Skip to content

docs: rewrite Kubernetes Operator guide for v1beta1 CRDs#6955

Closed
jakehulberg wants to merge 1 commit into
mainfrom
k8s-operator-v2-guide-check
Closed

docs: rewrite Kubernetes Operator guide for v1beta1 CRDs#6955
jakehulberg wants to merge 1 commit into
mainfrom
k8s-operator-v2-guide-check

Conversation

@jakehulberg

Copy link
Copy Markdown
Contributor

What

Rewrites the Kubernetes Operator guide for the current v1beta1 CRD generation.

  • Pull flow now uses InfisicalConnection + InfisicalAuth + InfisicalStaticSecret (replaces the deprecated InfisicalSecret + token-reviewer-JWT walkthrough).
  • Leads with Kubernetes Auth (the recommended in-cluster method, no long-lived credential stored); documents Universal Auth as the simpler alternative for local testing or unreachable clusters.
  • Keeps InfisicalPushSecret and InfisicalDynamicSecret on v1alpha1 (no v1beta1 replacement yet).
  • Adds a Kubernetes Auth reachability matrix (managed cluster, gateway, local + ngrok, self-hosted).
  • Inlines the manifests so the guide is self-contained (no external demo-repo dependency).

Validation

Run end-to-end on minikube against a self-hosted Infisical:

  • Operator install (chart 0.11.2), all v1beta1 CRDs registered.
  • InfisicalConnection / InfisicalAuth / InfisicalStaticSecret sync; Deployment consumption via envFrom + auto-reload redeploy.
  • Both auth methods (Universal and Kubernetes), including the production CA certificate + TLS-verify token-review path.
  • InfisicalPushSecret via both Universal and Kubernetes Auth.
  • All YAML fields verified against the operator Go structs and the live CRD schemas; dashboard labels and nav verified against the frontend; internal links and anchors verified.

Not yet validated (reviewer please note)

  • InfisicalDynamicSecret section: schema-verified only, not run end-to-end.
  • Dashboard click-throughs: verified against the shipping frontend code, not browser-tested.

Rewrites the guide around the v1beta1 flow (InfisicalConnection,
InfisicalAuth, InfisicalStaticSecret), replacing the deprecated
InfisicalSecret. Leads with Kubernetes Auth (the recommended in-cluster
method) and documents Universal Auth as the simpler alternative. Keeps
InfisicalPushSecret and InfisicalDynamicSecret on v1alpha1. Adds a
Kubernetes Auth reachability matrix.

Validated end-to-end on minikube against a self-hosted Infisical:
operator install, Connection/Auth/StaticSecret sync, deployment
consumption + auto-reload, both auth methods, push, and the production
CA + TLS-verify token review path.
@infisical-review-police

Copy link
Copy Markdown

💬 Discussion in Slack: #pr-review-infisical-6955-docs-rewrite-kubernetes-operator-guide-for-v1beta1-crds

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@greptile-apps

greptile-apps Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR rewrites the Kubernetes Operator guide for the current v1beta1 CRD generation, replacing the deprecated InfisicalSecret + token-reviewer-JWT walkthrough with the InfisicalConnection / InfisicalAuth / InfisicalStaticSecret flow, leading with Kubernetes Auth and keeping v1alpha1 for push and dynamic secrets.

  • All YAML manifests are now inlined (no external demo-repo dependency), a reachability matrix for the TokenReview API server is added, and Universal Auth is documented as a secondary path.
  • The ALLOW_INTERNAL_IP_CONNECTIONS=true guidance in the reachability matrix needs a security callout: enabling it lets Infisical reach private-range IPs, which is an SSRF vector for users who can configure Kubernetes Auth methods.
  • The cleanup section does not warn that deletionPolicy: Delete on the InfisicalPushSecret will remove secrets from Infisical on deletion, and it omits commands to remove the reviewer ClusterRoleBinding and service account left behind after helm uninstall.

Confidence Score: 3/5

Documentation is substantially improved but has two user-facing correctness gaps — missing SSRF callout and silent data-loss risk on cleanup — that should be addressed before publishing.

The rewrite is thorough and the manifests are validated against live CRD schemas, but the ALLOW_INTERNAL_IP_CONNECTIONS=true paragraph is missing a warning that could lead operators to enable it without realizing it exposes Infisical's backend as an SSRF proxy for anyone who can edit Kubernetes Auth methods. Separately, the cleanup block will silently delete Infisical-side secrets because deletionPolicy: Delete is set, and the ClusterRoleBinding granting system:auth-delegator is never removed — neither issue is called out in the guide.

docs/documentation/guides/kubernetes-operator.mdx — specifically the reachability warning block (ALLOW_INTERNAL_IP_CONNECTIONS) and the Cleanup section.

Security Review

  • SSRF via ALLOW_INTERNAL_IP_CONNECTIONS=true (kubernetes-operator.mdx line 149): the guide instructs users to enable this flag on their Infisical instance so Infisical can reach a private-IP Kubernetes API server for TokenReview calls. With the flag on, any user who can configure a Kubernetes Auth method can supply an arbitrary internal address as the Kubernetes Host (e.g., http://169.254.169.254 on cloud VMs) and trigger outbound requests from the Infisical backend to that address. The guide does not warn about this or recommend restricting who can manage Kubernetes Auth methods when the flag is in use.

Important Files Changed

Filename Overview
docs/documentation/guides/kubernetes-operator.mdx Full rewrite of the Kubernetes Operator guide for v1beta1 CRDs; introduces inline YAML manifests and a reachability matrix, but the ALLOW_INTERNAL_IP_CONNECTIONS=true guidance lacks an SSRF warning, and the cleanup section omits commands for RBAC resources and doesn't warn that deletionPolicy:Delete will remove secrets from Infisical.

Reviews (1): Last reviewed commit: "docs: rewrite Kubernetes Operator guide ..." | Re-trigger Greptile

| Managed cluster (EKS, GKE, AKS, OpenShift) | Use the API server's public or peered endpoint and supply its CA certificate with verification on. This is the production path. |
| No inbound access allowed | Set **Review Mode** to **Gateway as Reviewer**, so an in-cluster [Gateway](/documentation/platform/gateways/overview) performs the TokenReview locally. Gateway is an Enterprise feature. |
| Infisical Cloud + a local cluster (minikube, kind) | Expose the API server through a public hostname (for example an `ngrok` tunnel): a public host passes Infisical's host validation and is reachable for the TokenReview. Leave the CA certificate empty only for local testing, which disables TLS verification. |
| Self-hosted Infisical that routes to the cluster on a private IP | Set `ALLOW_INTERNAL_IP_CONNECTIONS=true` on the Infisical instance and use the API server's IP. When you save the auth method, Infisical otherwise rejects private IPs and always rejects the literal hostnames `localhost` and `host.docker.internal`. |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security SSRF risk from ALLOW_INTERNAL_IP_CONNECTIONS=true not called out

Setting ALLOW_INTERNAL_IP_CONNECTIONS=true on the Infisical instance removes the guard that blocks private-range destinations from the TokenReview outbound call. Any user with permission to configure a Kubernetes Auth method can then point the Kubernetes Host field at an arbitrary internal address (e.g., 169.254.169.254 on AWS/GCP, or any internal admin service) and cause Infisical's backend to make requests to it. The paragraph should note that access to create or edit Kubernetes Auth methods should be restricted when this flag is enabled.

Comment on lines +432 to +445
## Cleanup

```bash
kubectl delete infisicalstaticsecret lab-static-secret
kubectl delete infisicalpushsecret lab-push
kubectl delete infisicaldynamicsecret lab-dynamic-secret
kubectl delete infisicalauth lab-auth
kubectl delete infisicalconnection lab-connection
helm uninstall infisical-operator -n infisical-operator
```

**Congratulations! You successfully managed secrets with Kubernetes.** No newline at end of file
<Note>
Managed Secrets created with `creationPolicy: Owner` are removed with their owning CRD. Secrets created with `Orphan`, the reviewer service account, and the operator's own namespace are not removed by `helm uninstall`.
</Note>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Cleanup silently deletes Infisical secrets via deletionPolicy: Delete

The guide configures InfisicalPushSecret with deletionPolicy: Delete (line 364). Running kubectl delete infisicalpushsecret lab-push will therefore also delete the pushed keys from the Infisical project — not just the in-cluster resource. A user running the cleanup block without being aware of this will lose the PUSHED_KEY and ANOTHER_KEY secrets server-side. A one-line warning before the cleanup commands (or inline with the deletionPolicy explanation) would prevent accidental data loss.

Comment on lines +432 to +445
## Cleanup

```bash
kubectl delete infisicalstaticsecret lab-static-secret
kubectl delete infisicalpushsecret lab-push
kubectl delete infisicaldynamicsecret lab-dynamic-secret
kubectl delete infisicalauth lab-auth
kubectl delete infisicalconnection lab-connection
helm uninstall infisical-operator -n infisical-operator
```

**Congratulations! You successfully managed secrets with Kubernetes.** No newline at end of file
<Note>
Managed Secrets created with `creationPolicy: Owner` are removed with their owning CRD. Secrets created with `Orphan`, the reviewer service account, and the operator's own namespace are not removed by `helm uninstall`.
</Note>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Reviewer RBAC resources are not cleaned up and no commands are provided

The closing <Note> correctly states the reviewer service account is not removed by helm uninstall, but it gives users no commands to do it themselves. After following the guide, three resources remain: ServiceAccount/infisical-service-account, Secret/infisical-service-account-token, and ClusterRoleBinding/infisical-service-account-role-binding. The ClusterRoleBinding grants system:auth-delegator cluster-wide; leaving it dangling after the operator is uninstalled is unnecessary privilege. Similarly, the demo Deployment/demo-app is not listed.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ac803934e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +159 to +160
kubectl create secret generic kubernetes-credentials \
--from-literal=identityId="<your-machine-identity-id>"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pin credential secrets to the referenced namespace

When the user's current kubectl namespace is not default (-n is the namespace scope for the request per the kubectl docs), this command creates kubernetes-credentials in the wrong namespace, while the following InfisicalAuth hard-codes identityIdRef.namespace: default. In that context the operator cannot find the Secret and authentication stays NotReady; add -n default here (and to the Universal Auth credentials command later) or avoid hard-coding default in the references.

Useful? React with 👍 / 👎.

@mintlify

mintlify Bot commented Jun 19, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
infisical 🟢 Ready View Preview Jun 19, 2026, 9:23 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant