Closed
Labels: enhancement (New feature or request)
Description
Ideally, when we configure authentication to Temporal Web, we shouldn't pass the plaintext client secret as a Helm value but instead pass the name of the Kubernetes Secret which contains the client secret.
Right now, all of .Values.web.config is simply just dumped into a ConfigMap [1] then mounted to the Deployment [2]. Temporal Web reads from this configuration file [3].
Some initial ideas:
- Maybe we should be able to create a Kubernetes Secret separately that contains the entire configuration file and pass its name as a Helm value. Then we can mount the Secret in the web Deployment.
- We could possibly also just put the client secret in the Kubernetes secret (as opposed to the entire configuration file) though I haven't thought through exactly how that'd look in terms of templates.
[1] https://github.com/temporalio/helm-charts/blob/master/templates/web-configmap.yaml
[2] https://github.com/temporalio/helm-charts/blob/master/templates/web-deployment.yaml
[3] https://github.com/temporalio/web/blob/master/server/auth/index.js
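
A check for the problem described in this issue, as an added example that is not part of the original issue or of the chart: it scans ConfigMap objects in JSON form (for example the output of `kubectl get configmap -o json`) for config-file lines that carry a literal credential. The field-name list, the placeholder patterns and the sample manifests are assumptions constructed for illustration.

```python
import json
import re

# Field names treated as credentials (assumed list; adjust to your config schema).
SECRET_FIELD = re.compile(
    r"^\s*-?\s*[\"']?(?P<key>[\w.-]*(?:client_secret|password|api_key)[\w.-]*)"
    r"[\"']?\s*[:=]\s*(?P<val>.*)$",
    re.IGNORECASE,
)
# Empty values and placeholder references are not literal secrets (assumed patterns).
NON_LITERAL = re.compile(r"^(?:|null|~|\"\"|''|\$\{.*\}|\{\{.*\}\})$")


def find_plaintext_secrets(manifest_json):
    """Return (configmap, data key, line number, field) per literal secret."""
    doc = json.loads(manifest_json)
    findings = []
    # Accept either a kubectl "List" wrapper or a single object.
    for obj in doc.get("items") or [doc]:
        if obj.get("kind") != "ConfigMap":
            continue  # Secrets and other kinds are out of scope for this check
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        for data_key, text in (obj.get("data") or {}).items():
            for lineno, line in enumerate(text.splitlines(), start=1):
                m = SECRET_FIELD.match(line)
                if not m:
                    continue
                value = m.group("val").split(" #")[0].strip()  # drop inline comment
                if not NON_LITERAL.match(value):
                    findings.append((name, data_key, lineno, m.group("key")))
    return findings


# Constructed sample: one ConfigMap with a literal secret, one with a placeholder.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "demo-web-config"},
     "data": {"config.yml": "auth:\n  enabled: true\n  providers:\n"
                            "    - label: sso\n      client_id: demo-client\n"
                            "      client_secret: s3cr3t-constructed\n"}},
    {"kind": "ConfigMap", "metadata": {"name": "demo-web-config-ref"},
     "data": {"config.yml": "auth:\n  providers:\n"
                            "    - client_secret: ${CLIENT_SECRET}\n"}},
    {"kind": "Secret", "metadata": {"name": "demo-web-secret"}, "data": {}},
]})

if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE):
        print("plaintext secret in ConfigMap %s, key %s, line %d: %s" % finding)
```

Run in CI against rendered or live manifests, a non-empty result means a credential is readable by anyone with `get` on ConfigMaps in the namespace.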