🤖 Generated by the Daily AI Engineer
Problem
The local-dev MinIO Deployment (k8s/providers/docker/infrastructure/controllers/minio/deployment.yaml) hardcodes MINIO_ROOT_USER=minio / MINIO_ROOT_PASSWORD=minio-local-development-only as plaintext env values. Kubescape flags it as C-0012 (applications credentials in configuration files) — with the justified-exception wiring landing via #2584 it is the single residual NSA finding in the CI scan, and the bucket-provisioning Job in the same directory shares the credential.
Blast radius is small (Docker test-bed only; prod uses the Hetzner provider and does not deploy this MinIO), but plaintext credentials in git manifests are exactly what C-0012 exists to catch, and the finding permanently depresses the CI score floor.
Proposed direction
Fix at the root rather than except: move the credential into a Kustomize secretGenerator (or a bootstrap-generated Secret) in the docker provider overlay and reference it via secretKeyRef/envFrom from both the Deployment and the Job. If the maintainer instead deems a well-known local-dev credential by-design, the alternative is a minimal kind+name ClusterSecurityException scoped to this one Deployment — but the root fix is preferred and mechanical.
Rough size
S — two manifests plus a generator stanza; validate with ksail workload validate and confirm the scan goes clean with --exceptions applied.
Part of #2447.
Problem
The local-dev MinIO Deployment (
k8s/providers/docker/infrastructure/controllers/minio/deployment.yaml) hardcodesMINIO_ROOT_USER=minio/MINIO_ROOT_PASSWORD=minio-local-development-onlyas plaintext env values. Kubescape flags it as C-0012 (applications credentials in configuration files) — with the justified-exception wiring landing via #2584 it is the single residual NSA finding in the CI scan, and the bucket-provisioning Job in the same directory shares the credential.Blast radius is small (Docker test-bed only; prod uses the Hetzner provider and does not deploy this MinIO), but plaintext credentials in git manifests are exactly what C-0012 exists to catch, and the finding permanently depresses the CI score floor.
Proposed direction
Fix at the root rather than except: move the credential into a Kustomize
secretGenerator(or a bootstrap-generated Secret) in the docker provider overlay and reference it viasecretKeyRef/envFromfrom both the Deployment and the Job. If the maintainer instead deems a well-known local-dev credential by-design, the alternative is a minimal kind+nameClusterSecurityExceptionscoped to this one Deployment — but the root fix is preferred and mechanical.Rough size
S — two manifests plus a generator stanza; validate with
ksail workload validateand confirm the scan goes clean with--exceptionsapplied.Part of #2447.