misc: added helm support for auto bootstrap

2026-01-09 15:38:03 -05:00 · 2025-06-19 02:12:08 +08:00
parent 2b8220a71b
commit 3276853427
5 changed files with 201 additions and 1 deletions
--- a/helm-charts/infisical-standalone-postgres/templates/bootstrap-job.yaml
+++ b/helm-charts/infisical-standalone-postgres/templates/bootstrap-job.yaml
@@ -0,0 +1,57 @@
+{{- $infisicalValues := .Values.infisical }}
+{{- if $infisicalValues.autoBootstrap.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-bootstrap-{{ .Release.Revision }}"
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": before-hook-creation
+  labels:
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      name: "{{ .Release.Name }}-bootstrap"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      serviceAccountName: {{ include "infisical.serviceAccountName" . }}
+    {{- if $infisicalValues.image.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml $infisicalValues.image.imagePullSecrets | nindent 6 }}
+    {{- end }}
+      restartPolicy: OnFailure
+      initContainers:
+      - name: wait-for-infisical
+        image: curlimages/curl:8.14.1
+        command: ['sh', '-c']
+        args:
+        - |
+          echo "Waiting for Infisical to be ready..."
+          until curl -f http://{{ include "infisical.fullname" . }}:8080/api/status; do
+            echo "Infisical not ready yet, retrying in 10 seconds..."
+            sleep 10
+          done
+          echo "Infisical is ready! Proceeding with bootstrap..."
+      containers:
+        - name: infisical-bootstrap
+          image: "infisical/cli:{{ $infisicalValues.image.tag }}"
+          imagePullPolicy: {{ $infisicalValues.image.pullPolicy | default "IfNotPresent" }}
+          args:
+            - bootstrap
+            - --domain=http://{{ include "infisical.fullname" . }}:8080
+            - --output=k8-secret
+            - --k8-secret-name={{ $infisicalValues.autoBootstrap.secretDestination.name }}
+            - --k8-secret-namespace={{ $infisicalValues.autoBootstrap.secretDestination.namespace | default .Release.Namespace }}
+            - --organization={{ $infisicalValues.autoBootstrap.organization }}
+            - --k8-secret-template={{ $infisicalValues.autoBootstrap.secretTemplate }}
+            - --ignore-if-bootstrapped=true
+          envFrom:
+            - secretRef:
+                name: {{ $infisicalValues.autoBootstrap.credentialSecret.name }}
+{{- end }}
--- a/helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml
+++ b/helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml
@@ -39,4 +39,34 @@ subjects:
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: {{ include "infisical.roleName" . }}
+  name: {{ include "infisical.roleName" . }}
+---
+{{- if .Values.infisical.autoBootstrap.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "infisical.roleName" . }}-bootstrap
+  namespace: {{ .Values.infisical.autoBootstrap.secretDestination.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "infisical.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "infisical.roleBindingName" . }}-bootstrap
+  namespace: {{ .Values.infisical.autoBootstrap.secretDestination.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "infisical.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "infisical.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "infisical.roleName" . }}-bootstrap
+{{- end }}
--- a/helm-charts/infisical-standalone-postgres/values.yaml
+++ b/helm-charts/infisical-standalone-postgres/values.yaml
@@ -13,6 +13,31 @@ infisical:
  # -- Automatically migrates new database schema when deploying
  autoDatabaseSchemaMigration: true

+  autoBootstrap:
+    # -- Enable auto-bootstrap of the Infisical instance
+    enabled: false
+
+    image:
+      # -- Infisical Infisical CLI image tag version
+      tag: "0.41.86"
+
+    # -- Template for the data/stringData section of the Kubernetes secret. Available functions: b64enc
+    secretTemplate: '{"data":{"token":"{{.Identity.Credentials.Token | b64enc}}"}}'
+
+    secretDestination:
+      # -- Name of the bootstrap secret to create in the Kubernetes cluster which will store the formatted root identity credentials
+      name: "infisical-bootstrap-secret"
+
+      # -- Namespace to create the bootstrap secret in. If not provided, the secret will be created in the same namespace as the release.
+      namespace: "default"
+
+    # -- Infisical organization to create in the Infisical instance during auto-bootstrap
+    organization: "default-org"
+
+    credentialSecret:
+      # -- Name of the Kubernetes secret containing the credentials for the auto-bootstrap workflow
+      name: "infisical-bootstrap-credentials"
+
  databaseSchemaMigrationJob:
    image:
      # -- Image repository for migration wait job