You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have created a BitwardenSecret with one item in the map, and the end result secret has literally every secret from my secret manager in it (the key being the secret's UUID), which is a non-trivial number of items.
I have certain tooling that expects exact key format for the secret, and having a whole bunch of UUID keys in the secret will be problimatic for that tooling, let alone the security implications of having all those extra secret values lying around.
This line is one problem line, adding ALL secrets tothe output secret. This would be fine on its own were it cleaned up, but ApplySecretMap run directly after it on the secret, only updates the k8s secret to have a key/value pair with a sane name instead of the UUID.
A more sane approach would be to pass the secrets fetched directly to ApplySecretMap instead of setting it on the k8s secret in UpdateSecretValues.
The text was updated successfully, but these errors were encountered:
After making the change mentioned, the tests failed. Fixing the tests, I have come to the conclusion that this is intended behavior? If so, I think this is not a good decision, and there should at minimum be an option to disable this functionality. in a manner of least privilage, Secrets should be exposed as little as possible, and this was exposing EVERY secret to a given namespace.
I have created a BitwardenSecret with one item in the map, and the end result secret has literally every secret from my secret manager in it (the key being the secret's UUID), which is a non-trivial number of items.
I have certain tooling that expects exact key format for the secret, and having a whole bunch of UUID keys in the secret will be problimatic for that tooling, let alone the security implications of having all those extra secret values lying around.
This line is one problem line, adding ALL secrets tothe output secret. This would be fine on its own were it cleaned up, but ApplySecretMap run directly after it on the secret, only updates the k8s secret to have a key/value pair with a sane name instead of the UUID.
A more sane approach would be to pass the secrets fetched directly to ApplySecretMap instead of setting it on the k8s secret in UpdateSecretValues.
The text was updated successfully, but these errors were encountered: