banzaicloud/terraform-provider-k8s

Feature request: Sensitive Input

lukasmrtvy opened this issue · 0 comments

Is your feature request related to a problem? Please describe.
In cases where you need to bootstrap a cluster (an empty k8s without any secret management), you need to somehow deploy initial secrets.
The rendered template in the example https://github.com/banzaicloud/terraform-provider-k8s#usage is visible in terraform plan; that's OK, but when you want to deploy (initial) secrets (my use case), these will be visible in stdout.

Describe the solution you'd like to see
Something like sensitive_content in k8s_manifest would be a nice step to keep these secrets hidden and keep backwards compatibility.
For example:

cat << EOF > secret.yaml.tpl
---
apiVersion: v1
kind: Namespace
metadata:
  name: bank-vaults
---
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secret
  namespace: bank-vaults
data:
  PGPASSWORD: ${TEMPLATE_PGPASSWORD}
EOF

data "template_file" "file" {
  template = file("secret.yaml.tpl")
  vars = var.template_data
}

resource "k8s_manifest" "deployment" {
  sensitive_content = data.template_file.file.rendered
}

Describe alternatives you've considered
None; even third-party shell providers do this...
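
A CI-side check for the exposure described in this issue, added here as an example and not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json`) and lists `k8s_manifest` resources whose manifest contains a `kind: Secret` document but is not flagged in `after_sensitive`. The attribute name `content`, the resource addresses and the sample plan are assumptions constructed for the example, and the `kind: Secret` match is a line-based heuristic rather than a YAML parse.

```python
import json
import re

# Matches a YAML line declaring a Secret, anywhere in a multi-document manifest.
SECRET_KIND = re.compile(r"^kind:\s*Secret\s*$", re.MULTILINE)

def exposed_secret_manifests(plan_json, resource_type="k8s_manifest", attr="content"):
    """Return addresses of planned resources whose manifest attribute contains a
    Secret and is not flagged in after_sensitive (so plan output shows it)."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        change = rc.get("change") or {}
        value = (change.get("after") or {}).get(attr)
        marks = change.get("after_sensitive")
        sensitive = isinstance(marks, dict) and marks.get(attr) is True
        # Values unknown until apply are absent from "after" and are skipped.
        if isinstance(value, str) and not sensitive and SECRET_KIND.search(value):
            findings.append(rc["address"])
    return findings

# Constructed manifests and plan; names and the base64 value are made up.
SECRET_YAML = ("---\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: bank-vaults\n"
               "---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: postgres-secret\n"
               "  namespace: bank-vaults\ndata:\n  PGPASSWORD: Y29uc3RydWN0ZWQ=\n")
NAMESPACE_YAML = "apiVersion: v1\nkind: Namespace\nmetadata:\n  name: bank-vaults\n"

def _change(address, content, marks):
    # Hypothetical helper: one resource_changes entry in plan-JSON shape.
    return {"address": address, "type": "k8s_manifest",
            "change": {"actions": ["create"], "after": {"content": content},
                       "after_sensitive": marks}}

SAMPLE_PLAN = json.dumps({"resource_changes": [
    _change("k8s_manifest.deployment", SECRET_YAML, {}),          # exposed
    _change("k8s_manifest.marked", SECRET_YAML, {"content": True}),  # marked sensitive
    _change("k8s_manifest.namespace", NAMESPACE_YAML, {}),        # no Secret inside
]})

if __name__ == "__main__":
    for address in exposed_secret_manifests(SAMPLE_PLAN):
        print(f"{address}: Secret manifest is not marked sensitive in the plan")
```
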