Infisical · varonix0 · Nov 29, 2025 · greptile-apps · Nov 29, 2025 · greptile-apps
diff --git a/helm-charts/secrets-operator/templates/NOTES.txt b/helm-charts/secrets-operator/templates/NOTES.txt
@@ -0,0 +1,15 @@
+{{- if .Values.configureBasicKubernetesAuth }}
+{{- $namespace := .Release.Namespace }}
+==========================================
+Installation complete.
+==========================================
+
+To view the reviewer token, CA certificate, and Kubernetes host, run:
+
+kubectl logs -n {{ $namespace }} -l app.kubernetes.io/component=token-setup --tail=100
+
+==========================================
+{{- else }}
+Installation complete.
+{{- end }}
+
diff --git a/...-charts/secrets-operator/templates/kubernetes-auth/clusterrolebinding-token-reviewer.yaml b/...-charts/secrets-operator/templates/kubernetes-auth/clusterrolebinding-token-reviewer.yaml
@@ -0,0 +1,15 @@
+{{ if .Values.configureBasicKubernetesAuth }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: infisical-token-reviewer-role-binding
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: infisical-token-reviewer
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm-charts/secrets-operator/templates/kubernetes-auth/job-token-setup.yaml b/helm-charts/secrets-operator/templates/kubernetes-auth/job-token-setup.yaml
@@ -0,0 +1,88 @@
+{{- if .Values.configureBasicKubernetesAuth }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "secrets-operator.fullname" . }}-token-setup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation # we keep the job after successful creation so we can view logs afterwards
+  labels:
+    {{- include "secrets-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-setup
+spec:
+  activeDeadlineSeconds: 30  # Timeout after 30 seconds to prevent Helm from hanging
+  backoffLimit: 0  # Don't retry the Job if it fails
+  template:
+    metadata:
+      labels:
+        {{- include "secrets-operator.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: token-setup
+    spec:
+      serviceAccountName: {{ include "secrets-operator.serviceAccountName" . }}
+      restartPolicy: Never
+      containers:
+      - name: token-setup
+        image: bitnami/kubectl:latest
-        image: bitnami/kubectl:latest
+        image: bitnami/kubectl:1.31.3@sha256:<digest-here>
-        image: bitnami/kubectl:latest
+        image: bitnami/kubectl:1.31.3@sha256:<digest-here>
+        command:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+          echo "Patching service account infisical-token-reviewer..."
+          kubectl patch serviceaccount infisical-token-reviewer \
+            -p '{"secrets": [{"name": "infisical-token-reviewer-token"}]}' \
+            -n {{ .Release.Namespace }} || echo "Note: Service account may already be patched"
+
+          echo "Waiting for token secret to be available..."
+          MAX_RETRIES=15
+          RETRY_COUNT=0
+
+          while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+            if kubectl get secret infisical-token-reviewer-token -n {{ .Release.Namespace }} &>/dev/null; then
+              TOKEN=$(kubectl get secret infisical-token-reviewer-token -n {{ .Release.Namespace }} -o=jsonpath='{.data.token}' 2>/dev/null | base64 -d 2>/dev/null || echo "")
+              if [ -n "$TOKEN" ] && [ "$TOKEN" != "null" ]; then
+                # Get CA certificate from the secret
+                CA_CERT=$(kubectl get secret infisical-token-reviewer-token -n {{ .Release.Namespace }} -o=jsonpath='{.data.ca\.crt}' 2>/dev/null | base64 -d 2>/dev/null || echo "")
+
+                echo ""
+                echo "=========================================="
+                echo "Installation complete."
+                echo ""
+                echo "Reviewer token:"
+                echo ""
+                echo "$TOKEN"
+                echo ""
+                echo ""
+                if [ -n "$CA_CERT" ]; then
+                  echo "CA certificate:"
+                  echo ""
+                  echo "$CA_CERT"
+                else
+                  echo "CA certificate: (not available in secret)"
+                  echo ""
+                fi
+                echo ""
+                echo "Kubernetes host:"
+                echo ""
+                echo "Unable to determine Kubernetes host. You can find your Kubernetes host by running 'kubectl cluster-info'."
+                echo "Ensure that the Kubernetes host is accessible by Infisical. If this is a private cluster, you may need to configure the Infisical Gateway to allow access to the Kubernetes host from Infisical."
+                echo ""
+                echo ""
+                echo "=========================================="
+                exit 0
+              fi
+            fi
+            RETRY_COUNT=$((RETRY_COUNT + 1))
+            echo "  Attempt $RETRY_COUNT/$MAX_RETRIES: Token not ready yet, waiting..."
+            sleep 1
+          done
+
+          echo ""
+          echo "Warning: Token not available after $MAX_RETRIES attempts."
+          echo "Please check the secret manually with:"
+          echo "  kubectl get secret infisical-token-reviewer-token -n {{ .Release.Namespace }} -o=jsonpath='{.data.token}' | base64 --decode && echo"
+          exit 1
+{{- end }}
+
diff --git a/helm-charts/secrets-operator/templates/kubernetes-auth/rbac-token-setup.yaml b/helm-charts/secrets-operator/templates/kubernetes-auth/rbac-token-setup.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.configureBasicKubernetesAuth }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "secrets-operator.fullname" . }}-token-setup-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secrets-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-setup
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "secrets-operator.fullname" . }}-token-setup-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secrets-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-setup
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "secrets-operator.fullname" . }}-token-setup-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "secrets-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+
diff --git a/...crets-operator/templates/kubernetes-auth/secret-service-account-token-reviewer-token.yaml b/...crets-operator/templates/kubernetes-auth/secret-service-account-token-reviewer-token.yaml
@@ -0,0 +1,10 @@
+{{ if .Values.configureBasicKubernetesAuth }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: infisical-token-reviewer-token
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/service-account.name: infisical-token-reviewer
+{{- end }}
diff --git a/helm-charts/secrets-operator/templates/kubernetes-auth/service-account-token-reviewer.yaml b/helm-charts/secrets-operator/templates/kubernetes-auth/service-account-token-reviewer.yaml
@@ -0,0 +1,7 @@
+{{ if .Values.configureBasicKubernetesAuth }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: infisical-token-reviewer
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm-charts/secrets-operator/values.yaml b/helm-charts/secrets-operator/values.yaml
@@ -40,4 +40,5 @@ kubernetesClusterDomain: cluster.local
 scopedNamespace: ""
 scopedRBAC: false
 installCRDs: true
+configureBasicKubernetesAuth: false
 imagePullSecrets: []