Add Infisical token-reviewer RBAC for Kubernetes Auth
Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to system:auth-delegator (TokenReview), explicit long-lived SA token Secret (k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't strip the controller-populated token. Token value never committed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,25 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: infisical-operator-rbac
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: infisical-operator
|
||||
server: https://kubernetes.default.svc
|
||||
project: default
|
||||
source:
|
||||
path: infisical-operator-rbac
|
||||
repoURL: https://git.chemavx.xyz/chemavx/k8s-manifests
|
||||
targetRevision: main
|
||||
ignoreDifferences:
|
||||
# token controller injects .data into the Secret; don't let selfHeal wipe it
|
||||
- group: ""
|
||||
kind: Secret
|
||||
name: infisical-token-reviewer
|
||||
jsonPointers:
|
||||
- /data
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
Reference in New Issue
Block a user