Credentials Stored in values.yaml

[zbindenren]

Summary

The Helm chart currently requires credentials to be specified directly in values.yaml, which is not a secure practice for production deployments.

Affected Files

• helm/cosi-driver/values.yaml
• helm/cosi-driver/templates/secret.yaml

Current Behavior

Credentials are defined as plain text values in values.yaml:

s3:
  accessKey: '0a1b2c3d4e5f6g7h8i9j'
  secretAccessKey: 'lkjhGFdsAPoiuYTreWQmnbVCxZlkjhGFdsAPoiuY+'
admin:
  username: 'sysadmin'
  password: 'mypassword'

These values are then base64-encoded into a Kubernetes Secret by templates/secret.yaml.

---
apiVersion: v1
kind: Secret
metadata:
  name: cloudian-cosi-secret
  labels:
    app.kubernetes.io/part-of: cloudian-cosi-driver
data:
  S3_ACCESS_KEY: {{ .Values.s3.accessKey | b64enc }}
  S3_SECRET_KEY: {{ .Values.s3.secretAccessKey | b64enc }}
  GROUP: {{ .Values.admin.group | b64enc }}
  ADMIN_USER: {{ .Values.admin.username | b64enc }}
  ADMIN_PASSWORD: {{ .Values.admin.password | b64enc }}

Security Concerns

1. Version Control Exposure: values.yaml is typically committed to git, exposing secrets in repository history
2. Helm Release Metadata: Values are stored in Helm release secrets, visible via helm get values
3. No Encryption at Rest: Credentials stored as plain text
4. Audit Trail: No way to track who accessed or modified credentials

Recommended Solutions

Support Existing Secret Reference (Minimal Change)

Allow users to reference a pre-created Kubernetes Secret instead of having the chart create one:

# values.yaml
existingSecret: '' # If set, use this secret instead of creating one