Tokens security #1701

@voron

Hello,

I've noticed both the Hetzner Cloud API token and the Hetzner Robot user & password need to be present as k8s secrets inside the managed k8s cluster to keep hccm happy. At the same time, both these tokens have full privileges across the Hetzner Cloud project and Hetzner Robot account, including the ability to cancel all the bare metal servers in no time.
I don't feel confident storing full-access API keys inside the infrastructure. What options do we have to avoid that, or am I missing something?
