|
|
|
|
@@ -156,157 +156,420 @@ spec:
|
|
|
|
|
<Accordion title="authentication.kubernetesAuth">
|
|
|
|
|
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
|
|
|
|
|
|
|
|
|
|
<Steps>
|
|
|
|
|
<Step title="Obtaining the token reviewer JWT for Infisical">
|
|
|
|
|
1.1. Start by creating a service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.
|
|
|
|
|
<Tabs>
|
|
|
|
|
<Tab title="Short-lived service account tokens (Recommended)">
|
|
|
|
|
Short-lived service account tokens are automatically created by the operator and are valid only for a short period of time. This is the recommended approach for using Kubernetes auth in the Infisical Secrets Operator.
|
|
|
|
|
|
|
|
|
|
```yaml infisical-service-account.yaml
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: ServiceAccount
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-auth
|
|
|
|
|
namespace: default
|
|
|
|
|
<Steps>
|
|
|
|
|
<Step title="Obtaining the token reviewer JWT for Infisical">
|
|
|
|
|
**1.1.** Start by creating a reviewer service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
```yaml infisical-reviewer-service-account.yaml
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: ServiceAccount
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-token-reviewer
|
|
|
|
|
namespace: default
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
kubectl apply -f infisical-service-account.yaml
|
|
|
|
|
```
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1.2. Bind the service account to the `system:auth-delegator` cluster role. As described [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles), this role allows delegated authentication and authorization checks, specifically for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/). You can apply the following configuration file:
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f infisical-reviewer-service-account.yaml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```yaml cluster-role-binding.yaml
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
kind: ClusterRoleBinding
|
|
|
|
|
metadata:
|
|
|
|
|
name: role-tokenreview-binding
|
|
|
|
|
namespace: default
|
|
|
|
|
roleRef:
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
name: system:auth-delegator
|
|
|
|
|
subjects:
|
|
|
|
|
- kind: ServiceAccount
|
|
|
|
|
name: infisical-auth
|
|
|
|
|
namespace: default
|
|
|
|
|
```
|
|
|
|
|
**1.2.** Bind the reviewer service account to the `system:auth-delegator` cluster role. As described [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles), this role allows delegated authentication and authorization checks, specifically for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/). You can apply the following configuration file:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
kubectl apply -f cluster-role-binding.yaml
|
|
|
|
|
```
|
|
|
|
|
```yaml infisical-reviewer-cluster-role-binding.yaml
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
kind: ClusterRoleBinding
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-token-reviewer-role-binding
|
|
|
|
|
namespace: default
|
|
|
|
|
roleRef:
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
name: system:auth-delegator
|
|
|
|
|
subjects:
|
|
|
|
|
- kind: ServiceAccount
|
|
|
|
|
name: infisical-token-reviewer
|
|
|
|
|
namespace: default
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new `Secret` resource:
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f infisical-reviewer-cluster-role-binding.yaml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```yaml service-account-token.yaml
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
type: kubernetes.io/service-account-token
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-auth-token
|
|
|
|
|
annotations:
|
|
|
|
|
kubernetes.io/service-account.name: "infisical-auth"
|
|
|
|
|
```
|
|
|
|
|
**1.3.** Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new `Secret` resource:
|
|
|
|
|
|
|
|
|
|
```yaml service-account-reviewer-token.yaml
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
type: kubernetes.io/service-account-token
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-token-reviewer-token
|
|
|
|
|
annotations:
|
|
|
|
|
kubernetes.io/service-account.name: "infisical-token-reviewer"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
kubectl apply -f service-account-token.yaml
|
|
|
|
|
```
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f service-account-reviewer-token.yaml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1.4. Link the secret in step 1.3 to the service account in step 1.1:
|
|
|
|
|
**1.4.** Link the secret in step 1.3 to the service account in step 1.1:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl patch serviceaccount infisical-auth -p '{"secrets": [{"name": "infisical-auth-token"}]}' -n default
|
|
|
|
|
```
|
|
|
|
|
```bash
|
|
|
|
|
kubectl patch serviceaccount infisical-token-reviewer -p '{"secrets": [{"name": "infisical-token-reviewer-token"}]}' -n default
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1.5. Finally, retrieve the token reviewer JWT token from the secret.
|
|
|
|
|
**1.5.** Finally, retrieve the token reviewer JWT token from the secret.
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl get secret infisical-auth-token -n default -o=jsonpath='{.data.token}' | base64 --decode
|
|
|
|
|
```
|
|
|
|
|
```bash
|
|
|
|
|
kubectl get secret infisical-token-reviewer-token -n default -o=jsonpath='{.data.token}' | base64 --decode
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Keep this JWT token handy as you will need it for the **Token Reviewer JWT** field when configuring the Kubernetes Auth authentication method for the identity in step 2.
|
|
|
|
|
Keep this JWT token handy as you will need it for the **Token Reviewer JWT** field when configuring the Kubernetes Auth authentication method for the identity in step 2.
|
|
|
|
|
</Step>
|
|
|
|
|
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Creating an identity">
|
|
|
|
|
To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
|
|
|
|
|
|
|
|
|
|
<Step title="Creating an identity">
|
|
|
|
|
To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
|
|
|
|
|
|
|
|
|
|
When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Now input a few details for your new identity. Here's some guidance for each field:
|
|
|
|
|
|
|
|
|
|
Now input a few details for your new identity. Here's some guidance for each field:
|
|
|
|
|
- Name (required): A friendly name for the identity.
|
|
|
|
|
- Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
|
|
|
|
|
|
|
|
|
|
- Name (required): A friendly name for the identity.
|
|
|
|
|
- Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
|
|
|
|
|
Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **Kubernetes Auth**.
|
|
|
|
|
|
|
|
|
|
Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **Kubernetes Auth**.
|
|
|
|
|
<Info>
|
|
|
|
|
To learn more about each field of the Kubernetes native authentication method, see step 2 of [guide](/documentation/platform/identities/kubernetes-auth#guide).
|
|
|
|
|
</Info>
|
|
|
|
|
|
|
|
|
|
<Info>
|
|
|
|
|
To learn more about each field of the Kubernetes native authentication method, see step 2 of [guide](/documentation/platform/identities/kubernetes-auth#guide).
|
|
|
|
|
</Info>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Adding an identity to a project">
|
|
|
|
|
To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Adding an identity to a project">
|
|
|
|
|
To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.
|
|
|
|
|
|
|
|
|
|
To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
|
|
|
|
|
To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
|
|
|
|
|
|
|
|
|
|
Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
|
|
|
|
|
Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Add your identity ID & service account to your InfisicalSecret resource">
|
|
|
|
|
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource.
|
|
|
|
|
In the `authentication.kubernetesAuth.identityId` field, add the identity ID of the machine identity you created.
|
|
|
|
|
See the example below for more details.
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Add your Kubernetes service account token to the InfisicalSecret resource">
|
|
|
|
|
Add the service account details from the previous steps under `authentication.kubernetesAuth.serviceAccountRef`.
|
|
|
|
|
Here you will need to enter the name and namespace of the service account.
|
|
|
|
|
The example below shows a complete InfisicalSecret resource with all required fields defined.
|
|
|
|
|
</Step>
|
|
|
|
|
</Step>
|
|
|
|
|
|
|
|
|
|
</Steps>
|
|
|
|
|
<Step title="Create a new Kubernetes service account to authenticate with Infisical">
|
|
|
|
|
You have already created the reviewer service account in step **1.1**. Now, create a new Kubernetes service account that will be used to authenticate with Infisical.
|
|
|
|
|
This service account will create short-lived tokens that will be used to authenticate with Infisical. The operator itself will handle the creation of these tokens automatically.
|
|
|
|
|
|
|
|
|
|
<Info>
|
|
|
|
|
Make sure to also populate the `secretsScope` field with the project slug
|
|
|
|
|
_`projectSlug`_, environment slug _`envSlug`_, and secrets path
|
|
|
|
|
_`secretsPath`_ that you want to fetch secrets from. Please see the example
|
|
|
|
|
below.
|
|
|
|
|
</Info>
|
|
|
|
|
```yaml infisical-service-account.yaml
|
|
|
|
|
kind: ServiceAccount
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-service-account
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Example
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f infisical-service-account.yaml -n default
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```yaml example-kubernetes-auth.yaml
|
|
|
|
|
apiVersion: secrets.infisical.com/v1alpha1
|
|
|
|
|
kind: InfisicalSecret
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisicalsecret-sample-crd
|
|
|
|
|
spec:
|
|
|
|
|
authentication:
|
|
|
|
|
kubernetesAuth:
|
|
|
|
|
identityId: <machine-identity-id>
|
|
|
|
|
serviceAccountRef:
|
|
|
|
|
name: <service-account-name>
|
|
|
|
|
namespace: <service-account-namespace>
|
|
|
|
|
</Step>
|
|
|
|
|
|
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
|
|
|
secretsScope:
|
|
|
|
|
projectSlug: your-project-slug
|
|
|
|
|
envSlug: prod
|
|
|
|
|
secretsPath: "/path"
|
|
|
|
|
recursive: true
|
|
|
|
|
...
|
|
|
|
|
```
|
|
|
|
|
<Step title="Add your identity ID & service account to your InfisicalSecret resource">
|
|
|
|
|
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource.
|
|
|
|
|
In the `authentication.kubernetesAuth.identityId` field, add the identity ID of the machine identity you created.
|
|
|
|
|
See the example below for more details.
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Add your Kubernetes service account token to the InfisicalSecret resource">
|
|
|
|
|
Add the service account details from the previous steps under `authentication.kubernetesAuth.serviceAccountRef`.
|
|
|
|
|
Here you will need to enter the name and namespace of the service account.
|
|
|
|
|
The example below shows a complete InfisicalSecret resource with all required fields defined.
|
|
|
|
|
Make sure you set `authentication.kubernetesAuth.autoCreateServiceAccountToken` to `true` to automatically create short-lived service account tokens for the service account.
|
|
|
|
|
</Step>
|
|
|
|
|
</Steps>
|
|
|
|
|
|
|
|
|
|
<Info>
|
|
|
|
|
Make sure to also populate the `secretsScope` field with the project slug
|
|
|
|
|
_`projectSlug`_, environment slug _`envSlug`_, and secrets path
|
|
|
|
|
_`secretsPath`_ that you want to fetch secrets from. Please see the example
|
|
|
|
|
below.
|
|
|
|
|
</Info>
|
|
|
|
|
|
|
|
|
|
## Example
|
|
|
|
|
|
|
|
|
|
```yaml example-kubernetes-auth.yaml
|
|
|
|
|
apiVersion: secrets.infisical.com/v1alpha1
|
|
|
|
|
kind: InfisicalSecret
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisicalsecret-sample-crd
|
|
|
|
|
spec:
|
|
|
|
|
authentication:
|
|
|
|
|
kubernetesAuth:
|
|
|
|
|
identityId: <machine-identity-id>
|
|
|
|
|
autoCreateServiceAccountToken: true # Automatically creates short-lived service account tokens for the service account.
|
|
|
|
|
serviceAccountTokenAudiences:
|
|
|
|
|
- <audience> # Optionally specify audience for the service account token. No audience is specified by default.
|
|
|
|
|
serviceAccountRef:
|
|
|
|
|
name: infisical-service-account # The service account we just created in the previous step.
|
|
|
|
|
namespace: <service-account-namespace>
|
|
|
|
|
|
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
|
|
|
secretsScope:
|
|
|
|
|
projectSlug: your-project-slug
|
|
|
|
|
envSlug: prod
|
|
|
|
|
secretsPath: "/path"
|
|
|
|
|
recursive: true
|
|
|
|
|
...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
</Tab>
|
|
|
|
|
<Tab title="Manual long-lived service account tokens">
|
|
|
|
|
Manual long-lived service account tokens are manually created by the user and are valid indefinitely unless deleted or rotated. In most cases, you should be using the automatic short-lived service account tokens as they are more secure and easier to use.
|
|
|
|
|
<Steps>
|
|
|
|
|
<Step title="Obtaining the token reviewer JWT for Infisical">
|
|
|
|
|
**1.1.** Start by creating a reviewer service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.
|
|
|
|
|
|
|
|
|
|
```yaml infisical-reviewer-service-account.yaml
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: ServiceAccount
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-token-reviewer
|
|
|
|
|
namespace: default
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f infisical-reviewer-service-account.yaml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**1.2.** Bind the reviewer service account to the `system:auth-delegator` cluster role. As described [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles), this role allows delegated authentication and authorization checks, specifically for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/). You can apply the following configuration file:
|
|
|
|
|
|
|
|
|
|
```yaml infisical-reviewer-cluster-role-binding.yaml
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
kind: ClusterRoleBinding
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-token-reviewer-role-binding
|
|
|
|
|
namespace: default
|
|
|
|
|
roleRef:
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
name: system:auth-delegator
|
|
|
|
|
subjects:
|
|
|
|
|
- kind: ServiceAccount
|
|
|
|
|
name: infisical-token-reviewer
|
|
|
|
|
namespace: default
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f infisical-reviewer-cluster-role-binding.yaml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**1.3.** Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new `Secret` resource:
|
|
|
|
|
|
|
|
|
|
```yaml service-account-reviewer-token.yaml
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
type: kubernetes.io/service-account-token
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-token-reviewer-token
|
|
|
|
|
annotations:
|
|
|
|
|
kubernetes.io/service-account.name: "infisical-token-reviewer"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f service-account-reviewer-token.yaml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**1.4.** Link the secret in step 1.3 to the service account in step 1.1:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl patch serviceaccount infisical-token-reviewer -p '{"secrets": [{"name": "infisical-token-reviewer-token"}]}' -n default
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**1.5.** Finally, retrieve the token reviewer JWT token from the secret.
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl get secret infisical-token-reviewer-token -n default -o=jsonpath='{.data.token}' | base64 --decode
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Keep this JWT token handy as you will need it for the **Token Reviewer JWT** field when configuring the Kubernetes Auth authentication method for the identity in step 2.
|
|
|
|
|
</Step>
|
|
|
|
|
|
|
|
|
|
<Step title="Creating an identity">
|
|
|
|
|
To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Now input a few details for your new identity. Here's some guidance for each field:
|
|
|
|
|
|
|
|
|
|
- Name (required): A friendly name for the identity.
|
|
|
|
|
- Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
|
|
|
|
|
|
|
|
|
|
Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **Kubernetes Auth**.
|
|
|
|
|
|
|
|
|
|
<Info>
|
|
|
|
|
To learn more about each field of the Kubernetes native authentication method, see step 2 of [guide](/documentation/platform/identities/kubernetes-auth#guide).
|
|
|
|
|
</Info>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Adding an identity to a project">
|
|
|
|
|
To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.
|
|
|
|
|
|
|
|
|
|
To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
|
|
|
|
|
|
|
|
|
|
Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</Step>
|
|
|
|
|
|
|
|
|
|
<Step title="Create a new Kubernetes service account to authenticate with Infisical">
|
|
|
|
|
You have already created the reviewer service account in step **1.1**. Now, create a new Kubernetes service account that will be used to authenticate with Infisical.
|
|
|
|
|
|
|
|
|
|
```yaml infisical-service-account.yaml
|
|
|
|
|
kind: ServiceAccount
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-service-account
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f infisical-service-account.yaml -n default
|
|
|
|
|
```
|
|
|
|
|
</Step>
|
|
|
|
|
|
|
|
|
|
<Step title="Create a service account token for the Kubernetes service account">
|
|
|
|
|
Create a service account token for the newly created Kubernetes service account from the previous step.
|
|
|
|
|
|
|
|
|
|
```yaml infisical-service-account-token.yaml
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
type: kubernetes.io/service-account-token
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisical-service-account-token
|
|
|
|
|
annotations:
|
|
|
|
|
kubernetes.io/service-account.name: "infisical-service-account"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl apply -f infisical-service-account-token.yaml -n default
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Patch the service account with the newly created service account token.
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
kubectl patch serviceaccount infisical-service-account -p '{"secrets": [{"name": "infisical-service-account-token"}]}' -n default
|
|
|
|
|
```
|
|
|
|
|
</Step>
|
|
|
|
|
|
|
|
|
|
<Step title="Add your identity ID & service account to your InfisicalSecret resource">
|
|
|
|
|
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource.
|
|
|
|
|
In the `authentication.kubernetesAuth.identityId` field, add the identity ID of the machine identity you created.
|
|
|
|
|
See the example below for more details.
|
|
|
|
|
</Step>
|
|
|
|
|
<Step title="Add your Kubernetes service account token to the InfisicalSecret resource">
|
|
|
|
|
Add the service account details from the previous steps under `authentication.kubernetesAuth.serviceAccountRef`.
|
|
|
|
|
Here you will need to enter the name and namespace of the service account.
|
|
|
|
|
The example below shows a complete InfisicalSecret resource with all required fields defined.
|
|
|
|
|
</Step>
|
|
|
|
|
</Steps>
|
|
|
|
|
|
|
|
|
|
<Info>
|
|
|
|
|
Make sure to also populate the `secretsScope` field with the project slug
|
|
|
|
|
_`projectSlug`_, environment slug _`envSlug`_, and secrets path
|
|
|
|
|
_`secretsPath`_ that you want to fetch secrets from. Please see the example
|
|
|
|
|
below.
|
|
|
|
|
</Info>
|
|
|
|
|
|
|
|
|
|
## Example
|
|
|
|
|
|
|
|
|
|
```yaml example-kubernetes-auth.yaml
|
|
|
|
|
apiVersion: secrets.infisical.com/v1alpha1
|
|
|
|
|
kind: InfisicalSecret
|
|
|
|
|
metadata:
|
|
|
|
|
name: infisicalsecret-sample-crd
|
|
|
|
|
spec:
|
|
|
|
|
authentication:
|
|
|
|
|
kubernetesAuth:
|
|
|
|
|
identityId: <machine-identity-id>
|
|
|
|
|
serviceAccountRef:
|
|
|
|
|
name: infisical-service-account # The service account we just created in the previous step. (*not* the reviewer service account)
|
|
|
|
|
namespace: <service-account-namespace>
|
|
|
|
|
|
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
|
|
|
secretsScope:
|
|
|
|
|
projectSlug: your-project-slug
|
|
|
|
|
envSlug: prod
|
|
|
|
|
secretsPath: "/path"
|
|
|
|
|
recursive: true
|
|
|
|
|
...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</Tab>
|
|
|
|
|
</Tabs>
|
|
|
|
|
|
|
|
|
|
</Accordion>
|
|
|
|
|
|
|
|
|
|
|
Daniel Hougaard