diff --git a/kubernetes/apps/security/infisical/app.ks.yaml b/kubernetes/apps/security/infisical/app.ks.yaml
new file mode 100644
index 0000000..f5192b9
--- /dev/null
+++ b/kubernetes/apps/security/infisical/app.ks.yaml
@@ -0,0 +1,24 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app infisical
+ namespace: &namespace security
+spec:
+ targetNamespace: *namespace
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/security/infisical/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ interval: 1h
+ retryInterval: 2m
+ timeout: 5m
+ postBuild:
+ substituteFrom:
+ - name: cluster-secrets
+ kind: Secret
diff --git a/kubernetes/apps/security/infisical/app/helmrelease.yaml b/kubernetes/apps/security/infisical/app/helmrelease.yaml
new file mode 100644
index 0000000..74470c7
--- /dev/null
+++ b/kubernetes/apps/security/infisical/app/helmrelease.yaml
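Review bot: This Flux Kustomization has no `spec.decryption` stanza, yet the path it builds contains `secret.sops.yaml` (listed in the new `app/kustomization.yaml`), so the Secret would be applied still encrypted unless a parent Kustomization patches decryption into every child, which this diff does not show. If nothing upstream does that, add `decryption: {provider: sops, secretRef: {name: <sops-age-secret-placeholder>}}` under `spec`. Note that `postBuild.substituteFrom` only performs `${...}` variable substitution (what `${SECRET_DOMAIN}` in `httproute.yaml` needs) and does not decrypt anything. A short comment above `postBuild` saying which variables it exists to provide, e.g. `# provides SECRET_DOMAIN for httproute.yaml`, would help the next reader.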
@@ -0,0 +1,69 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: infisical
+spec:
+ interval: 1h
+ chartRef:
+ kind: OCIRepository
+ name: infisical
+ driftDetection:
+ mode: enabled
+ install:
+ remediation:
+ retries: -1
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ valuesFrom:
+ - kind: Secret
+ name: infisical-secret
+ valuesKey: encryptionKey
+ targetPath: infisical.encryptionKey
+ - kind: Secret
+ name: infisical-secret
+ valuesKey: authSecret
+ targetPath: infisical.authSecret
+ - kind: Secret
+ name: infisical-secret
+ valuesKey: dbPassword
+ targetPath: postgresql.auth.password
+ values:
+ fullnameOverride: infisical
+ infisical:
+ enabled: true
+ name: infisical
+ podAnnotations:
+ reloader.stakater.com/auto: "true"
+ frontend:
+ enabled: true
+ name: infisical-frontend
+ image:
+ repository: infisical/frontend
+ tag: v0.112.0
+ pullPolicy: IfNotPresent
+ service:
+ type: ClusterIP
+ port: 80
+ backend:
+ enabled: true
+ name: infisical-backend
+ image:
+ repository: infisical/backend
+ tag: v0.112.0
+ pullPolicy: IfNotPresent
+ service:
+ type: ClusterIP
+ port: 4000
+ postgresql:
+ enabled: true
+ auth:
+ username: infisical
+ database: infisical
+ redis:
+ enabled: true
+ auth:
+ enabled: false
diff --git a/kubernetes/apps/security/infisical/app/httproute.yaml b/kubernetes/apps/security/infisical/app/httproute.yaml
new file mode 100644
index 0000000..d592e16
--- /dev/null
+++ b/kubernetes/apps/security/infisical/app/httproute.yaml
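Review bot: `redis.auth.enabled: false` at the end of the values turns off authentication on the bundled Redis that Infisical uses, so any pod able to reach the `security` namespace can read or write it unless a NetworkPolicy restricts access, and no such policy is part of this change. The chart already receives `postgresql.auth.password` through `valuesFrom`, and the same pattern fits Redis: add a `redisPassword` key to `infisical-secret`, add a fourth `valuesFrom` entry whose `targetPath` is the chart's Redis password value (confirm the exact key in the chart's values), and drop `auth.enabled: false`. Separately, `install.remediation.retries: -1` retries a failing install indefinitely, which hides a permanently broken release behind a perpetual reconciling status; `upgrade` uses `retries: 3`, and a finite value here would be consistent.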
@@ -0,0 +1,21 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/instance: infisical
+ app.kubernetes.io/name: infisical
+ app.kubernetes.io/part-of: infisical
+ name: infisical
+spec:
+ hostnames:
+ - "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: envoy-internal
+ namespace: network
+ rules:
+ - backendRefs:
+ - name: infisical-frontend
+ port: 80
diff --git a/kubernetes/apps/security/infisical/app/kustomization.yaml b/kubernetes/apps/security/infisical/app/kustomization.yaml
new file mode 100644
index 0000000..e03bf8a
--- /dev/null
+++ b/kubernetes/apps/security/infisical/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+ - ./httproute.yaml
+ - ./ocirepository.yaml
+ - ./secret.sops.yaml
diff --git a/kubernetes/apps/security/infisical/app/ocirepository.yaml b/kubernetes/apps/security/infisical/app/ocirepository.yaml
new file mode 100644
index 0000000..0811234
--- /dev/null
+++ b/kubernetes/apps/security/infisical/app/ocirepository.yaml
@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+ name: infisical
+spec:
+ interval: 1h
+ layerSelector:
+ mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+ operation: copy
+ ref:
+ tag: 0.10.2
+ url: oci://registry-1.docker.io/infisical/helm-charts/infisical
diff --git a/kubernetes/apps/security/infisical/app/secret.sops.yaml b/kubernetes/apps/security/infisical/app/secret.sops.yaml
new file mode 100644
index 0000000..7565132
--- /dev/null
+++ b/kubernetes/apps/security/infisical/app/secret.sops.yaml
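Review bot: The hostname `"{{ .Release.Name }}.${SECRET_DOMAIN}"` uses a Helm template expression, but this HTTPRoute is applied directly by Flux's kustomize-controller (it is listed in `app/kustomization.yaml`, not shipped inside the chart), so `{{ .Release.Name }}` is never rendered; only `${SECRET_DOMAIN}` is substituted by `postBuild`, and the literal braces and spaces leave a value that fails the Gateway API hostname validation. Replace it with the concrete name: `- "infisical.${SECRET_DOMAIN}"`. The backendRef `infisical-frontend` on port 80 appears to line up with `frontend.name` and `frontend.service.port` in the HelmRelease, but the Service name the chart emits under `fullnameOverride: infisical` should be confirmed after the first deploy.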
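Review bot: `ref.tag: 0.10.2` pins the chart by a mutable OCI tag, so the artifact Flux resolves every `interval: 1h` can change without any change in this repository; for the component that will hold every other secret, pin by content instead with `ref.digest: sha256:<chart-digest-placeholder>` (Flux's OCIRepository honours `spec.ref.digest` over the tag when both are set). If the publisher signs the chart, `spec.verify` with a cosign provider would add a second check, but that depends on upstream signing which this diff gives no information about. A one-line comment above `ref` recording where the digest was taken from would keep future bumps auditable.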
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: infisical-secret
+type: Opaque
+stringData:
+ encryptionKey: ENC[AES256_GCM,data:cNaAqCxdQE5meUoml4R8Ii5tztvmSJJ2td9StVTDHKE=,iv:6rPAL5kXj6V9NrVVSmjpflClZl4UlViH3Tz5mwDbX1o=,tag:5F9fLW6luASQl4+JKLxjew==,type:str]
+ authSecret: ENC[AES256_GCM,data:3hADiy5vLh9uo74jGuqdTgynuqsrBMAtwvcbbPCg86A=,iv:NlP1kvKZd3EdJ0m3s/TMr0+rDSS1GU3DchZqBM7vm/Y=,tag:YpcRppitTtZhGruW7qQE9w==,type:str]
+ dbPassword: ENC[AES256_GCM,data:22uf5hnP+E+DvKvW3PvtcR7WRNcoJTifJOkq5aug97k=,iv:29mY7o4tAs4zkREJS5JwIQnUQmNJ5iHfFGEWMN8R43M=,tag:tgDrF6aWeMbIjkETlf0B8g==,type:str]
+sops:
+ age:
+ - recipient: age1yzrqhl9dk8ljswpmzsqme3enad5kxxhsptdvecy3lwlq0ms80gaqxrctst
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvK2NQczMxUy9PME5IN2Er
+ Q0hQNGxZQjBBeDBRT2ZiOG5FVHhHRFl0Wkc0CkRyL2JVcDJUbk9YZmNKaW14N1lu
+ UGUreXlCMTVTRjZJT0U5c1dMd3FtNlEKLS0tIG4xclFDeGEwOW14RWJvSVJacUk3
+ dkk2SHpZNzd1UzRWR3cwZ1RjbGluaHcK8aIyAZ5t/vdYcQcF3QHLQ2XPPKJv6QjJ
+ XsJ/hWxJW7bwlL3/LHhBfJBBqd/RDFQ4GooQkZ/YWsK3MnV9P8l5/w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-24T18:00:21Z"
+ mac: ENC[AES256_GCM,data:95O/ulpjlExnMXa1I/K02UzJXYpQd8SxbeNUTfOiAEbAI2DRKaHs5QDybsCDxJza5izGJJN1g8S299WlunxYeoB66FNn2YcyeySDohpG4eqLwX9ivDUscsv1nyK1/fa3BrkedT8hz1klAyaig4WwnyhjHcjxT8lMNN/v2WkPAWU=,iv:kgCOh7Be5ImdlUn3PhXjgPXGG2vyvRVeO+Qi2Aoytk8=,tag:bPb182wTMQVV9vODLT//YQ==,type:str]
+ encrypted_regex: ^(data|stringData)$
+ mac_only_encrypted: true
+ version: 3.12.1
diff --git a/kubernetes/apps/security/infisical/kustomization.yaml b/kubernetes/apps/security/infisical/kustomization.yaml
new file mode 100644
index 0000000..7aacfdb
--- /dev/null
+++ b/kubernetes/apps/security/infisical/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./app.ks.yaml
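Review bot: Only one age recipient is listed under `sops.age`, so the three values in `stringData` (the Infisical encryption key among them) can be recovered only with that single private key; if the key is lost, the data Infisical encrypts with `encryptionKey` is lost with it. Consider adding a second recipient (an offline backup key) to the `.sops.yaml` creation rule and re-encrypting with `sops updatekeys`, which this commit could do without changing any plaintext. As a point of style, this is the only new file without a `---` document start and a `# yaml-language-server` schema line; both survive sops round-trips, so adding them would keep the directory uniform.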
diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml
index eca2d6a..b852a8c 100644
--- a/kubernetes/apps/security/kustomization.yaml
+++ b/kubernetes/apps/security/kustomization.yaml
@@ -1,10 +1,11 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: system-upgrade
+namespace: security
 resources:
 - ./namespace.yaml
+ - ./infisical
 # External secrets should be implemented.
 # Most popular is 1password, but it's paid
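Review bot: The two trailing context comments (`# External secrets should be implemented.` and `# Most popular is 1password, but it's paid`) read as a TODO that adding `./infisical` begins to resolve, yet they are left as they were, so the file now describes an open decision that has in fact been taken. Either drop them or reword them to state what remains, e.g. `# Infisical is the secret store; wiring it to external-secrets is still pending`. The `namespace: security` correction is otherwise consistent with `targetNamespace: security` in the new `app.ks.yaml`.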