mirror of
https://github.com/Infisical/infisical.git
synced 2026-01-08 23:18:05 -05:00
115 lines
3.7 KiB
YAML
115 lines
3.7 KiB
YAML
apiVersion: secrets.infisical.com/v1alpha1
|
|
kind: InfisicalSecret
|
|
metadata:
|
|
name: infisicalsecret-sample
|
|
labels:
|
|
label-to-be-passed-to-managed-secret: sample-value
|
|
annotations:
|
|
example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
|
|
spec:
|
|
hostAPI: https://app.infisical.com/api
|
|
resyncInterval: 10
|
|
# tls:
|
|
# caRef:
|
|
# secretName: custom-ca-certificate
|
|
# secretNamespace: default
|
|
# key: ca.crt
|
|
authentication:
|
|
# Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
|
|
# If you have multiple authentication methods defined, it may cause issues.
|
|
|
|
# (Deprecated) Service Token Auth
|
|
serviceToken:
|
|
serviceTokenSecretReference:
|
|
secretName: service-token
|
|
secretNamespace: default
|
|
secretsScope:
|
|
envSlug: <env-slug>
|
|
secretsPath: <secrets-path>
|
|
recursive: true
|
|
|
|
# Universal Auth
|
|
universalAuth:
|
|
secretsScope:
|
|
projectSlug: new-ob-em
|
|
envSlug: dev # "dev", "staging", "prod", etc..
|
|
secretsPath: "/" # Root is "/"
|
|
recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
|
|
credentialsRef:
|
|
secretName: universal-auth-credentials
|
|
secretNamespace: default
|
|
|
|
# Native Kubernetes Auth
|
|
kubernetesAuth:
|
|
identityId: <machine-identity-id>
|
|
serviceAccountTokenPath: "/path/to/your/service-account/token" # Optional, defaults to /var/run/secrets/kubernetes.io/serviceaccount/token
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
secretsScope:
|
|
projectSlug: your-project-slug
|
|
envSlug: prod
|
|
secretsPath: "/path"
|
|
recursive: true
|
|
|
|
# AWS IAM Auth
|
|
awsIamAuth:
|
|
identityId: <your-machine-identity-id>
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
secretsScope:
|
|
projectSlug: your-project-slug
|
|
envSlug: prod
|
|
secretsPath: "/path"
|
|
recursive: true
|
|
|
|
# Azure Auth
|
|
azureAuth:
|
|
identityId: <your-machine-identity-id>
|
|
resource: https://management.azure.com/&client_id=your_client_id # This field is optional, and will default to "https://management.azure.com/" if nothing is provided.
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
secretsScope:
|
|
projectSlug: your-project-slug
|
|
envSlug: prod
|
|
secretsPath: "/path"
|
|
recursive: true
|
|
|
|
# GCP ID Token Auth
|
|
gcpIdTokenAuth:
|
|
identityId: <your-machine-identity-id>
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
secretsScope:
|
|
projectSlug: your-project-slug
|
|
envSlug: prod
|
|
secretsPath: "/path"
|
|
recursive: true
|
|
|
|
# GCP IAM Auth
|
|
gcpIamAuth:
|
|
identityId: <your-machine-identity-id>
|
|
serviceAccountKeyFilePath: "/path/to-service-account-key-file-path.json"
|
|
|
|
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
|
|
secretsScope:
|
|
projectSlug: your-project-slug
|
|
envSlug: prod
|
|
secretsPath: "/path"
|
|
recursive: true
|
|
|
|
managedSecretReference:
|
|
secretName: managed-secret
|
|
secretNamespace: default
|
|
template:
|
|
includeAllSecrets: true
|
|
data:
|
|
SSH_KEY: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"
|
|
BINARY_KEY: "{{ decodeBase64ToBytes .BINARY_KEY_BASE64.Value }}"
|
|
creationPolicy: "Orphan" ## Owner | Orphan
|
|
# secretType: kubernetes.io/dockerconfigjson
|
|
|
|
# # To be depreciated soon
|
|
# tokenSecretReference:
|
|
# secretName: service-token
|
|
# secretNamespace: default
|