- in SSO 2.x, config was provided as a YAML decorator. The !env directive was not supported there. The docs mentioned a workaround to use a template file, and post-process it with the envsubst command, resulting in secrets stored in plain text, as you noted.
- in SSO 3.x (since 3.0.1 actually), we now load config through a specific "yaml bridge", and we do support the !env directive there. So there shouldn't be any secrets in plain text anymore. We just realized that we forgot to update documentation for this. Let me file a ticket.
|