feat: automatically configure k8s authentication

[varonix0]

This PR adds support for automatically configuring kubernetes authentication directly through Helm.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds opt-in Kubernetes authentication setup via the configureBasicKubernetesAuth Helm value. When enabled, it automatically creates a service account with system:auth-delegator permissions and extracts its token for use with Infisical's Kubernetes authentication.

Major Issues Found:

• CRITICAL: Service account tokens are printed directly to stdout in Job logs (lines 55-61 of job-token-setup.yaml), exposing credentials to anyone with log access. Logs persist indefinitely and may be forwarded to external systems, creating a significant security risk. The token grants cluster-level authentication permissions.
• HIGH: Using bitnami/kubectl:latest without digest pinning introduces supply chain risks
• MEDIUM: Missing documentation for the new feature - users cannot discover the configureBasicKubernetesAuth parameter without reading source code

Recommendations:

1. Store tokens in Kubernetes Secrets instead of logging them, and provide kubectl commands for secure retrieval
2. Pin container image to specific version with digest
3. Document the new parameter in the README with security implications and usage instructions

Confidence Score: 1/5

• This PR contains a critical security vulnerability that exposes service account tokens in logs, making it unsafe to merge without fixes
• Score reflects the critical security issue of logging sensitive authentication tokens to stdout where they persist indefinitely and can be accessed by anyone with log viewing permissions. This token grants cluster-level system:auth-delegator permissions, allowing validation of any service account token in the cluster. Combined with the supply chain risk from unpinned image tags, this represents a significant security concern that must be addressed before merging.
• helm-charts/secrets-operator/templates/kubernetes-auth/job-token-setup.yaml requires immediate attention to remove token logging and pin image version

Important Files Changed

File Analysis

Filename	Score	Overview
helm-charts/secrets-operator/templates/kubernetes-auth/job-token-setup.yaml	1/5	Job that extracts and displays service account tokens - contains CRITICAL security vulnerability: outputs sensitive tokens to logs which persist indefinitely and can be accessed by anyone with log permissions
helm-charts/secrets-operator/templates/NOTES.txt	3/5	Helm installation notes that direct users to view logs containing sensitive tokens - perpetuates the security issue by encouraging token exposure
helm-charts/secrets-operator/values.yaml	4/5	Adds configureBasicKubernetesAuth flag (defaults to false) - missing documentation for this new parameter

[greptile-apps]

_{7 files reviewed, 5 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: CRITICAL SECURITY ISSUE: Printing sensitive service account tokens directly to stdout exposes them in Kubernetes logs, which persist indefinitely and can be accessed by anyone with log viewing permissions.

Attack vector: A malicious actor with kubectl logs access can extract this token and use it to authenticate as the infisical-token-reviewer service account with system:auth-delegator cluster-level permissions. This token could be used to validate other service account tokens across the entire cluster.

Risks:

• Tokens remain in logs even after rotation
• Logs may be forwarded to external logging systems (Splunk, ELK, etc.)
• Audit logs expose credentials
• No expiration control once logged

Safer alternatives:

1. Store token in a Kubernetes Secret and instruct users to retrieve it via kubectl get secret
2. Use a one-time retrieval mechanism
3. Don't echo the token at all - provide instructions for users to extract it themselves when needed
4. Use short-lived tokens with automatic rotation

[greptile-apps]

logic: Using latest tag without digest pinning creates supply chain security risks. A compromised or malicious image pushed to this tag could execute arbitrary code during Helm installation.

Attack vector: If the bitnami/kubectl repository is compromised, attackers could push malicious code that executes with the permissions of the service account during post-install hooks.

Consider pinning to a specific version and digest:

Suggested change

	image: bitnami/kubectl:latest
	image: bitnami/kubectl:1.31.3@sha256:<digest-here>

[greptile-apps]

style: 30 seconds may be too short for slower clusters or during high load. If the token secret takes longer to provision, the job will fail and Helm may hang or report failure even though the resources were created successfully.

Consider increasing to 60-120 seconds to account for cluster variability.

[greptile-apps]

style: The comment states "we keep the job after successful creation so we can view logs afterwards" but this perpetuates the security issue of having sensitive tokens in logs.

Consider using hook-delete-policy: hook-succeeded to clean up the job and its logs after successful completion, reducing the window of token exposure.

[greptile-apps]

style: The new configureBasicKubernetesAuth parameter lacks documentation in the README. Users won't discover this feature without examining source code. Add documentation explaining what it does, when to enable it, security implications, and how to use the generated token.

Context Used: Context from dashboard - When naming sections in documentation, use clear and descriptive titles that reflect the functionali... (source)