diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index a82f8ae340..2de271180b 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -6,7 +6,7 @@ services: image: nginx restart: "always" ports: - - 8085:80 + - 8080:80 - 8443:443 volumes: - ./nginx/default.dev.conf:/etc/nginx/conf.d/default.conf:ro @@ -35,16 +35,16 @@ services: volumes: - redis_data:/data - # redis-commander: - # container_name: infisical-dev-redis-commander - # image: rediscommander/redis-commander - # restart: always - # depends_on: - # - redis - # environment: - # - REDIS_HOSTS=local:redis:6379 - # ports: - # - "8085:8081" + redis-commander: + container_name: infisical-dev-redis-commander + image: rediscommander/redis-commander + restart: always + depends_on: + - redis + environment: + - REDIS_HOSTS=local:redis:6379 + ports: + - "8085:8081" db-test: profiles: ["test"] @@ -129,18 +129,18 @@ services: - ./frontend/public:/app/public env_file: .env - # pgadmin: - # image: dpage/pgadmin4 - # restart: always - # volumes: - # - ./servers.json:/pgadmin4/servers.json - # environment: - # PGADMIN_DEFAULT_EMAIL: admin@example.com - # PGADMIN_DEFAULT_PASSWORD: pass - # ports: - # - 5050:80 - # depends_on: - # - db + pgadmin: + image: dpage/pgadmin4 + restart: always + volumes: + - ./servers.json:/pgadmin4/servers.json + environment: + PGADMIN_DEFAULT_EMAIL: admin@example.com + PGADMIN_DEFAULT_PASSWORD: pass + ports: + - 5050:80 + depends_on: + - db smtp-server: container_name: infisical-dev-smtp-server @@ -197,4 +197,4 @@ volumes: driver: local ldap_data: ldap_config: - grafana_storage: + grafana_storage: \ No newline at end of file diff --git a/k8-operator/api/v1alpha1/infisicalsecret_types.go b/k8-operator/api/v1alpha1/infisicalsecret_types.go index 0e34c76cd5..e2e0c7b665 100644 --- a/k8-operator/api/v1alpha1/infisicalsecret_types.go +++ b/k8-operator/api/v1alpha1/infisicalsecret_types.go 
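Review bot: The pgadmin hunk (@@ -129) checks in a fixed admin credential, `PGADMIN_DEFAULT_PASSWORD: pass`, and publishes the console with `- 5050:80`, which binds every host interface, so anything that can reach the developer's machine gets a pgadmin login with the mounted `servers.json` connections preloaded. The redis-commander hunk (@@ -35) has the same exposure with `- "8085:8081"`, and nothing in its environment block enables authentication on the commander itself. Even for a dev compose file, prefer `PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD:-pass}` so a real value can come from `.env`, and bind both UIs to loopback with `- 127.0.0.1:5050:80` and `- "127.0.0.1:8085:8081"`.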
@@ -161,7 +161,7 @@ type InfisicalSecretSpec struct { // +kubebuilder:validation:Optional TLS TLSConfig `json:"tls"` - // +kubebuilder:default:=true + // +kubebuilder:default:=false InstantUpdates bool `json:"instantUpdates"` } diff --git a/k8-operator/config/samples/crd/infisicalsecret/infisicalSecretCrd.yaml b/k8-operator/config/samples/crd/infisicalsecret/infisicalSecretCrd.yaml index 69399321c1..6ea6dc5611 100644 --- a/k8-operator/config/samples/crd/infisicalsecret/infisicalSecretCrd.yaml +++ b/k8-operator/config/samples/crd/infisicalsecret/infisicalSecretCrd.yaml 
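Review bot: Flipping the marker to `+kubebuilder:default:=false` changes behaviour for every existing InfisicalSecret that omitted `instantUpdates`: once the regenerated CRD is applied those objects default to false and silently stop receiving instant updates, and nothing in the diff records this as a deliberate opt-in change. The marker only takes effect through the generated CRD manifest, which does not appear in this diff, so confirm the `make manifests` output is part of the change. The field also has no doc comment; add `// InstantUpdates opts the resource into the server-sent-events subscription so secret changes are applied without waiting for resyncInterval. Defaults to false.` above it. The enclosing `InfisicalSecretSpec` struct starts and ends outside the hunk.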
@@ -7,39 +7,100 @@ metadata: annotations: example.com/annotation-to-be-passed-to-managed-secret: "sample-value" spec: - hostAPI: http://localhost:8085/api + hostAPI: http://localhost:8080/api resyncInterval: 10 - instantUpdates: true + instantUpdates: false # tls: # caRef: # secretName: custom-ca-certificate # secretNamespace: default # key: ca.crt authentication: - # Make sure to only have 1 authentication method defined, serviceToken/universalAuth. - # If you have multiple authentication methods defined, it may cause issues. - - # (Deprecated) Service Token Auth - # serviceToken: - # serviceTokenSecretReference: - # secretName: service-token - # secretNamespace: default - # secretsScope: - # envSlug: - # secretsPath: - # recursive: true - # Universal Auth universalAuth: secretsScope: - projectSlug: test-j7-kx + projectSlug: hello-9zkr envSlug: dev # "dev", "staging", "prod", etc.. secretsPath: "/" # Root is "/" - recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false + recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false credentialsRef: secretName: universal-auth-credentials secretNamespace: default + # Native Kubernetes Auth + kubernetesAuth: + serviceAccountRef: + name: + namespace: + identityId: + serviceAccountTokenPath: "/path/to/your/service-account/token" # Optional, defaults to /var/run/secrets/kubernetes.io/serviceaccount/token + + # secretsScope is identical to the secrets scope in the universalAuth field in this sample. + secretsScope: + projectSlug: your-project-slug + envSlug: prod + secretsPath: "/path" + recursive: true + + # AWS IAM Auth + awsIamAuth: + identityId: + + # secretsScope is identical to the secrets scope in the universalAuth field in this sample. 
+ secretsScope: + projectSlug: your-project-slug + envSlug: prod + secretsPath: "/path" + recursive: true + + ldapAuth: + identityId: + credentialsRef: + secretName: # ldap-auth-credentials + secretNamespace: # default + + # secretsScope is identical to the secrets scope in the universalAuth field in this sample. + secretsScope: + projectSlug: your-project-slug + envSlug: prod + secretsPath: "/path" + recursive: true + + # Azure Auth + azureAuth: + identityId: + resource: https://management.azure.com/&client_id=your_client_id # This field is optional, and will default to "https://management.azure.com/" if nothing is provided. + + # secretsScope is identical to the secrets scope in the universalAuth field in this sample. + secretsScope: + projectSlug: your-project-slug + envSlug: prod + secretsPath: "/path" + recursive: true + + # GCP ID Token Auth + gcpIdTokenAuth: + identityId: + + # secretsScope is identical to the secrets scope in the universalAuth field in this sample. + secretsScope: + projectSlug: your-project-slug + envSlug: prod + secretsPath: "/path" + recursive: true + + # GCP IAM Auth + gcpIamAuth: + identityId: + serviceAccountKeyFilePath: "/path/to-service-account-key-file-path.json" + + # secretsScope is identical to the secrets scope in the universalAuth field in this sample. + secretsScope: + projectSlug: your-project-slug + envSlug: prod + secretsPath: "/path" + recursive: true + managedKubeSecretReferences: - secretName: managed-secret secretNamespace: default diff --git a/k8-operator/config/samples/k8s-auth/sample.yaml b/k8-operator/config/samples/k8s-auth/sample.yaml index 31f1be5b60..91f910aff5 100644 --- a/k8-operator/config/samples/k8s-auth/sample.yaml +++ b/k8-operator/config/samples/k8s-auth/sample.yaml 
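Review bot: The new sample leaves `universalAuth`, `kubernetesAuth`, `awsIamAuth`, `ldapAuth`, `azureAuth`, `gcpIdTokenAuth` and `gcpIamAuth` all active under `authentication:` at the same time, while the same hunk deletes the guidance `# Make sure to only have 1 authentication method defined` that warned this may cause issues, so anyone applying the sample as-is gets an ambiguous spec. Comment out every block except the one being demonstrated and restore that guidance comment directly under `authentication:`. The hunk also replaces the correct `Whether` in the `recursive` comment with the typo `Wether`; keep the original spelling.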
@@ -1,28 +1,32 @@ apiVersion: secrets.infisical.com/v1alpha1 kind: InfisicalSecret metadata: - name: infisicalsecret-sample - labels: - label-to-be-passed-to-managed-secret: sample-value - annotations: - example.com/annotation-to-be-passed-to-managed-secret: "sample-value" + name: infisicalsecret-sample + labels: + label-to-be-passed-to-managed-secret: sample-value + annotations: + example.com/annotation-to-be-passed-to-managed-secret: "sample-value" spec: - hostAPI: http://localhost:8085/api - resyncInterval: 10 - authentication: - # Universal Auth - universalAuth: - secretsScope: - projectSlug: test-j7-kx - envSlug: dev # "dev", "staging", "prod", etc.. - secretsPath: "/" # Root is "/" - recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false - credentialsRef: - secretName: universal-auth-credentials - secretNamespace: default + hostAPI: https://app.infisical.com/api + resyncInterval: 10 + authentication: + # Native Kubernetes Auth + kubernetesAuth: + identityId: <> + serviceAccountRef: + name: infisical-auth + namespace: default - managedSecretReference: - secretName: managed-secret-k8s - secretNamespace: default - creationPolicy: "Orphan" ## Owner | Orphan - # secretType: kubernetes.io/dockerconfigjson + # secretsScope is identical to the secrets scope in the universalAuth field in this sample. + secretsScope: + projectSlug: dsf-gpb-t + envSlug: dev + secretsPath: "/" + recursive: true + + + managedSecretReference: + secretName: managed-secret-k8s + secretNamespace: default + creationPolicy: "Orphan" ## Owner | Orphan + # secretType: kubernetes.io/dockerconfigjson \ No newline at end of file diff --git a/k8-operator/config/samples/universalAuthIdentitySecret.yaml b/k8-operator/config/samples/universalAuthIdentitySecret.yaml index 723c62a701..741de34ee8 100644 --- a/k8-operator/config/samples/universalAuthIdentitySecret.yaml 
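Review bot: `projectSlug: dsf-gpb-t` looks like a concrete slug copied from a workspace rather than a placeholder, and it sits next to a production `hostAPI: https://app.infisical.com/api`; use `projectSlug: your-project-slug` as the other samples in this diff do (the CRD sample's `hello-9zkr` has the same problem). The added comment `# secretsScope is identical to the secrets scope in the universalAuth field in this sample.` no longer holds, because this hunk removes the `universalAuth` block from the file; reword it to `# secretsScope selects the project, environment and path to sync.`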
+++ b/k8-operator/config/samples/universalAuthIdentitySecret.yaml
@@ -4,5 +4,5 @@ metadata:
 name: universal-auth-credentials
 type: Opaque
 stringData:
- clientId: your-client-id-here
- clientSecret: your-client-secret-here
+ clientId: your-client-id-here
+ clientSecret: your-client-secret-here
\ No newline at end of file
diff --git a/k8-operator/internal/api/models.go b/k8-operator/internal/api/models.go
index 870c8d4523..49e1a8c8ce 100644
--- a/k8-operator/internal/api/models.go
+++ b/k8-operator/internal/api/models.go
@@ -207,19 +207,19 @@ type GetProjectByIDResponse struct {
 Project model.Project `json:"workspace"`
 }
 
-type SubProjectEventsRequestRegister struct {
- Event string `json:"event"`
- Conditions *SubProjectEventsRequestCondition `json:"conditions"`
+type SubscribeProjectEventsRequestRegister struct {
+ Event string `json:"event"`
+ Conditions *SubscribeProjectEventsRequestCondition `json:"conditions"`
 }
 
-type SubProjectEventsRequestCondition struct {
+type SubscribeProjectEventsRequestCondition struct {
 EnvironmentSlug string `json:"environmentSlug"`
 SecretPath string `json:"secretPath"`
 }
 
-type SubProjectEventsRequest struct {
- ProjectID string `json:"projectId"`
- Register []SubProjectEventsRequestRegister `json:"register"`
+type SubscribeProjectEventsRequest struct {
+ ProjectID string `json:"projectId"`
+ Register []SubscribeProjectEventsRequestRegister `json:"register"`
 }
 
-type SubProjectEventsResponse struct{}
+type SubscribeProjectEventsResponse struct{}
diff --git a/k8-operator/internal/controller/infisicalsecret_controller.go b/k8-operator/internal/controller/infisicalsecret_controller.go
index 7154cd0f34..7a6b3497e7 100644
--- a/k8-operator/internal/controller/infisicalsecret_controller.go
+++ b/k8-operator/internal/controller/infisicalsecret_controller.go
@@ -79,8 +79,6 @@ func (r *InfisicalSecretReconciler) GetLogger(req ctrl.Request) logr.Logger { func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { logger := r.GetLogger(req) - logger.Info("Reconcile called") - var infisicalSecretCRD secretsv1alpha1.InfisicalSecret requeueTime := time.Minute // seconds diff --git a/k8-operator/internal/services/infisicalsecret/reconciler.go b/k8-operator/internal/services/infisicalsecret/reconciler.go index 060677926b..6382f9dc73 100644 --- a/k8-operator/internal/services/infisicalsecret/reconciler.go +++ b/k8-operator/internal/services/infisicalsecret/reconciler.go @@ -567,7 +567,7 @@ func (r *InfisicalSecretReconciler) OpenInstantUpdatesStream(ctx context.Context envSlug := variables.AuthDetails.MachineIdentityScope.EnvSlug infiscalClient := variables.InfisicalClient - conn := variables.ServerSentEvents + sseRegistry := variables.ServerSentEvents token := infiscalClient.Auth().GetAccessToken() @@ -581,14 +581,14 @@ func (r *InfisicalSecretReconciler) OpenInstantUpdatesStream(ctx context.Context secretsPath = fmt.Sprint(secretsPath, "**") } - conditions := &api.SubProjectEventsRequestCondition{ + conditions := &api.SubscribeProjectEventsRequestCondition{ SecretPath: secretsPath, EnvironmentSlug: envSlug, } - body, err := json.Marshal(api.SubProjectEventsRequest{ + body, err := json.Marshal(api.SubscribeProjectEventsRequest{ ProjectID: project.ID, - Register: []api.SubProjectEventsRequestRegister{ + Register: []api.SubscribeProjectEventsRequestRegister{ { Event: "secret:create", Conditions: conditions, 
@@ -612,7 +612,7 @@ func (r *InfisicalSecretReconciler) OpenInstantUpdatesStream(ctx context.Context
 return fmt.Errorf("CallSubscribeProjectEvents: unable to marshal body [err=%s]", err)
 }
 
- events, errors, err := conn.Subscribe(func() (*http.Request, error) {
+ events, errors, err := sseRegistry.Subscribe(func() (*http.Request, error) {
 headers := map[string]string{
 "User-Agent": api.USER_AGENT_NAME,
 "Authorization": fmt.Sprint("Bearer ", token),
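Review bot: The request factory handed to `sseRegistry.Subscribe` captures `token`, which the hunk at @@ -567 reads once via `infiscalClient.Auth().GetAccessToken()` before subscribing, so if `Subscribe` re-invokes the factory to reconnect after the stream drops it will present whatever token was current at the first call; if the SDK refreshes tokens internally, build the header at call time instead, `"Authorization": fmt.Sprint("Bearer ", infiscalClient.Auth().GetAccessToken()),`. The same line names the second return value `errors`, which shadows the standard `errors` package for the rest of the function if that package is imported here; `errCh` would avoid the collision. `OpenInstantUpdatesStream` starts and ends outside the hunk.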