Okay, okay. It is not exactly hacker*proof* but definitely hacker resistant (you know like water resistant but not water proof). When we inject secrets into pods either via
- mounting,
- setting environment variables
- using a helm values file with secrets and env vars
- using CICD to inject while deployment
- most tidious way: read from vault but this requires a role_id, secret_id of vault to be against set in pod as environment variable or some other way. Circular problem.
- open up 2 shells
- In shell 1 open your bashrc file, set some export or env vars and save.
- Do `. /path/to/bashrc fiile' (notice the dot and a space after it)
- In shell 1 you can access your new environment variable
- In shell you cant or wont
- open up 2 shells
- in shell one set an environment variable in the shell export xyz=abc and see if you can access it. you do.
- In shell 2 you cant access the same.
- Mount secrets via vault or some place to some location in the pod /path/to/my/mount/vaultsecrets
- In your entrypoint.sh file for your app, somewhere before you start your app, add `. /path/to/my/mount/vaultsecrets`