ADR-005: No plaintext secrets

Category: development Provenance: guided-ai

Decision

No sensitive configuration (passwords, API keys, certificates) may be stored as plaintext in CRDs, configuration files, or code. All sensitive data must be provided via Kubernetes Secret references.

Rationale

- Security: Prevents secrets from appearing in Git, CRD manifests, or logs.
- GitOps compatible: Works seamlessly with secret management tools (Sealed Secrets, External Secrets Operator, Vault).
- Kubernetes native: Follows standard K8s patterns for secret handling.
- RBAC integration: Secret access is controlled by K8s RBAC independently of CRD permissions.
- Audit trail: Secret access is logged separately from CRD changes.

Agent Instructions

When adding any field for sensitive data (passwords, tokens, keys, certificates), always provide a way to reference it from a Kubernetes Secret (SecretKeySelector with secretName + key). Never accept or store plaintext secrets in CRD specs, ConfigMaps, or environment variables. Validate that secret references exist during reconciliation.
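
One way to validate a secret reference during reconciliation, as an added example that is not this project's own code. `SecretKeySelector`, `SecretGetter`, `ResolveSecretRef` and `mapGetter` are hypothetical names, and the lookup function stands in for a real Kubernetes client so the block runs offline with the standard library only.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretKeySelector is a hypothetical CRD field type: it names a Secret and key, never a value.
type SecretKeySelector struct {
	SecretName string `json:"secretName"`
	Key        string `json:"key"`
}

// SecretGetter is an assumed stand-in for a namespaced Kubernetes Secret lookup.
type SecretGetter func(namespace, name string) (map[string][]byte, bool)

var ErrInvalidRef = errors.New("secret reference is incomplete")
var ErrSecretNotFound = errors.New("referenced secret not found")
var ErrKeyNotFound = errors.New("referenced key not found or empty")

// ResolveSecretRef validates the reference; its errors name only the Secret and key, so they are safe to log.
func ResolveSecretRef(get SecretGetter, namespace string, ref SecretKeySelector) ([]byte, error) {
	if ref.SecretName == "" || ref.Key == "" {
		return nil, fmt.Errorf("%w: secretName and key are both required", ErrInvalidRef)
	}
	data, ok := get(namespace, ref.SecretName)
	if !ok {
		return nil, fmt.Errorf("%w: %s/%s", ErrSecretNotFound, namespace, ref.SecretName)
	}
	val, ok := data[ref.Key]
	if !ok || len(val) == 0 {
		return nil, fmt.Errorf("%w: %s/%s key %q", ErrKeyNotFound, namespace, ref.SecretName, ref.Key)
	}
	return val, nil
}

// mapGetter serves constructed sample data keyed by "namespace/name".
func mapGetter(store map[string]map[string][]byte) SecretGetter {
	return func(ns, name string) (map[string][]byte, bool) {
		d, ok := store[ns+"/"+name]
		return d, ok
	}
}

func main() {
	get := mapGetter(map[string]map[string][]byte{"apps/db-creds": {"password": []byte("constructed-sample")}})
	_, err := ResolveSecretRef(get, "apps", SecretKeySelector{SecretName: "db-creds", Key: "token"})
	fmt.Println(err) // the message names the reference, never a secret value
}
```

In a real controller the returned error would typically be surfaced as a status condition and the reconcile requeued, so a Secret created later is picked up.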