|
|
@@ -4469,6 +4469,17 @@
|
|
|
<nav class="md-nav" aria-label="Fetching Secrets">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#key-resolution-for-remoterefkey" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Key resolution for remoteRef.key
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#fetch-individual-secrets" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
@@ -4555,6 +4566,17 @@
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#validation-and-auth-method-precedence" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Validation and Auth Method Precedence
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
</ul>
|
|
|
@@ -6018,6 +6040,17 @@
|
|
|
<nav class="md-nav" aria-label="Fetching Secrets">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#key-resolution-for-remoterefkey" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Key resolution for remoteRef.key
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#fetch-individual-secrets" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
@@ -6104,6 +6137,17 @@
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#validation-and-auth-method-precedence" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Validation and Auth Method Precedence
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
</ul>
|
|
|
@@ -6130,6 +6174,9 @@
|
|
|
|
|
|
<p><img alt="Infisical k8s Diagram" src="../../pictures/external-secrets-operator.png" /></p>
|
|
|
<p>Sync secrets from <a href="https://www.infisical.com">Infisical</a> to your Kubernetes cluster using External Secrets Operator.</p>
|
|
|
+<blockquote>
|
|
|
+<p><strong>Note</strong>: The Infisical provider is read-only. PushSecret is not supported.</p>
|
|
|
+</blockquote>
|
|
|
<h2 id="authentication">Authentication</h2>
|
|
|
<p>In order for the operator to fetch secrets from Infisical, it needs to first authenticate with Infisical using a <a href="https://infisical.com/docs/documentation/platform/identities/machine-identities">Machine Identity</a>.</p>
|
|
|
<p>The Infisical provider supports multiple authentication methods to accommodate different deployment environments:</p>
|
|
|
@@ -6226,7 +6273,7 @@
|
|
|
</code></pre></div>
|
|
|
<div class="admonition note">
|
|
|
<p class="admonition-title">Note</p>
|
|
|
-<p>For <code>ClusterSecretStore</code>, be sure to set <code>namespace</code> in <code>universalAuthCredentials.clientId</code> and <code>universalAuthCredentials.clientSecret</code>.</p>
|
|
|
+<p>For <code>ClusterSecretStore</code>, set <code>namespace</code> on <code>universalAuthCredentials.clientId</code> and <code>universalAuthCredentials.clientSecret</code> to the namespace where the credentials Secret resides. For a regular <code>SecretStore</code>, omit <code>namespace</code> -- setting it causes a validation error.</p>
|
|
|
</div>
|
|
|
<hr />
|
|
|
<h2 id="kubernetes-auth">Kubernetes Auth</h2>
|
|
|
@@ -6653,6 +6700,10 @@
|
|
|
<p class="admonition-title">Warning</p>
|
|
|
<p>Token Auth tokens do not automatically renew. When the token expires, you will need to generate a new one and update the Kubernetes secret.</p>
|
|
|
</div>
|
|
|
+<div class="admonition note">
|
|
|
+<p class="admonition-title">Note</p>
|
|
|
+<p>Unlike all other authentication methods, Token Auth does not revoke the access token when the provider client is closed. The token remains valid in Infisical until it expires naturally. Other auth methods (Universal, Kubernetes, AWS, etc.) revoke their machine identity access token on each reconcile cycle.</p>
|
|
|
+</div>
|
|
|
<hr />
|
|
|
<h2 id="fetching-secrets">Fetching Secrets</h2>
|
|
|
<p>For the following examples, it assumes we have a secret structure in an Infisical project with the following structure:</p>
|
|
|
@@ -6664,6 +6715,34 @@
|
|
|
/ADMIN_PASSWORD
|
|
|
</code></pre></div>
|
|
|
<p>Where <code>JSON_BLOB</code> is a JSON string like <code>{"key": "value"}</code>.</p>
|
|
|
+<h3 id="key-resolution-for-remoterefkey">Key resolution for <code>remoteRef.key</code></h3>
|
|
|
+<p>The <code>remoteRef.key</code> field resolves secret location using three rules:</p>
|
|
|
+<table>
|
|
|
+<thead>
|
|
|
+<tr>
|
|
|
+<th>Key format</th>
|
|
|
+<th>Resolution</th>
|
|
|
+</tr>
|
|
|
+</thead>
|
|
|
+<tbody>
|
|
|
+<tr>
|
|
|
+<td><code>FOO</code> (no slash)</td>
|
|
|
+<td>Uses <code>secretsScope.secretsPath</code> as the folder; <code>FOO</code> is the secret name</td>
|
|
|
+</tr>
|
|
|
+<tr>
|
|
|
+<td><code>/my-app/FOO</code> (leading slash)</td>
|
|
|
+<td>Absolute path: folder is <code>/my-app</code>, secret name is <code>FOO</code>. <code>secretsScope.secretsPath</code> is ignored</td>
|
|
|
+</tr>
|
|
|
+<tr>
|
|
|
+<td><code>sub/FOO</code> (slash, no leading <code>/</code>)</td>
|
|
|
+<td>Relative path: <code>sub</code> is joined to <code>secretsScope.secretsPath</code>, <code>FOO</code> is the secret name</td>
|
|
|
+</tr>
|
|
|
+</tbody>
|
|
|
+</table>
|
|
|
+<div class="admonition note">
|
|
|
+<p class="admonition-title">Note</p>
|
|
|
+<p>Both <code>GetSecret</code> (single-secret lookup) and <code>GetAllSecrets</code> (dataFrom) always set <code>IncludeImports: true</code>. Secrets imported from linked Infisical projects are automatically included in results. There is no option to disable this.</p>
|
|
|
+</div>
|
|
|
<h3 id="fetch-individual-secrets">Fetch Individual Secret(s)</h3>
|
|
|
<p>To sync one or more secrets individually, use the following YAML:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
|
|
|
@@ -6717,7 +6796,7 @@
|
|
|
<span class="w"> </span><span class="nt">regexp</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">.*</span>
|
|
|
</code></pre></div>
|
|
|
<h3 id="filtering-secrets">Filtering Secrets</h3>
|
|
|
-<p>To filter secrets by <code>path</code> (path prefix) and <code>name</code> (regular expression):</p>
|
|
|
+<p>Use <code>dataFrom.find</code> to filter secrets by name regex and/or folder path:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
|
|
|
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
<span class="nt">metadata</span><span class="p">:</span>
|
|
|
@@ -6732,11 +6811,22 @@
|
|
|
|
|
|
<span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">find</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DB_</span>
|
|
|
+<span class="w"> </span><span class="c1"># Filter by secret name using a regular expression.</span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">regexp</span><span class="p">:</span><span class="w"> </span><span class="s">"^DB_.*"</span>
|
|
|
+<span class="w"> </span><span class="c1"># Optionally also restrict to a folder path (must be an absolute path</span>
|
|
|
+<span class="w"> </span><span class="c1"># starting with `/`). Omit to search the entire secretsScope.secretsPath.</span>
|
|
|
+<span class="w"> </span><span class="c1"># path: /my-app</span>
|
|
|
</code></pre></div>
|
|
|
+<p>The following restrictions apply:</p>
|
|
|
+<ul>
|
|
|
+<li><code>find.name.regexp</code> matches against the secret name. At least one of <code>find.name</code> or <code>find.path</code> must be provided.</li>
|
|
|
+<li><code>find.path</code> filters by folder path prefix. The value must be an absolute path starting with <code>/</code> (e.g. <code>/my-app</code>). It is matched against the <code>secretPath</code> field of each secret.</li>
|
|
|
+<li><code>find.tags</code> is <strong>not supported</strong> and returns an error if set.</li>
|
|
|
+</ul>
|
|
|
<hr />
|
|
|
<h2 id="custom-ca-certificates">Custom CA Certificates</h2>
|
|
|
-<p>If you are using a self-hosted Infisical instance with a self-signed certificate or a certificate signed by a private CA, you can configure the provider to trust it.</p>
|
|
|
+<p>If you are using a self-hosted Infisical instance with a self-signed certificate or a certificate signed by a private CA, you can configure the provider to trust it. Set <code>hostAPI</code> to the base URL of your Infisical server (without the <code>/api</code> suffix -- the operator appends it automatically).</p>
|
|
|
<h3 id="using-cabundle-inline">Using caBundle (inline)</h3>
|
|
|
<p>You can provide the CA certificate directly as a base64-encoded PEM bundle:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
|
|
|
@@ -6789,7 +6879,7 @@
|
|
|
</code></pre></div>
|
|
|
<div class="admonition note">
|
|
|
<p class="admonition-title">Note</p>
|
|
|
-<p>For <code>ClusterSecretStore</code>, be sure to set <code>namespace</code> in <code>caProvider</code>.</p>
|
|
|
+<p><code>caBundle</code> and <code>caProvider</code> are mutually exclusive -- set only one. For <code>ClusterSecretStore</code>, <code>caProvider.namespace</code> is required. For a regular <code>SecretStore</code>, <code>caProvider.namespace</code> must be omitted.</p>
|
|
|
</div>
|
|
|
<hr />
|
|
|
<h2 id="secrets-scope-configuration">Secrets Scope Configuration</h2>
|
|
|
@@ -6840,6 +6930,14 @@
|
|
|
<p class="admonition-title">Tip</p>
|
|
|
<p>To get your project slug from Infisical, head over to the project settings and click the button <code>Copy Project Slug</code>.</p>
|
|
|
</div>
|
|
|
+<div class="admonition note">
|
|
|
+<p class="admonition-title">Note</p>
|
|
|
+<p><code>secretsPath</code> is a default scope for secret lookups, not a security boundary. A <code>remoteRef.key</code> that begins with <code>/</code> is always treated as an absolute path and bypasses <code>secretsPath</code> entirely. To enforce that the operator can only access secrets under a specific path, configure Access Controls in Infisical rather than relying on <code>secretsPath</code>.</p>
|
|
|
+</div>
|
|
|
+<hr />
|
|
|
+<h2 id="validation-and-auth-method-precedence">Validation and Auth Method Precedence</h2>
|
|
|
+<p><code>ValidateStore</code> only performs field-level validation for the <code>universalAuthCredentials</code> block. All other authentication methods (Kubernetes, AWS, Azure, GCP, JWT, LDAP, OCI, Token) are not statically validated -- missing required fields are caught at runtime when the provider first attempts to authenticate.</p>
|
|
|
+<p>If multiple authentication blocks are set simultaneously, the provider selects the first one it finds in this order: <code>universalAuthCredentials</code> > <code>azureAuthCredentials</code> > <code>gcpIdTokenAuthCredentials</code> > <code>gcpIamAuthCredentials</code> > <code>jwtAuthCredentials</code> > <code>ldapAuthCredentials</code> > <code>ociAuthCredentials</code> > <code>kubernetesAuthCredentials</code> > <code>awsAuthCredentials</code> > <code>tokenAuthCredentials</code>. Only one auth block should be set per store.</p>
|
|
|
|
|
|
|
|
|
|
Skarlso