Environent variables shown even if mounted from secretKeyRef #3641

cf-sewe · 2025-07-17T14:13:15Z

cf-sewe
Jul 17, 2025

I am puzzled with why environment variable values are shown by Headlamp, even though they are mounted via secretKeyRef and the Headlamp service account has no access to secrets nor permission to run exec.

I only found this PR: #2728. It looks OK, because it actually would hide secret values by default at least.
But with the current implementation, values are shown always and as clear text.

More concrete questions are:

Which PR changed the behaviour (where is this change implemented). Maybe it contains the motivation for this to understand if this is a bug or a feature.
How can we ensure secrets are not exposed by Headlamp?

cf-sewe · 2025-07-17T14:22:01Z

cf-sewe
Jul 17, 2025
Author

Or does it show the key used in the env definition? In my case key equals password (for a test instance), so maybe I draw wrong conclusion. But I think if thats the case, this UX could be improved to better show this is from a secret.

        - name: spring.datasource.password
          valueFrom:
            secretKeyRef:
              name: example-mariadb
              key: example

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Environent variables shown even if mounted from secretKeyRef #3641

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Environent variables shown even if mounted from secretKeyRef #3641

Uh oh!

Uh oh!

cf-sewe Jul 17, 2025

Replies: 1 comment

Uh oh!

Uh oh!

cf-sewe Jul 17, 2025 Author

cf-sewe
Jul 17, 2025

cf-sewe
Jul 17, 2025
Author