Skip to content

fix(minio): source local-dev MinIO credentials from a Secret (Kubescape C-0012) #2585

Description

@devantler

🤖 Generated by the Daily AI Engineer

Problem

The local-dev MinIO Deployment (k8s/providers/docker/infrastructure/controllers/minio/deployment.yaml) hardcodes MINIO_ROOT_USER=minio / MINIO_ROOT_PASSWORD=minio-local-development-only as plaintext env values. Kubescape flags it as C-0012 (applications credentials in configuration files) — with the justified-exception wiring landing via #2584 it is the single residual NSA finding in the CI scan, and the bucket-provisioning Job in the same directory shares the credential.

Blast radius is small (Docker test-bed only; prod uses the Hetzner provider and does not deploy this MinIO), but plaintext credentials in git manifests are exactly what C-0012 exists to catch, and the finding permanently depresses the CI score floor.

Proposed direction

Fix at the root rather than except: move the credential into a Kustomize secretGenerator (or a bootstrap-generated Secret) in the docker provider overlay and reference it via secretKeyRef/envFrom from both the Deployment and the Job. If the maintainer instead deems a well-known local-dev credential by-design, the alternative is a minimal kind+name ClusterSecurityException scoped to this one Deployment — but the root fix is preferred and mechanical.

Rough size

S — two manifests plus a generator stanza; validate with ksail workload validate and confirm the scan goes clean with --exceptions applied.

Part of #2447.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    ✅ Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions