How do we mask sensitive config information?

[tim-chaffin]

While reading the https://github.com/PacoVK/tapir/blob/main/docs/configuration.md file we are asked to set values which are sensitive by nature, such as BACKEND_AZURE_MASTER_KEY, AZURE_BLOB_CONNECTION_STRING, AUTH_CLIENT_SECRET and so on.

It's not clear in the docs how best to mask or secure these secrets. We could be doing a k8 namespace opaque secret, or something similar. But I'm unsure what works best with the container, when running in k8.

If you can help me understand how to implement a secret with Tapir, I'd be happy to add that to the docs as well.

[PacoVK]

Indeed secret injection was intentionally left quite open. Tapir needs the values as environment variables and depending on the actual runtime there are different approaches.

In K8s context you can use opaque secrets, you may also have a dedicated secret management (e.g. Hashicorp Vault, Aws secretmanager,...) that offer different ways to inject values as ENV to the pod during runtime. One common way in K8s could also be to go through external secrets operator which has quite some flexibility.

Hope that helps ✌️

[tim-chaffin]

Added a PR, if you'd like to include this documentation.

[PacoVK]

@all-contributors add @tim-chaffin for docs

[allcontributors]

@PacoVK

I've put up a pull request to add @tim-chaffin! 🎉