Add shared Infisical auth layer (InfisicalConnection + InfisicalAuth)
Phase 2: GitOps-managed shared auth layer in infisical-operator ns — InfisicalConnection (https://infisical.chemavx.xyz) + InfisicalAuth (kubernetes method, operator SA via TokenReview) + identity-ID Secret (non-secret UUID; auth is via SA token, so safe in git). To be referenced cross-namespace by per-app InfisicalStaticSecret CRs later. No real secret yet. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,18 @@
|
||||
apiVersion: secrets.infisical.com/v1beta1
|
||||
kind: InfisicalAuth
|
||||
metadata:
|
||||
name: infisical-auth
|
||||
namespace: infisical-operator
|
||||
spec:
|
||||
infisicalConnectionRef:
|
||||
name: infisical-connection
|
||||
namespace: infisical-operator
|
||||
method: kubernetes
|
||||
kubernetes:
|
||||
identityIdRef:
|
||||
name: infisical-machine-identity
|
||||
namespace: infisical-operator
|
||||
key: identityId
|
||||
serviceAccountRef:
|
||||
name: infisical-opera-controller-manager # operator's own SA = the allow-listed identity
|
||||
namespace: infisical-operator
|
||||
@@ -0,0 +1,7 @@
|
||||
apiVersion: secrets.infisical.com/v1beta1
|
||||
kind: InfisicalConnection
|
||||
metadata:
|
||||
name: infisical-connection
|
||||
namespace: infisical-operator
|
||||
spec:
|
||||
address: https://infisical.chemavx.xyz # bare host, no /api (operator appends it)
|
||||
@@ -0,0 +1,11 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: infisical-machine-identity
|
||||
namespace: infisical-operator
|
||||
type: Opaque
|
||||
stringData:
|
||||
# Non-secret UUID for machine identity "k8s-operator". Required as a secretRef
|
||||
# by the InfisicalAuth schema; auth happens via the operator's SA token (TokenReview),
|
||||
# so this value grants nothing on its own. Safe to commit.
|
||||
identityId: "42c12566-1058-4674-a5f5-0cc1bc0ea4e7"
|
||||
Reference in New Issue
Block a user