fix: gateway improvements

2026-01-09 15:38:03 -05:00 · 2025-10-24 15:53:38 +04:00
parent 4c173bfb3a
commit bcb0e8e705
5 changed files with 23 additions and 2 deletions
--- a/backend/src/lib/gateway-v2/gateway-v2.ts
+++ b/backend/src/lib/gateway-v2/gateway-v2.ts
@@ -7,6 +7,7 @@ import https from "https";
 import { verifyHostInputValidity } from "@app/ee/services/dynamic-secret/dynamic-secret-fns";
 import { splitPemChain } from "@app/services/certificate/certificate-fns";

+import { getConfig } from "../config/env";
 import { BadRequestError } from "../errors";
 import { GatewayProxyProtocol } from "../gateway/types";
 import { logger } from "../logger";
@@ -80,6 +81,8 @@ const createGatewayConnection = async (
  gateway: { clientCertificate: string; clientPrivateKey: string; serverCertificateChain: string },
  protocol: GatewayProxyProtocol
 ): Promise<net.Socket> => {
+  const appCfg = getConfig();
+
  const protocolToAlpn = {
    [GatewayProxyProtocol.Http]: "infisical-http-proxy",
    [GatewayProxyProtocol.Tcp]: "infisical-tcp-proxy",
@@ -94,7 +97,8 @@ const createGatewayConnection = async (
    minVersion: "TLSv1.2",
    maxVersion: "TLSv1.3",
    rejectUnauthorized: true,
-    ALPNProtocols: [protocolToAlpn[protocol]]
+    ALPNProtocols: [protocolToAlpn[protocol]],
+    checkServerIdentity: appCfg.isDevelopmentMode ? () => undefined : tls.checkServerIdentity
  };

  return new Promise((resolve, reject) => {
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -719,7 +719,8 @@ export const identityKubernetesAuthServiceFactory = ({
      );
    }

-    const shouldUpdateGatewayId = Boolean(gatewayId);
+    // Strict check to see if gateway ID is undefined. It should update the gateway ID to null if its strictly set to null.
+    const shouldUpdateGatewayId = Boolean(gatewayId !== undefined);
    const gatewayIdValue = isGatewayV1 ? gatewayId : null;
    const gatewayV2IdValue = isGatewayV1 ? null : gatewayId;

--- a/helm-charts/infisical-gateway/templates/serviceaccount-token-reviewer.yaml
+++ b/helm-charts/infisical-gateway/templates/serviceaccount-token-reviewer.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.serviceAccount.createAsAuthDelegator .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: {{ include "infisical-gateway.serviceAccountName" . }}-system-auth-delegator-cluster-rolebinding
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:auth-delegator
+subjects:
+    - kind: ServiceAccount
+      name: {{ include "infisical-gateway.serviceAccountName" . }}
+      namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/helm-charts/infisical-gateway/templates/serviceaccount.yaml
+++ b/helm-charts/infisical-gateway/templates/serviceaccount.yaml
@@ -2,6 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  namespace: {{ .Release.Namespace }}
  name: {{ include "infisical-gateway.serviceAccountName" . }}
  labels:
    {{- include "infisical-gateway.labels" . | nindent 4 }}
--- a/helm-charts/infisical-gateway/values.yaml
+++ b/helm-charts/infisical-gateway/values.yaml
@@ -21,6 +21,7 @@ fullnameOverride: ""
 serviceAccount:
  create: true
  automount: true
+  createAsAuthDelegator: true
  annotations: {}
  name: ""