allow host api in spec and update spec names

.github/workflows/release_docker_k8_operator.yaml

@@ -26,16 +26,4 @@ jobs:
           context: k8-operator
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: infisical/kubernetes-operator:latest
-
-      - uses: actions/setup-go@v2
-
-      - name: Generate YAML for Kubectl
-        run: make dist charts
-
-      - name: Upload CRD manifest
-        uses: svenstaro/upload-release-action@v2
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: dist/install-secrets-operator.yaml
-          tag: ${{ github.ref }}
+          tags: infisical/kubernetes-operator:latest

helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml

@@ -38,7 +38,11 @@ spec:
               environment:
                 description: The Infisical environment such as dev, prod, testing
                 type: string
-              infisicalToken:
+              hostAPI:
+                default: https://app.infisical.com/api
+                description: Infisical host to pull secrets from
+                type: string
+              managedSecretReference:
                 properties:
                   secretName:
                     description: The name of the Kubernetes Secret
@@ -50,7 +54,10 @@ spec:
                 - secretName
                 - secretNamespace
                 type: object
-              managedSecret:
+              projectId:
+                description: The Infisical project id
+                type: string
+              tokenSecretReference:
                 properties:
                   secretName:
                     description: The name of the Kubernetes Secret
@@ -62,9 +69,6 @@ spec:
                 - secretName
                 - secretNamespace
                 type: object
-              projectId:
-                description: The Infisical project id
-                type: string
             required:
             - environment
             - projectId

k8-operator/api/v1alpha1/infisicalsecret_types.go

@@ -16,8 +16,8 @@ type KubeSecretReference struct {
 
 // InfisicalSecretSpec defines the desired state of InfisicalSecret
 type InfisicalSecretSpec struct {
-	InfisicalToken KubeSecretReference `json:"infisicalToken,omitempty"`
-	ManagedSecret  KubeSecretReference `json:"managedSecret,omitempty"`
+	TokenSecretReference   KubeSecretReference `json:"tokenSecretReference,omitempty"`
+	ManagedSecretReference KubeSecretReference `json:"managedSecretReference,omitempty"`
 
 	// The Infisical project id
 	// +kubebuilder:validation:Required
@@ -26,6 +26,10 @@ type InfisicalSecretSpec struct {
 	// The Infisical environment such as dev, prod, testing
 	// +kubebuilder:validation:Required
 	Environment string `json:"environment"`
+
+	// Infisical host to pull secrets from
+	// +kubebuilder:default="https://app.infisical.com/api"
+	HostAPI string `json:"hostAPI,omitempty"`
 }
 
 // InfisicalSecretStatus defines the observed state of InfisicalSecret

k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml

@@ -38,7 +38,11 @@ spec:
               environment:
                 description: The Infisical environment such as dev, prod, testing
                 type: string
-              infisicalToken:
+              hostAPI:
+                default: https://app.infisical.com/api
+                description: Infisical host to pull secrets from
+                type: string
+              managedSecretReference:
                 properties:
                   secretName:
                     description: The name of the Kubernetes Secret
@@ -50,7 +54,10 @@ spec:
                 - secretName
                 - secretNamespace
                 type: object
-              managedSecret:
+              projectId:
+                description: The Infisical project id
+                type: string
+              tokenSecretReference:
                 properties:
                   secretName:
                     description: The name of the Kubernetes Secret
@@ -62,9 +69,6 @@ spec:
                 - secretName
                 - secretNamespace
                 type: object
-              projectId:
-                description: The Infisical project id
-                type: string
             required:
             - environment
             - projectId

k8-operator/config/default/kustomization.yaml

@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: k8-operator-system
+namespace: infisical-operator-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: k8-operator-
+namePrefix: infisical-operator-
 
 # Labels to add to all resources and selectors.
 #commonLabels:

k8-operator/config/samples/sample.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample
+  # namespace: first-project
+spec:
+  projectId: 62faf98ae0b05e8529b5da46
+  environment: dev
+  tokenSecretReference:
+    secretName: service-token
+    secretNamespace: first-project
+  managedSecretReference:
+    secretName: managed-secret
+    secretNamespace: first-project

k8-operator/controllers/infisicalsecret_controller.go

@@ -36,14 +36,16 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	var infisicalSecretCR v1alpha1.InfisicalSecret
 	err := r.Get(ctx, req.NamespacedName, &infisicalSecretCR)
 
+	requeueTime := time.Minute * 5
+
 	if err != nil {
 		if errors.IsNotFound(err) {
 			log.Info("Infisical Secret not found")
 			return ctrl.Result{}, nil
 		} else {
 			log.Error(err, "Unable to fetch Infisical Secret from cluster. Will retry")
 			return ctrl.Result{
-				RequeueAfter: time.Minute,
+				RequeueAfter: requeueTime,
 			}, nil
 		}
 	}
@@ -58,13 +60,13 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	if err != nil {
 		log.Error(err, "Unable to reconcile Infisical Secret and will try again")
 		return ctrl.Result{
-			RequeueAfter: time.Minute,
+			RequeueAfter: requeueTime,
 		}, nil
 	}
 
 	// Sync again after the specified time
 	return ctrl.Result{
-		RequeueAfter: time.Minute,
+		RequeueAfter: requeueTime,
 	}, nil
 }
 

k8-operator/controllers/infisicalsecret_helper.go

@@ -29,12 +29,12 @@ func (r *InfisicalSecretReconciler) GetKubeSecretByNamespacedName(ctx context.Co
 
 func (r *InfisicalSecretReconciler) GetInfisicalToken(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret) (string, error) {
 	tokenSecret, err := r.GetKubeSecretByNamespacedName(ctx, types.NamespacedName{
-		Namespace: infisicalSecret.Spec.InfisicalToken.SecretNamespace,
-		Name:      infisicalSecret.Spec.InfisicalToken.SecretName,
+		Namespace: infisicalSecret.Spec.TokenSecretReference.SecretNamespace,
+		Name:      infisicalSecret.Spec.TokenSecretReference.SecretName,
 	})
 
 	if err != nil {
-		return "", fmt.Errorf("failed to read Infisical token secret from secret named [%s] in namespace [%s]: with error [%w]", infisicalSecret.Spec.ManagedSecret.SecretName, infisicalSecret.Spec.ManagedSecret.SecretNamespace, err)
+		return "", fmt.Errorf("failed to read Infisical token secret from secret named [%s] in namespace [%s]: with error [%w]", infisicalSecret.Spec.ManagedSecretReference.SecretName, infisicalSecret.Spec.ManagedSecretReference.SecretNamespace, err)
 	}
 
 	infisicalServiceToken := tokenSecret.Data[INFISICAL_TOKEN_SECRET_KEY_NAME]
@@ -54,8 +54,8 @@ func (r *InfisicalSecretReconciler) CreateInfisicalManagedKubeSecret(ctx context
 	// create a new secret as specified by the managed secret spec of CRD
 	newKubeSecretInstance := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      infisicalSecret.Spec.ManagedSecret.SecretName,
-			Namespace: infisicalSecret.Spec.ManagedSecret.SecretNamespace,
+			Name:      infisicalSecret.Spec.ManagedSecretReference.SecretName,
+			Namespace: infisicalSecret.Spec.ManagedSecretReference.SecretNamespace,
 		},
 		Type: "Opaque",
 		Data: plainProcessedSecrets,
@@ -94,15 +94,15 @@ func (r *InfisicalSecretReconciler) ReconcileInfisicalSecret(ctx context.Context
 	}
 
 	managedKubeSecret, err := r.GetKubeSecretByNamespacedName(ctx, types.NamespacedName{
-		Name:      infisicalSecret.Spec.ManagedSecret.SecretName,
-		Namespace: infisicalSecret.Spec.ManagedSecret.SecretNamespace,
+		Name:      infisicalSecret.Spec.ManagedSecretReference.SecretName,
+		Namespace: infisicalSecret.Spec.ManagedSecretReference.SecretNamespace,
 	})
 
 	if err != nil && !errors.IsNotFound(err) {
 		return fmt.Errorf("something went wrong when fetching the managed Kubernetes secret [%w]", err)
 	}
 
-	secretsFromApi, err := api.GetAllEnvironmentVariables(infisicalSecret.Spec.ProjectId, infisicalSecret.Spec.Environment, infisicalToken)
+	secretsFromApi, err := api.GetAllEnvironmentVariables(infisicalSecret.Spec.ProjectId, infisicalSecret.Spec.Environment, infisicalToken, infisicalSecret.Spec.HostAPI)
 
 	if err != nil {
 		return err