Phase 2: GitOps-managed shared auth layer in infisical-operator ns — InfisicalConnection (https://infisical.chemavx.xyz) + InfisicalAuth (kubernetes method, operator SA via TokenReview) + identity-ID Secret (non-secret UUID; auth is via SA token, so safe in git). To be referenced cross-namespace by per-app InfisicalStaticSecret CRs later. No real secret yet. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
19 lines
531 B
YAML
19 lines
531 B
YAML
apiVersion: secrets.infisical.com/v1beta1
|
|
kind: InfisicalAuth
|
|
metadata:
|
|
name: infisical-auth
|
|
namespace: infisical-operator
|
|
spec:
|
|
infisicalConnectionRef:
|
|
name: infisical-connection
|
|
namespace: infisical-operator
|
|
method: kubernetes
|
|
kubernetes:
|
|
identityIdRef:
|
|
name: infisical-machine-identity
|
|
namespace: infisical-operator
|
|
key: identityId
|
|
serviceAccountRef:
|
|
name: infisical-opera-controller-manager # operator's own SA = the allow-listed identity
|
|
namespace: infisical-operator
|