml

$ talosctl apply -f private-config.yaml ...

The content of flux-secret.yaml would look something like:

apiVersion: v1
kind: Secret
metadata:
  name: homelab-auth
  namespace: flux-system
stringData:
  identity: |
     -----BEGIN PRIVATE KEY-----
     ...
     -----END PRIVATE KEY-----
   identity.pub: |
      ...
   known_hosts: github.com ...

and similar for the 1password one where I store the credentials for setting up onepassword-connect to talk to the 1password API and external-secrets operator to talk to onepassword-connect.

This feels tempting because it means I can have a single step bootstrap but I want to make sure this isn't a terrible idea from a security perspective.

I saw in #9288 it looks like you can download the spec back again, would that include these secrets that I am sending and if so who is allowed to make that API call?