Files
k8s-manifests/infisical-operator-rbac/secret-token-reviewer.yaml
chemavxandClaude Opus 4.8 5f6b491ed3 Add Infisical token-reviewer RBAC for Kubernetes Auth
Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to
system:auth-delegator (TokenReview), explicit long-lived SA token Secret
(k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't
strip the controller-populated token. Token value never committed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 16:05:59 +00:00

11 lines
392 B
YAML

apiVersion: v1
kind: Secret
metadata:
name: infisical-token-reviewer
namespace: infisical-operator
annotations:
kubernetes.io/service-account.name: infisical-token-reviewer
type: kubernetes.io/service-account-token
# .data is populated by the cluster token controller — never committed to git.
# ArgoCD ignores /data on this Secret (see application-infisical-operator-rbac.yaml).