We have a policy where kubernetes secrets are discouraged. Instead, it is expected to use vault-agent like injection of secrets via a mounted volume which contains a secret file which could be formatted as an env file (which could be loaded upon startup for example like: godotenv.Load() )
Temporal’s templated config file allows the configuration of the password via an environment variable which in turn is populated from a secret. By default I can see that the config file is mounted from a config map which makes it read only - so, init-containers cannot modify it.
Is it possible during startup to be able to additionally read an env-file containing the environment variables which could be injected by an init-container ?
What is the best-practice for achieving the above (not storing db password as a k8s secret)
I saw several past threads on this topic, but there didnt seem to be a conclusion. Hence this post.
One solution appears be to create an init-container that would create the static config file using the vault-agent injected database password - so the database password is directly in the config file and not in a secret. have any others used this ?