From d1a08bd047c8dc3d83707ede47c02af6dfca6958 Mon Sep 17 00:00:00 2001
From: Jacques ROUSSEL
Date: Fri, 10 Oct 2025 09:50:33 +0200
Subject: [PATCH] (egress) use secret instead of configmap

Because the config.yaml contains secrets (S3 credentials, LiveKit API credentials), it is better to use a secret to avoid leaking secrets in the ArgoCD UI, for instance.
---
 egress/templates/deployment.yaml | 4 ++--
 egress/templates/secret.yaml | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 egress/templates/secret.yaml

diff --git a/egress/templates/deployment.yaml b/egress/templates/deployment.yaml
index 4a8808a..32a71a4 100644
--- a/egress/templates/deployment.yaml
+++ b/egress/templates/deployment.yaml
@@ -17,7 +17,7 @@ spec:
 annotations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 labels:
 {{- include "egress.selectorLabels" . | nindent 8 }}
 spec:
@@ -34,7 +34,7 @@ spec:
 env:
 - name: EGRESS_CONFIG_BODY
 valueFrom:
- configMapKeyRef:
+ secretKeyRef:
 name: {{ include "egress.fullname" . }}
 key: config.yaml
 ports:
diff --git a/egress/templates/secret.yaml b/egress/templates/secret.yaml
new file mode 100644
index 0000000..7aa275c
--- /dev/null
+++ b/egress/templates/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "egress.fullname" . }}
+stringData:
+ config.yaml: |
+{{ toYaml .Values.egress | indent 4 }}
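Review bot: The old ConfigMap template appears to survive this patch: the diffstat lists only `deployment.yaml` and the new `secret.yaml`, while the line replaced in the first `deployment.yaml` hunk shows that `configmap.yaml` existed under the templates directory and was rendered. If that template still renders `.Values.egress`, the S3 and LiveKit credentials keep being published as a ConfigMap under the same name, so the exposure described in the commit message stays open. Delete `egress/templates/configmap.yaml` in the same change, or strip the config body from it, so the Secret is the only object carrying `config.yaml`.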
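Review bot: In the second `deployment.yaml` hunk the whole config, credentials included, is still handed to the container as the `EGRESS_CONFIG_BODY` environment variable; `secretKeyRef` changes where the value is stored, not how it is exposed at runtime. Environment variables are inherited by any child process the service starts and are readable from `/proc/<pid>/environ`, so a mounted file is the narrower channel. Egress also accepts a config path through `EGRESS_CONFIG_FILE`, so consider mounting the Secret as a read-only volume and pointing that variable at it. The container spec continues outside the hunk, so any existing volume setup is not visible here.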
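Review bot: The new `secret.yaml` renders the full `.Values.egress` block, so the credentials still have to be supplied through Helm values, and they remain readable wherever those values are stored or displayed (a values file in Git, the Argo CD Application spec, the Helm release record). Consider an optional value that names a pre-existing Secret, and skip this template when it is set, so the keys can come from a secret manager rather than from values. Separately, `metadata` carries no labels; if the chart defines a common-labels helper next to `egress.selectorLabels`, adding it here keeps the Secret grouped with the rest of the release.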