From 14ab7d1a26466b758e1b80e4f29da6993772f646 Mon Sep 17 00:00:00 2001
From: Laur IVAN <laur.ivan@ec.europa.eu>
Date: Tue, 24 Feb 2026 23:28:41 +0100
Subject: [PATCH] fix(infisical): update chart to 0.4.2, migrate to MongoDB
 schema

---
 .../security/infisical/app/helmrelease.yaml   | 46 ++++++-------------
 .../security/infisical/app/httproute.yaml     |  4 +-
 2 files changed, 15 insertions(+), 35 deletions(-)

diff --git a/kubernetes/apps/security/infisical/app/helmrelease.yaml b/kubernetes/apps/security/infisical/app/helmrelease.yaml
index a70d080..715922a 100644
--- a/kubernetes/apps/security/infisical/app/helmrelease.yaml
+++ b/kubernetes/apps/security/infisical/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: infisical
-      version: 0.10.2
+      version: 0.4.2
       sourceRef:
         kind: HelmRepository
         name: infisical
@@ -23,51 +23,31 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
+  # Map existing secret keys to the new chart's backendEnvironmentVariables paths.
+  # The old chart used infisical.encryptionKey / infisical.authSecret;
+  # the new chart (0.4.x) uses backendEnvironmentVariables.ENCRYPTION_KEY / AUTH_SECRET.
   valuesFrom:
     - kind: Secret
       name: infisical-secret
       valuesKey: encryptionKey
-      targetPath: infisical.encryptionKey
+      targetPath: backendEnvironmentVariables.ENCRYPTION_KEY
     - kind: Secret
       name: infisical-secret
       valuesKey: authSecret
-      targetPath: infisical.authSecret
-    - kind: Secret
-      name: infisical-secret
-      valuesKey: dbPassword
-      targetPath: postgresql.auth.password
+      targetPath: backendEnvironmentVariables.JWT_AUTH_SECRET
   values:
     fullnameOverride: *name
-    infisical:
-      enabled: true
-      name: *name
-      podAnnotations:
-        reloader.stakater.com/auto: "true"
-    frontend:
-      enabled: true
-      name: infisical-frontend
-      image:
-        repository: infisical/frontend
-        tag: v0.112.0
-        pullPolicy: IfNotPresent
-      service:
-        type: ClusterIP
-        port: 80
     backend:
       enabled: true
-      name: infisical-backend
-      image:
-        repository: infisical/backend
-        tag: v0.112.0
-        pullPolicy: IfNotPresent
-      service:
-        type: ClusterIP
-        port: 4000
-    postgresql:
+      replicaCount: 1
+      podAnnotations:
+        reloader.stakater.com/auto: "true"
+    backendEnvironmentVariables:
+      SITE_URL: https://infisical.laurivan.com
+    mongodb:
       enabled: true
       auth:
-        username: *name
-        database: *name
+        enabled: false
     redis:
       enabled: true
       auth:
diff --git a/kubernetes/apps/security/infisical/app/httproute.yaml b/kubernetes/apps/security/infisical/app/httproute.yaml
index e6f73de..a8bc38c 100644
--- a/kubernetes/apps/security/infisical/app/httproute.yaml
+++ b/kubernetes/apps/security/infisical/app/httproute.yaml
@@ -17,5 +17,5 @@ spec:
       namespace: network
   rules:
     - backendRefs:
-        - name: infisical-frontend
-          port: 80
+        - name: infisical-backend
+          port: 8080