{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "minio.secretName" . }}
  labels:
    app: {{ template "minio.name" . }}
    chart: {{ template "minio.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  rootUser: {{ include "minio.root.username" . | b64enc | quote }}
  rootPassword: {{ include "minio.root.password" . | b64enc | quote }}

```

### MinIO Custom Access and Secret Keys using Docker secrets

To override MinIO's auto-generated keys, you may pass secret and access keys explicitly by creating access and secret keys as [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). MinIO server also allows regular strings as access and secret keys.

```
echo "AKIAIOSFODNN7EXAMPLE" | docker secret create access_key -

For testing purposes, here is [how to create self-signed certificates](https://github.com/minio/minio/tree/master/docs/tls#3-generate-self-signed-certificates).

## 2. Create Kubernetes secret

[Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret) are intended to hold sensitive information.

#### Fix it with `secrets.compare_digest()` { #fix-it-with-secrets-compare-digest }

But in our code we are actually using `secrets.compare_digest()`.

In short, it will take the same time to compare `stanleyjobsox` to `stanleyjobson` than it takes to compare `johndoe` to `stanleyjobson`. And the same for the password.

        with:
          role-to-assume: arn:aws:iam::992382829881:role/GHASecrets_gradle_all
          aws-region: "eu-central-1"
      - name: get secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@v3
        with:
          secret-ids: |
            PERFORMANCE_DB_URL, gha/gradle/_all/PERFORMANCE_DB_URL
            PERFORMANCE_DB_USERNAME, gha/gradle/_all/PERFORMANCE_DB_USERNAME

    runs-on: ubuntu-latest
    steps:
      - name: Get Secrets
        uses: gradle/actions-internal/get-aws-secrets@v1
        if: (github.event_name != 'pull_request' && github.repository_owner == 'gradle') || github.event.pull_request.head.repo.full_name == github.repository
        with:
          role-to-assume: arn:aws:iam::992382829881:role/GHASecrets_gradle_all
          secret-ids: |

import secrets

from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials

app = FastAPI()

security = HTTPBasic()


def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
    current_username_bytes = credentials.username.encode("utf8")
    correct_username_bytes = b"stanleyjobson"
    is_correct_username = secrets.compare_digest(

        current_username_bytes, correct_username_bytes
    )
    current_password_bytes = credentials.password.encode("utf8")
    correct_password_bytes = b"swordfish"
    is_correct_password = secrets.compare_digest(
        current_password_bytes, correct_password_bytes
    )
    if not (is_correct_username and is_correct_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,

        with:
          role-to-assume: arn:aws:iam::992382829881:role/GHASecrets_gradle_all
          aws-region: "eu-central-1"
      
      - name: Get secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@v3
        with:
          secret-ids: |
            PERFORMANCE_DB_URL, gha/gradle/_all/PERFORMANCE_DB_URL
            PERFORMANCE_DB_USERNAME, gha/gradle/_all/PERFORMANCE_DB_USERNAME

## 检查用户名 { #check-the-username }

以下是更完整的示例。

使用依赖项检查用户名与密码是否正确。

为此要使用 Python 标准模块 [`secrets`](https://docs.python.org/3/library/secrets.html) 检查用户名与密码。

`secrets.compare_digest()` 需要仅包含 ASCII 字符（英语字符）的 `bytes` 或 `str`，这意味着它不适用于像`á`一样的字符，如 `Sebastián`。

为了解决这个问题，我们首先将 `username` 和 `password` 转换为使用 UTF-8 编码的 `bytes` 。

然后我们可以使用 `secrets.compare_digest()` 来确保 `credentials.username` 是 `"stanleyjobson"`，且 `credentials.password` 是`"swordfish"`。