
Infisical Secrets Operator

A timoni.sh module for deploying the Infisical Secrets Operator to Kubernetes clusters.

Install

To create an instance using the default values:

timoni -n default apply infisical-secrets-operator oci://<container-registry-url>

To change the default configuration, create one or more values.cue files and apply them to the instance.

For example, create a file my-values.cue with the following content:

values: {
	resources: requests: {
		cpu:    "100m"
		memory: "128Mi"
	}
}

And apply the values with:

timoni -n default apply infisical-secrets-operator oci://<container-registry-url> \
--values ./my-values.cue

Uninstall

To uninstall an instance and delete all its Kubernetes resources:

timoni -n default delete infisical-secrets-operator

Configuration

General values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| `image: manager: tag:` | `string` | `<latest version>` | Container image tag |
| `image: manager: digest:` | `string` | `<latest digest>` | Container image digest; takes precedence over tag when specified |
| `image: manager: repository:` | `string` | `infisical/kubernetes-operator` | Container image repository |
| `image: manager: pullPolicy:` | `string` | `IfNotPresent` | Kubernetes image pull policy |
| `metadata: labels:` | `{[string]: string}` | `{}` | Common labels for all resources |
| `metadata: annotations:` | `{[string]: string}` | `{}` | Common annotations for all resources |
| `podAnnotations:` | `{[string]: string}` | `{}` | Annotations applied to pods |
| `imagePullSecrets:` | `[...timoniv1.#ObjectReference]` | `[]` | Kubernetes image pull secrets |
| `tolerations:` | `[...corev1.#Toleration]` | `[]` | Kubernetes tolerations |
| `affinity:` | `corev1.#Affinity` | `{}` | Kubernetes affinity and anti-affinity |
| `resources:` | `timoniv1.#ResourceRequirements` | `{}` | Kubernetes resource requests and limits |
| `topologySpreadConstraints:` | `[...corev1.#TopologySpreadConstraint]` | `[]` | Kubernetes pod topology spread constraints |
| `podSecurityContext:` | `corev1.#PodSecurityContext` | `{}` | Kubernetes pod security context |
| `securityContext:` | `corev1.#SecurityContext` | `{}` | Kubernetes container security context |
| `service: annotations:` | `{[string]: string}` | `{}` | Annotations applied to the Kubernetes Service |
| `service: port:` | `int` | `80` | Kubernetes Service HTTP port |
| `test: enabled:` | `bool` | `false` | Run end-to-end tests at install and upgrades |

Recommended values

To comply with the restricted Kubernetes Pod Security Standard:

values: {
	podSecurityContext: {
		runAsUser:  65532
		runAsGroup: 65532
		fsGroup:    65532
	}
	securityContext: {
		allowPrivilegeEscalation: false
		readOnlyRootFilesystem:   false
		runAsNonRoot:             true
		capabilities: drop: ["ALL"]
		seccompProfile: type: "RuntimeDefault"
	}
}
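A complete values file that combines the settings above, as an added example that is not part of this module's own documentation: it pins the manager image by digest (which the table notes takes precedence over the tag, so a re-pushed tag cannot change what is deployed), adds resource limits alongside the requests, and carries the restricted pod security settings. The digest value and the pull-secret name are placeholders to replace.

```cue
// my-values.cue: added example, not part of this module's docs.
// Placeholders to replace: the image digest and the pull-secret name.
values: {
	image: manager: {
		// A digest pins the exact image the cluster runs; when set it takes
		// precedence over the tag, so a moved tag cannot change the deployment.
		digest:     "sha256:<digest-of-the-reviewed-image>"
		pullPolicy: "IfNotPresent"
	}

	// Credentials for a private registry mirror of the operator image (placeholder).
	imagePullSecrets: [{name: "<registry-credentials>"}]

	// Requests make scheduling predictable; limits bound a misbehaving manager.
	resources: {
		requests: {cpu: "100m", memory: "128Mi"}
		limits: {cpu: "500m", memory: "256Mi"}
	}

	// Restricted Pod Security Standard settings from "Recommended values".
	podSecurityContext: {
		runAsUser:  65532
		runAsGroup: 65532
		fsGroup:    65532
	}
	securityContext: {
		allowPrivilegeEscalation: false
		readOnlyRootFilesystem:   false
		runAsNonRoot:             true
		capabilities: drop: ["ALL"]
		seccompProfile: type: "RuntimeDefault"
	}
}
```

Apply it with the same `timoni -n default apply ... --values ./my-values.cue` command shown under Install; the digest must be read from your registry for the reviewed operator version before the apply will pull an image.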