Secrets at deploy: re-plumb a leaky deployment

Take a small Kubernetes-deployed service whose secret is baked into the image, committed as a base64 Secret, and injected as an env var — and re-plumb it so the secret enters only at runtime, is encrypted at rest and in git, and rotates without a pod restart. Prove every leak is closed with a concrete command, not a claim.

• Stand up a small service (your own or a starter) deployed to a local cluster (kind/minikube) that reads one secret (e.g. a DB password or API key). Deliberately wire it the wrong way first: bake the secret via Dockerfile ENV or --build-arg, commit a base64 Kubernetes Secret to a git repo, and inject the value as an environment variable.
• Demonstrate each leak before fixing: run `docker history` / `docker save` to recover the baked secret from an image layer, run `base64 -d` on the committed Secret to recover the plaintext, and trigger a crash or error so an error-tracker payload (or a captured /proc/<pid>/environ) shows the env value.
• Move the secret out of the image: rebuild with zero secret material in any layer (no ENV, no COPY .env, no --build-arg) and re-run docker history to prove the layer is clean. The image must promote staging-to-prod carrying no environment.
• Encrypt at rest: configure an EncryptionConfiguration on the API server (KMS-backed if available), then rewrite existing Secrets (e.g. kubectl get secrets -A -o json | kubectl replace -f -) and confirm via a raw etcd read that the value is now ciphertext, not plaintext.
• Make the committed artifact genuinely safe: replace the base64 Secret in git with a Sealed Secret (or pull from a manager via the External Secrets Operator). Prove the committed blob is ciphertext by attempting to decode it without the controller and failing.
• Switch injection from env var to a mounted file (tmpfs, mode 0400). Confirm the secret is absent from the container environment and /proc/<pid>/environ, and that a fresh crash dump no longer contains it.
• Rotate the secret and show the running pod picks up the new value in place via the mounted file — no pod restart — and that the application reloads it. Record the rotation latency.

• A before/after leak table: for each of the three original leaks (image layer, base64 git Secret, env crash dump), the exact command that exposed it before and the same command showing nothing usable after.
• Evidence that the production image contains no secret material in any layer (docker history output) and that etcd now stores the value as ciphertext (raw etcd read).
• The committed git artifact is a Sealed Secret (or ExternalSecret reference) that cannot be decoded without the in-cluster controller, shown by a failed decode attempt.
• A rotation demonstration: new value applied, running pod serves it with no restart, with the measured time-to-effect recorded.