Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

[ENG-142] Add labels/annotations support on generated Kubernetes Secrets #1042

Open asoc opened 9 months ago

asoc commented 9 months ago

Feature description

I would like the ability to specify labels and annotations that should be added to the generated Secret resource.

Why would it be useful?

Some applications use labels/annotations for management or tracking purposes. For a specific example, ArgoCD supports declaring repository credentials via Secrets but requires a specific label on the Secret for it to be usable. https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repository-credentials

Example from the link:

apiVersion: v1
kind: Secret
metadata:
  name: private-repo-creds
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repo-creds
stringData:
  type: git
  url: https://github.com/argoproj
  password: my-password
  username: my-username

From SyncLinear.com | ENG-142

Brutus5000 commented 7 months ago

Damn, came looking for a label solution exactly because of ArgoCD.

maidul98 commented 7 months ago

Labels from InfisicalSecret are now propagated to the managed secret that gets created: https://infisical.com/docs/integrations/platforms/kubernetes#propagating-labels-and-annotations

mateuszkozakiewicz commented 6 months ago

This is confusing for me. Now one of the propagated labels is:

labels:
    argocd.argoproj.io/instance: example-argo-application

however the InfisicalSecret doesn't set an ownerReference on the created secret, so ArgoCD assumes the new secret resource is not part of the example-argo-application Application and immediately deletes it? A workaround is to pass an annotation like this

annotations:
    argocd.argoproj.io/sync-options: Prune=false

but this makes an app forever out of sync.

What am I missing here?

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisical-test-secret
  namespace: infisical
  annotations:
    argocd.argoproj.io/sync-options: Prune=false  # <---- this is needed to make this work at all
spec:
  hostAPI: https://app.infisical.com/api
  resyncInterval: 60
  authentication:
    serviceToken:
      serviceTokenSecretReference:
        secretName: infisical-service-token
        secretNamespace: infisical
      secretsScope:
        envSlug: prod
        secretsPath: "/test"
  managedSecretReference:
    secretName: test-secret
    secretNamespace: infisical

Currently the best solution I found is to roll back to the v0.3.0 operator image.

maidul98 commented 6 months ago

@matti-kz The issue should be fixed now, as the secret that gets created will have an owner reference. Can you let us know if it is working for you?

mateuszkozakiewicz commented 6 months ago

Hello, yes, this fixes the issue, thank you. You should probably also note that this introduces an additional requirement: the InfisicalSecret resource now needs to be in the same namespace as the created secret, because cross-namespace ownership is not supported. But your Helm chart is using the latest image tag, which will introduce some changes for your current users; ideally Helm chart versions should come bundled with a specific image tag.
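To make the behaviour discussed in this thread concrete, here is an added example (not Infisical operator code) that models how a managed Secret's metadata is derived from an InfisicalSecret: labels and annotations are propagated, an ownerReference is set so ArgoCD attributes the Secret to the owning Application, and a cross-namespace managedSecretReference is rejected because Kubernetes does not allow owner references across namespaces. It also includes a check for the failure mode mateuszkozakiewicz hit: a Secret carrying the ArgoCD instance label but no owner and no `Prune=false` opt-out. The sample manifest and its uid are constructed; the dict layout only mirrors the YAML shown above.

```python
# Added example, not Infisical operator code: a model of how a managed Secret's
# metadata is derived from an InfisicalSecret, plus a check for the ArgoCD
# pruning failure mode discussed in the thread. Manifests are plain dicts.
from typing import Any, Dict

ARGO_INSTANCE_LABEL = "argocd.argoproj.io/instance"
ARGO_SYNC_OPTIONS = "argocd.argoproj.io/sync-options"

# Constructed sample mirroring the manifest in the thread; the uid is made up.
SAMPLE_INFISICAL_SECRET: Dict[str, Any] = {
    "apiVersion": "secrets.infisical.com/v1alpha1",
    "kind": "InfisicalSecret",
    "metadata": {
        "name": "infisical-test-secret", "namespace": "infisical",
        "uid": "00000000-0000-4000-8000-000000000001",
        "labels": {ARGO_INSTANCE_LABEL: "example-argo-application"},
        "annotations": {},
    },
    "spec": {"managedSecretReference": {"secretName": "test-secret",
                                        "secretNamespace": "infisical"}},
}

def build_managed_secret(src: Dict[str, Any], data: Dict[str, str]) -> Dict[str, Any]:
    """Propagate labels/annotations and set an ownerReference to the InfisicalSecret.
    Kubernetes rejects cross-namespace owner references, so namespaces must match."""
    meta, ref = src["metadata"], src["spec"]["managedSecretReference"]
    target_ns = ref.get("secretNamespace", meta["namespace"])
    if target_ns != meta["namespace"]:
        raise ValueError(f"cannot own {target_ns}/{ref['secretName']} from namespace "
                         f"{meta['namespace']}: cross-namespace ownership is not supported")
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {
            "name": ref["secretName"], "namespace": target_ns,
            "labels": dict(meta.get("labels", {})),
            "annotations": dict(meta.get("annotations", {})),
            "ownerReferences": [{"apiVersion": src["apiVersion"], "kind": src["kind"],
                                 "name": meta["name"], "uid": meta["uid"],
                                 "controller": True, "blockOwnerDeletion": True}],
        },
        "stringData": dict(data),
    }

def argocd_prune_risk(secret: Dict[str, Any]) -> bool:
    """True when ArgoCD would treat the Secret as an untracked extra resource: it
    carries the instance label, has no owner, and lacks the Prune=false opt-out."""
    meta = secret.get("metadata", {})
    tracked = ARGO_INSTANCE_LABEL in meta.get("labels", {})
    owned = bool(meta.get("ownerReferences"))
    opts = meta.get("annotations", {}).get(ARGO_SYNC_OPTIONS, "")
    return tracked and not owned and "Prune=false" not in [o.strip() for o in opts.split(",")]
```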