Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello! According to hydra docs, the dsn should be passed in `hydra.config.dsn` config or reference a value from secret to set it on [runtime](<https://github.com/ory/k8s/blob/master/docs/helm/hydra.md#set-up-dsn-variable-on-runtime>).
Is there any way to avoid passing DSN as environment variable?

We pass it through as a Secret, which is then masked from being displayed as a plaintext env var from `kubectl describe pod` etc if that's the concern?
```      env:
        - name: DSN
          valueFrom:
            secretKeyRef:
              name: hydra
              key: dsn```

That's correct, however if you execute the container, dsn is visible as an env var in plaintext

If someone has exec'd into your container they'll be able to see the DSN no matter where it'll be. (For example, they could just run `cat /etc/config/hydra.yaml` ) - You'd probably have bigger security concerns if someone malicious had got that far into your system too.

If executing is a concern, you should look into RBAC so that users are unable to exec within certain namespaces