chore: Add infisical

kubernetes/apps/security/infisical/app.ks.yaml

@@ -0,0 +1,24 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app infisical
+  namespace: &namespace security
+spec:
+  targetNamespace: *namespace
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/security/infisical/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  postBuild:
+    substituteFrom:
+      - name: cluster-secrets
+        kind: Secret

kubernetes/apps/security/infisical/app/helmrelease.yaml

@@ -0,0 +1,69 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: infisical
+spec:
+  interval: 1h
+  chartRef:
+    kind: OCIRepository
+    name: infisical
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  valuesFrom:
+    - kind: Secret
+      name: infisical-secret
+      valuesKey: encryptionKey
+      targetPath: infisical.encryptionKey
+    - kind: Secret
+      name: infisical-secret
+      valuesKey: authSecret
+      targetPath: infisical.authSecret
+    - kind: Secret
+      name: infisical-secret
+      valuesKey: dbPassword
+      targetPath: postgresql.auth.password
+  values:
+    fullnameOverride: infisical
+    infisical:
+      enabled: true
+      name: infisical
+      podAnnotations:
+        reloader.stakater.com/auto: "true"
+    frontend:
+      enabled: true
+      name: infisical-frontend
+      image:
+        repository: infisical/frontend
+        tag: v0.112.0
+        pullPolicy: IfNotPresent
+      service:
+        type: ClusterIP
+        port: 80
+    backend:
+      enabled: true
+      name: infisical-backend
+      image:
+        repository: infisical/backend
+        tag: v0.112.0
+        pullPolicy: IfNotPresent
+      service:
+        type: ClusterIP
+        port: 4000
+    postgresql:
+      enabled: true
+      auth:
+        username: infisical
+        database: infisical
+    redis:
+      enabled: true
+      auth:
+        enabled: false

kubernetes/apps/security/infisical/app/httproute.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  labels:
+    app.kubernetes.io/instance: infisical
+    app.kubernetes.io/name: infisical
+    app.kubernetes.io/part-of: infisical
+  name: infisical
+spec:
+  hostnames:
+    - "{{ .Release.Name }}.${SECRET_DOMAIN}"
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: envoy-internal
+      namespace: network
+  rules:
+    - backendRefs:
+        - name: infisical-frontend
+          port: 80

kubernetes/apps/security/infisical/app/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./httproute.yaml
+  - ./ocirepository.yaml
+  - ./secret.sops.yaml

kubernetes/apps/security/infisical/app/ocirepository.yaml

@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: infisical
+spec:
+  interval: 1h
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+  ref:
+    tag: 0.10.2
+  url: oci://registry-1.docker.io/infisical/helm-charts/infisical

kubernetes/apps/security/infisical/app/secret.sops.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: infisical-secret
+type: Opaque
+stringData:
+    encryptionKey: ENC[AES256_GCM,data:cNaAqCxdQE5meUoml4R8Ii5tztvmSJJ2td9StVTDHKE=,iv:6rPAL5kXj6V9NrVVSmjpflClZl4UlViH3Tz5mwDbX1o=,tag:5F9fLW6luASQl4+JKLxjew==,type:str]
+    authSecret: ENC[AES256_GCM,data:3hADiy5vLh9uo74jGuqdTgynuqsrBMAtwvcbbPCg86A=,iv:NlP1kvKZd3EdJ0m3s/TMr0+rDSS1GU3DchZqBM7vm/Y=,tag:YpcRppitTtZhGruW7qQE9w==,type:str]
+    dbPassword: ENC[AES256_GCM,data:22uf5hnP+E+DvKvW3PvtcR7WRNcoJTifJOkq5aug97k=,iv:29mY7o4tAs4zkREJS5JwIQnUQmNJ5iHfFGEWMN8R43M=,tag:tgDrF6aWeMbIjkETlf0B8g==,type:str]
+sops:
+    age:
+        - recipient: age1yzrqhl9dk8ljswpmzsqme3enad5kxxhsptdvecy3lwlq0ms80gaqxrctst
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvK2NQczMxUy9PME5IN2Er
+            Q0hQNGxZQjBBeDBRT2ZiOG5FVHhHRFl0Wkc0CkRyL2JVcDJUbk9YZmNKaW14N1lu
+            UGUreXlCMTVTRjZJT0U5c1dMd3FtNlEKLS0tIG4xclFDeGEwOW14RWJvSVJacUk3
+            dkk2SHpZNzd1UzRWR3cwZ1RjbGluaHcK8aIyAZ5t/vdYcQcF3QHLQ2XPPKJv6QjJ
+            XsJ/hWxJW7bwlL3/LHhBfJBBqd/RDFQ4GooQkZ/YWsK3MnV9P8l5/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-24T18:00:21Z"
+    mac: ENC[AES256_GCM,data:95O/ulpjlExnMXa1I/K02UzJXYpQd8SxbeNUTfOiAEbAI2DRKaHs5QDybsCDxJza5izGJJN1g8S299WlunxYeoB66FNn2YcyeySDohpG4eqLwX9ivDUscsv1nyK1/fa3BrkedT8hz1klAyaig4WwnyhjHcjxT8lMNN/v2WkPAWU=,iv:kgCOh7Be5ImdlUn3PhXjgPXGG2vyvRVeO+Qi2Aoytk8=,tag:bPb182wTMQVV9vODLT//YQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    mac_only_encrypted: true
+    version: 3.12.1

kubernetes/apps/security/infisical/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./app.ks.yaml

kubernetes/apps/security/kustomization.yaml

@@ -1,10 +1,11 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: system-upgrade
+namespace: security
 
 resources:
   - ./namespace.yaml
+  - ./infisical
 
 # External secrets should be implemented.
 # Most popular is 1password, but it's paid