Add shared Infisical auth layer (InfisicalConnection + InfisicalAuth)
Phase 2: GitOps-managed shared auth layer in infisical-operator ns — InfisicalConnection (https://infisical.chemavx.xyz) + InfisicalAuth (kubernetes method, operator SA via TokenReview) + identity-ID Secret (non-secret UUID; auth is via SA token, so safe in git). To be referenced cross-namespace by per-app InfisicalStaticSecret CRs later. No real secret yet. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,18 @@
|
||||
apiVersion: secrets.infisical.com/v1beta1
|
||||
kind: InfisicalAuth
|
||||
metadata:
|
||||
name: infisical-auth
|
||||
namespace: infisical-operator
|
||||
spec:
|
||||
infisicalConnectionRef:
|
||||
name: infisical-connection
|
||||
namespace: infisical-operator
|
||||
method: kubernetes
|
||||
kubernetes:
|
||||
identityIdRef:
|
||||
name: infisical-machine-identity
|
||||
namespace: infisical-operator
|
||||
key: identityId
|
||||
serviceAccountRef:
|
||||
name: infisical-opera-controller-manager # operator's own SA = the allow-listed identity
|
||||
namespace: infisical-operator
|
||||
Reference in New Issue
Block a user