Add Infisical token-reviewer RBAC for Kubernetes Auth

Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to
system:auth-delegator (TokenReview), explicit long-lived SA token Secret
(k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't
strip the controller-populated token. Token value never committed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-18 16:05:59 +00:00
co-authored by Claude Opus 4.8
parent 2c81ab03a7
commit 5f6b491ed3
4 changed files with 52 additions and 0 deletions
@@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infisical-operator-rbac
namespace: argocd
spec:
destination:
namespace: infisical-operator
server: https://kubernetes.default.svc
project: default
source:
path: infisical-operator-rbac
repoURL: https://git.chemavx.xyz/chemavx/k8s-manifests
targetRevision: main
ignoreDifferences:
# token controller injects .data into the Secret; don't let selfHeal wipe it
- group: ""
kind: Secret
name: infisical-token-reviewer
jsonPointers:
- /data
syncPolicy:
automated:
prune: true
selfHeal: true