Feature request: Sensitive Input
lukasmrtvy opened this issue · 0 comments
lukasmrtvy commented
Is your feature request related to a problem? Please describe.
In cases where you need to bootstrap a cluster (empty k8s without any secret management), it is necessary to somehow deploy initial secrets.
The rendered template in the example https://github.com/banzaicloud/terraform-provider-k8s#usage is visible in terraform plan. That's OK, but when you want to deploy (initial) secrets (my use case), these will be visible in stdout.
Describe the solution you'd like to see
Something like sensitive_content in k8s_manifest would be a nice step to keep these secrets hidden and keep backwards compatibility.
For example:
cat << 'EOF' > secret.yaml.tpl
---
apiVersion: v1
kind: Namespace
metadata:
  name: bank-vaults
---
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secret
  namespace: bank-vaults
data:
  PGPASSWORD: ${TEMPLATE_PGPASSWORD}
EOF

data "template_file" "file" {
  template = file("secret.yaml.tpl")
  vars     = var.template_data
}

resource "k8s_manifest" "deployment" {
  sensitive_content = data.template_file.file.rendered
}
Describe alternatives you've considered
None, even 3rd-party shell providers do this...
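
A pre-apply check for the exposure described in this issue, added here as an example and not code from the issue author or the provider project: it reads the JSON form of a plan (`terraform show -json`) and reports `k8s_manifest` resources whose manifest holds a `kind: Secret` document that Terraform has not marked sensitive. The `content` attribute name, the resource addresses and the sample plan are assumptions constructed for illustration.

```python
import json
import re

DOC_SPLIT = re.compile(r"^---\s*$", re.MULTILINE)
SECRET_KIND = re.compile(r"^kind:\s*[\"']?Secret[\"']?\s*$", re.MULTILINE)
META_NAME = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)", re.MULTILINE)

def secret_names(content):
    """Names of every `kind: Secret` document in a multi-document YAML string."""
    names = []
    for doc in DOC_SPLIT.split(content):
        if SECRET_KIND.search(doc):
            m = META_NAME.search(doc)
            names.append(m.group(1) if m else "<unnamed>")
    return names

def exposed_secrets(plan_json, resource_type="k8s_manifest", attr="content"):
    """(address, secret name) pairs that `terraform plan` would print unredacted."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after") or {}   # null when the resource is being deleted
        if rc.get("type") != resource_type or not isinstance(after.get(attr), str):
            continue
        # after_sensitive mirrors `after`; True marks a value redacted in plan output.
        sens = change.get("after_sensitive")
        if sens is True or (isinstance(sens, dict) and sens.get(attr) is True):
            continue
        findings += [(rc["address"], name) for name in secret_names(after[attr])]
    return findings

# Constructed sample shaped like `terraform show -json` output (not real plan data).
NAMESPACE = "---\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: bank-vaults\n"
SECRET = ("---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: postgres-secret\n"
          "  namespace: bank-vaults\ndata:\n  PGPASSWORD: Y29uc3RydWN0ZWQ=\n")
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "k8s_manifest.deployment", "type": "k8s_manifest",
     "change": {"after": {"content": NAMESPACE + SECRET}, "after_sensitive": {}}},
    {"address": "k8s_manifest.redacted", "type": "k8s_manifest",
     "change": {"after": {"content": SECRET}, "after_sensitive": {"content": True}}},
    {"address": "k8s_manifest.namespace_only", "type": "k8s_manifest",
     "change": {"after": {"content": NAMESPACE}, "after_sensitive": {}}},
]})

if __name__ == "__main__":
    for address, name in exposed_secrets(SAMPLE_PLAN):
        print(f"{address}: Secret {name!r} is not marked sensitive in the plan")
```

The JSON plan carries sensitive values in clear text even when they are redacted on screen, so run the check where the plan file is already protected.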