[security] move sensitive config from ConfigMap to Secret #150
Open
siddimore wants to merge 3 commits into livekit:master from
Conversation
Egress and ingress charts stored API keys, secrets, and cloud storage credentials (S3, GCS, Azure) in ConfigMaps, which are not encrypted at rest and are visible to anyone with namespace read access.

Changes:
- egress: add Secret template, deployment reads config from secretKeyRef when storeSecretsInSecret.enabled (default: true), with existingSecret support for external secret managers (Vault, ESO)
- ingress: same pattern as egress for api_key/api_secret
- livekit-server: enable storeKeysInSecret by default (mechanism already existed but was disabled)

All charts retain backward compatibility: set storeSecretsInSecret.enabled to false to keep using ConfigMap.

- Wrap egress/ingress configmap.yaml with conditional guard so ConfigMap is NOT created when storeSecretsInSecret is enabled (prevents secrets from existing in both ConfigMap and Secret)
- Add storeSecretsInSecret documentation to egress-sample.yaml, ingress-sample.yaml, and examples/egress.yaml
- Add labels to configmap templates for consistency
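The pattern the description outlines (a Secret rendered only when `storeSecretsInSecret.enabled` is true and no `existingSecret` is given, a ConfigMap rendered only when it is false, and the Deployment pulling the config through `secretKeyRef`) can be sketched as a minimal Helm chart. This is an added illustration written for this page, not the PR's own templates: the `egress.fullname` helper, the `config.yaml` key name, the values layout under `egress:`, and the `EGRESS_CONFIG_BODY` environment variable are all assumptions made here for the example.

```yaml
# values.yaml (illustrative; only storeSecretsInSecret.* keys come from the PR text)
storeSecretsInSecret:
  enabled: true          # false restores the previous ConfigMap-only behaviour
  existingSecret: ""     # name of a Secret managed outside the chart (Vault, ESO);
                         # when set, the chart renders no Secret of its own
egress:
  api_key: ""
  api_secret: ""
  s3:
    access_key: ""
    secret: ""
    bucket: ""
    region: ""

---
# templates/secret.yaml
# Rendered only when the chart itself owns the credentials.
{{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "egress.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ include "egress.fullname" . }}
type: Opaque
stringData:
  # stringData lets the template stay readable; the API server base64-encodes it.
  config.yaml: |
    api_key: {{ .Values.egress.api_key | quote }}
    api_secret: {{ .Values.egress.api_secret | quote }}
    s3:
      access_key: {{ .Values.egress.s3.access_key | quote }}
      secret: {{ .Values.egress.s3.secret | quote }}
      bucket: {{ .Values.egress.s3.bucket | quote }}
      region: {{ .Values.egress.s3.region | quote }}
{{- end }}

---
# templates/configmap.yaml
# The guard is the important part: with the Secret path enabled, no ConfigMap
# is rendered at all, so the credentials cannot also sit in plain text.
{{- if not .Values.storeSecretsInSecret.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "egress.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ include "egress.fullname" . }}
data:
  config.yaml: |
    api_key: {{ .Values.egress.api_key | quote }}
    api_secret: {{ .Values.egress.api_secret | quote }}
{{- end }}

---
# templates/deployment.yaml (container env only)
# Assumed for this example: the egress binary accepts its whole config body
# through EGRESS_CONFIG_BODY. The source of the value switches with the flag;
# with existingSecret set, the externally managed Secret is referenced and
# must expose the same config.yaml key.
        env:
        {{- if .Values.storeSecretsInSecret.enabled }}
          - name: EGRESS_CONFIG_BODY
            valueFrom:
              secretKeyRef:
                name: {{ .Values.storeSecretsInSecret.existingSecret | default (include "egress.fullname" .) }}
                key: config.yaml
        {{- else }}
          - name: EGRESS_CONFIG_BODY
            valueFrom:
              configMapKeyRef:
                name: {{ include "egress.fullname" . }}
                key: config.yaml
        {{- end }}
```

Two caveats worth keeping in mind when reviewing a change like this. Moving a value into a Secret only changes which API object holds it: Secrets are base64-encoded, not encrypted, unless encryption at rest is configured on the API server, and anyone with `get` on secrets in the namespace can still read them, so the RBAC split between ConfigMap readers and Secret readers is what actually narrows exposure. Second, because an upgrade with the new default no longer renders the ConfigMap, an existing ConfigMap from a previous release is deleted by Helm on upgrade, which is the desired outcome but is worth confirming with `helm template` on both settings of `storeSecretsInSecret.enabled` before rolling it out.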