Comment 5 for bug 1865036

I am not entirely sure. By all means one should not put top secret stuff in metadata (due to other drawbacks there, like access by any process on that instance, potential ip address spoofing with ironic deploys etc.), but I could not find in docs that exact recommendation. Also, what is the purpose of request validation via metadata_proxy_shared_secret which eliminates the X-Forwarder-For issue already?