synced/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2025-03-31 22:09:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

add helm with postgres + docs

Browse Source
This commit is contained in:
Maidul Islam
2024-02-23 21:20:58 -05:00
parent 2142f5736c
commit 46f0fb7a41
19 changed files with 412 additions and 424 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -63,3 +63,5 @@ yarn-error.log*
.vscode/*
frontend-build
*.tgz

BIN
docs/images/self-hosting/applicable-to-all/selfhost-signup.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 MiB

103
docs/mint.json
View File

@ -171,15 +171,7 @@
"pages": [
"self-hosting/deployment-options/standalone-infisical",
"self-hosting/deployment-options/docker-compose",
"self-hosting/deployment-options/kubernetes-helm",
"self-hosting/deployment-options/aws-ec2",
"self-hosting/deployment-options/aws-lightsail",
"self-hosting/deployment-options/gcp-cloud-run",
"self-hosting/deployment-options/azure-app-services",
"self-hosting/deployment-options/azure-container-instances",
"self-hosting/deployment-options/digital-ocean-marketplace",
"self-hosting/deployment-options/fly.io",
"self-hosting/deployment-options/railway"
"self-hosting/deployment-options/kubernetes-helm"
]
},
"self-hosting/configuration/envars",
@ -224,10 +216,6 @@
"infisical-agent/overview"
]
},
{
"group": "Integrations",
"pages": ["integrations/overview"]
},
{
"group": "Infrastructure Integrations",
"pages": [
@ -247,7 +235,7 @@
]
},
{
"group": "3rd-party Integrations",
"group": "Native Integrations",
"pages": [
{
"group": "AWS",
@ -260,39 +248,49 @@
"group": "Digital Ocean",
"pages": ["integrations/cloud/digital-ocean-app-platform"]
},
"integrations/cloud/heroku",
"integrations/cloud/vercel",
"integrations/cloud/netlify",
"integrations/cloud/render",
"integrations/cloud/railway",
"integrations/cloud/flyio",
"integrations/cloud/laravel-forge",
"integrations/cloud/supabase",
"integrations/cloud/northflank",
"integrations/cloud/hasura-cloud",
"integrations/cloud/terraform-cloud",
"integrations/cloud/cloudflare-pages",
"integrations/cloud/cloudflare-workers",
"integrations/cloud/qovery",
"integrations/cloud/hashicorp-vault",
"integrations/cloud/azure-key-vault",
"integrations/cloud/gcp-secret-manager",
"integrations/cloud/cloud-66",
"integrations/cloud/windmill"
{
"group": "View more",
"pages": [
"integrations/cloud/heroku",
"integrations/cloud/netlify",
"integrations/cloud/render",
"integrations/cloud/railway",
"integrations/cloud/flyio",
"integrations/cloud/laravel-forge",
"integrations/cloud/supabase",
"integrations/cloud/northflank",
"integrations/cloud/hasura-cloud",
"integrations/cloud/terraform-cloud",
"integrations/cloud/cloudflare-pages",
"integrations/cloud/cloudflare-workers",
"integrations/cloud/qovery",
"integrations/cloud/hashicorp-vault",
"integrations/cloud/cloud-66",
"integrations/cloud/windmill"
]
}
]
},
{
"group": "CI/CD Integrations",
"pages": [
"integrations/cloud/teamcity",
"integrations/cloud/checkly",
"integrations/cicd/githubactions",
"integrations/cicd/gitlab",
"integrations/cicd/circleci",
"integrations/cicd/travisci",
"integrations/cicd/bitbucket",
"integrations/cicd/codefresh",
"integrations/cicd/jenkins"
{
"group": "View more",
"pages": [
"integrations/cicd/circleci",
"integrations/cicd/travisci",
"integrations/cicd/bitbucket",
"integrations/cicd/codefresh",
"integrations/cicd/jenkins",
"integrations/cloud/checkly"
]
}
]
},
{
@ -302,20 +300,25 @@
"integrations/frameworks/react",
"integrations/frameworks/vue",
"integrations/frameworks/express",
"integrations/frameworks/nextjs",
"integrations/frameworks/nestjs",
"integrations/frameworks/sveltekit",
"integrations/frameworks/nuxt",
"integrations/frameworks/gatsby",
"integrations/frameworks/remix",
"integrations/frameworks/vite",
"integrations/frameworks/fiber",
"integrations/frameworks/django",
"integrations/frameworks/flask",
"integrations/frameworks/laravel",
"integrations/frameworks/rails",
"integrations/frameworks/dotnet",
"integrations/platforms/pm2"
{
"group": "View more",
"pages": [
"integrations/frameworks/nextjs",
"integrations/frameworks/nestjs",
"integrations/frameworks/sveltekit",
"integrations/frameworks/nuxt",
"integrations/frameworks/gatsby",
"integrations/frameworks/remix",
"integrations/frameworks/vite",
"integrations/frameworks/fiber",
"integrations/frameworks/django",
"integrations/frameworks/flask",
"integrations/frameworks/laravel",
"integrations/frameworks/rails",
"integrations/frameworks/dotnet",
"integrations/platforms/pm2"
]
}
]
},
{

4
docs/self-hosting/deployment-options/docker-compose.mdx
View File

@ -78,4 +78,6 @@ Run the command below to start Infisical and all related services.
docker-compose -f docker-compose.prod.yml up
```
Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.
Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.
![self host sign up](images/self-hosting/applicable-to-all/selfhost-signup.png)

318
docs/self-hosting/deployment-options/kubernetes-helm.mdx
View File

@ -1,163 +1,183 @@
---
title: "Kubernetes via Helm Chart"
description: "Use our Helm chart to Install Infisical on your Kubernetes cluster"
description: "Use Helm chart to install Infisical on your Kubernetes cluster"
---
**Prerequisites**
- You have understanding of [Kubernetes](https://kubernetes.io/)
- You have extensive understanding of [Kubernetes](https://kubernetes.io/)
- Installed [Helm package manager](https://helm.sh/) version v3.11.3 or greater
- You have [kubectl](https://kubernetes.io/docs/reference/kubectl/kubectl/) installed and connected to your kubernetes cluster
By deploying Infisical on Kubernetes, you can take advantage of its features to ensure that the application is fault-tolerant, highly available, and scalable.
To make the installation process easier and more streamlined, we have created a Helm chart that you can use to install Infisical on Kubernetes.
Helm is a package manager for Kubernetes that simplifies the installation and management of Kubernetes applications.
With our Helm chart, you can easily install Infisical on Kubernetes, configure it to your liking, and scale it up or down as needed.
## Install Infisical Helm repository
```bash
helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
helm repo update
```
## Add Helm values
Create a values.yaml file to configure various installation settings, such as the docker image tags and environment variables. To explore all configurable properties for your values file, [visit this page](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical).
#### Set image tags
By default, the application will use the `latest` docker image tag. This is okay for test environments; however, for production deployments it is important to pin your deployment to a particular docker image tag to prevent receiving unintended changes.
<Tip>
To find the latest version number of Infisical, click [here](https://hub.docker.com/r/infisical/infisical/tags)
</Tip>
```yaml simple-values-example.yaml
backend:
replicaCount: 2
image:
tag: "v0.39.5" # <--- update to the newest version found here https://hub.docker.com/r/infisical/infisical/tags
pullPolicy: Always
```
#### Configure environment variables
You can configure environment variables for your instance of Infisical though the Helm values file under the property `backendEnvironmentVariables`. View configurable [environment variables](../configuration/envars).
Infisical requires the following backend environment variables to be defined: _`ENCRYPTION_KEY`_, _`JWT_SIGNUP_SECRET`_, _`JWT_REFRESH_SECRET`_, _`JWT_AUTH_SECRET`_, _`JWT_MFA_SECRET`_ and _`JWT_SERVICE_SECRET`_.
<Info>
Each of the above environment variables can be generated by running the command `openssl rand -hex 16` in your terminal.
</Info>
However, when the above environment variables are not defined, the Helm chart
will automatically generate these environment variables for you. The generated environment variables will be saved to a Kubernetes secret and will be preserved between upgrades or uninstalls.
```yaml simple-values-example.yaml
...
backendEnvironmentVariables:
HTTPS_ENABLED: true
INVITE_ONLY_SIGNUP: false
...
```
<Info>
Infisical assumes that you have configured HTTPS. If you didn't configure HTTPS, set `HTTPS_ENABLED` to `false` in the backend environment variable to avoid frequent logouts.
</Info>
#### Routing external traffic
By default, Infisical takes all traffic coming to your external load balancer's IP address and routes them Infisical's services.
Infisical uses Nginx to route external traffic. You can install Nginx along with Infisical by setting `ingress.enabled` to `true` in the Helm values file. View all [properties for ingress](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical).
```yaml simple-values-example.yaml
...
ingress:
nginx:
enabled: true #<-- if you would like to install nginx along with Infisical
```
#### Database
Infisical uses a MongoDB as its persistence layer. With this Helm chart, a MongoDB instance is automatically spun up for use with Infisical.
When persistence is enabled, the data will be stored as Kubernetes Persistence Volume. View all [properties for mongodb](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical).
```yaml simple-values-example.yaml
mongodb:
enabled: true
persistence:
enabled: false
```
To achieve high availability and data redundancy, we recommend that you use a managed document database service such as AWS Document DB, MongoDB or similar services instead of the in cluster database.
Managed database connection string can be set in the `backendEnvironmentVariables`.
#### Example helm values
```yaml simple-values-example.yaml
backend:
replicaCount: 2
image:
tag: "v0.39.5"
pullPolicy: Always
backendEnvironmentVariables:
HTTPS_ENABLED: true
ingress:
nginx:
enabled: true
```
<Accordion title="Full helm values example">
```yaml values.yaml
ingress:
nginx:
enabled: true
backend:
enabled: true
name: backend
podAnnotations: {}
deploymentAnnotations: {}
replicaCount: 4
image:
tag: "v0.39.5"
pullPolicy: IfNotPresent
kubeSecretRef: null
service:
annotations: {}
type: ClusterIP
nodePort: ""
# View all environment variables https://infisical.com/docs/self-hosting/configuration/envars
backendEnvironmentVariables:
MONGO_URL: <>
HTTPS_ENABLED: <>
<Steps>
<Step title="Install Infisical Helm repository ">
```bash
helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
```
```
helm repo update
```
</Step>
<Step title="Add Helm values">
Create a `values.yaml` file. This will be used to configure settings for the Infisical Helm chart.
To explore all configurable properties for your values file, [visit this page](https://raw.githubusercontent.com/Infisical/infisical/main/helm-charts/infisical-standalone-postgres/values.yaml).
</Step>
<Step title="Select Infisical version">
By default, the Infisical version set in your helm chart will likely be outdated.
Choose the latest Infisical docker image tag from here [here](https://hub.docker.com/r/infisical/infisical/tags).
## Mongo DB persistence
mongodb:
enabled: true
persistence:
enabled: true
```
</Accordion>
```yaml values.yaml
infisical:
image:
repository: infisical/infisical
tag: "v0.46.2-postgres" #<-- update
pullPolicy: IfNotPresent
```
<Warning>
Do you not use the latest docker image tag in production deployments as they can introduce unexpected changes
</Warning>
</Step>
## Install the Helm chart
<Step title="Configure environment variables">
By default, the helm chart will be installed on your default namespace. If you wish to install the Chart on a different namespace, you may specify
that by adding the `--namespace <namespace-to-install-to>` to your `helm install` command.
To deploy this Helm chart, a Kubernetes secret named `infisical-secrets` must be present in the same namespace where the chart is being deployed.
```bash
## Installs to default namespace
helm install infisical-helm-charts/infisical --generate-name --values /path/to/values.yaml
```
For a minimal installation of Infisical, you need to configure `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI`, and `REDIS_URL`. [Learn more about configuration settings](/self-hosting/configuration/envars).
## Access Infisical
Allow 3-5 minutes for the deployment to complete. Once done, you should now be able to access Infisical on the IP address exposed via Ingress on your load balancer. If you are not sure what the IP address is run `kubectl get ingress` to view the external IP address exposing Infisical.
<Info>
Once installation is complete, you will have to create the first account. No default account is provided.
</Info>
## Related blogs
- [Set up Infisical in a development cluster](https://iamunnip.hashnode.dev/infisical-open-source-secretops-kubernetes-setup)
<Tabs>
<Tab title="Proof of concept deployment">
For test or proof-of-concept purposes, you may omit `DB_CONNECTION_URI` and `REDIS_URL` from `infisical-secrets`. This is because the Helm chart will automatically provision and connect to the in-cluster instances of Postgres and Redis by default.
</Tab>
<Tab title="Production deployment">
For production environments, we recommend using Cloud-based Platform as a Service (PaaS) solutions for PostgreSQL and Redis to ensure high availability. In on-premise setups, it's recommended to configure Redis and Postgres for high availability, either by using Bitnami charts or a custom configuration.
</Tab>
</Tabs>
```yaml simple-values-example.yaml
apiVersion: v1
kind: Secret
metadata:
name: infisical-secrets
type: Opaque
stringData:
AUTH_SECRET: <>
ENCRYPTION_KEY: <>
REDIS_URL: <>
DB_CONNECTION_URI: <>
```
</Step>
<Step title="Database schema migration ">
Infisical relies a relational database, which means that database schemas need to be migrated before the instance can become operational.
To automate this process, the chart includes a option named `infisical.autoDatabaseSchemaMigration`.
When this option is enabled, a deployment/upgrade will only occur _after_ a successful schema migration.
<Info>
If you are using in-cluster Postgres, you may notice the migration job failing initially.
This is expected as it is waiting for the database to be in ready state.
</Info>
</Step>
<Step title="Routing traffic to Infisical">
By default, this chart uses Nginx as its Ingress controller to direct traffic to Infisical services.
```yaml values.yaml
ingress:
nginx:
enabled: true
```
</Step>
<Step title="Install the Helm chart ">
Once you are done configuring your `values.yaml` file, run the command below.
```bash
helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
```
<Accordion title="Full helm values example">
```yaml values.yaml
nameOverride: "infisical"
fullnameOverride: "infisical"
infisical:
enabled: true
name: infisical
autoDatabaseSchemaMigration: true
fullnameOverride: ""
podAnnotations: {}
deploymentAnnotations: {}
replicaCount: 6
image:
repository: infisical/infisical
tag: "v0.46.2-postgres"
pullPolicy: IfNotPresent
affinity: {}
kubeSecretRef: "infisical-secrets"
service:
annotations: {}
type: ClusterIP
nodePort: ""
resources:
limits:
memory: 210Mi
requests:
cpu: 200m
ingress:
enabled: true
hostName: ""
ingressClassName: nginx
nginx:
enabled: true
annotations: {}
tls: []
postgresql:
enabled: true
name: "postgresql"
fullnameOverride: "postgresql"
auth:
username: infisical
password: root
database: infisicalDB
redis:
enabled: true
name: "redis"
fullnameOverride: "redis"
cluster:
enabled: false
usePassword: true
auth:
password: "mysecretpassword"
architecture: standalone
```
</Accordion>
</Step>
<Step title="Access Infisical">
After deployment, please wait for 2-5 minutes for all pods to reach a running state. Once a significant number of pods are operational, access the IP address revealed through Ingress by your load balancer.
You can find the IP address/hostname by executing the command `kubectl get ingress`.
![self host sign up](images/self-hosting/applicable-to-all/selfhost-signup.png)
</Step>
<Step title="Upgrade your instance">
To upgrade your instance of Infisical simply update the docker image tag in your Halm values and rerun the command below.
```bash
helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
```
<Tip>
Always back up your database before each upgrade, especially in a production environment
</Tip>
</Step>
</Steps>

10
docs/self-hosting/deployment-options/standalone-infisical.mdx
View File

@ -28,9 +28,11 @@ The following guide provides a detailed step-by-step walkthrough on how you can
</Step>
<Step title="Start Infisical">
For a minimal installation of Infisical, you must configure `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI`, and `REDIS_URL`.
[View all available configurations](/self-hosting/configuration/envars).
For a minimal installation of Infisical, you must configure `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI`, and `REDIS_URL`. [View all available configurations](/self-hosting/configuration/envars).
We recommend using Cloud-based Platform as a Service (PaaS) solutions for PostgreSQL and Redis to ensure high availability.
Once you have added the required environment variables to your docker run command, execute it in your terminal to get Infisical up and running.
For example:
@ -48,7 +50,9 @@ The following guide provides a detailed step-by-step walkthrough on how you can
The above environment variable values are only to be used as an example and should not be used in production
</Warning>
Once the container is running, verify the installation by opening your web browser and navigating to `http://localhost:80`.
Once the container is running, verify the installation by opening your web browser and navigating to `http://localhost:80`.
![self host sign up](images/self-hosting/applicable-to-all/selfhost-signup.png)
</Step>
</Steps>

10
docs/self-hosting/faq.mdx
View File

@ -15,13 +15,3 @@ However, in the event you choose to use Infisical without SSL, you can do so by
[Learn more about secure cookies](https://really-simple-ssl.com/definition/what-are-secure-cookies/)
</Accordion>
<Accordion title="Is self hosted Infisical HA?">
Infisical leverages the robust container orchestration capabilities of Kubernetes and the inherent high availability features of Bitnami MongoDB to ensure resilience and fault tolerance.
By deploying multiple replicas of Infisical application on Kubernetes, operations can continue even if a single instance fails.
Additionally, Bitnami MongoDB supports replica sets, which provide data redundancy and automatic failover for the underlying database.
Kubernetes Services facilitate load balancing, effectively distributing traffic across your application's instances and ensuring optimal performance.
The combination of Kubernetes' self-healing mechanisms and Bitnami MongoDB's failover capabilities work together to create a highly available and fault-tolerant application capable of recovering gracefully from unexpected failures.
To further increase data redundancy, we recommend that you use a managed MongoDB service for your self hosted instance of Infisical.
</Accordion>

56
docs/self-hosting/overview.mdx
View File

@ -14,13 +14,6 @@ Choose from a variety of deployment options listed below to get started.
Use the fully packaged docker image to deploy Infisical anywhere
</Card>
<CardGroup cols={2}>
<Card
title="Digital Ocean"
color="#16a34a"
href="deployment-options/digital-ocean-marketplace"
>
Automatically create and deploy Infisical on to a Kubernetes cluster
</Card>
<Card
title="Docker Compose"
color="#0285c7"
@ -35,53 +28,4 @@ Choose from a variety of deployment options listed below to get started.
>
Use our Helm chart to Install Infisical on your Kubernetes cluster
</Card>
<Card
title="AWS EC2"
color="#0285c7"
href="deployment-options/aws-ec2"
>
Install infisical with just a few clicks using our Cloud Formation template
</Card>
<Card
title="AWS Lightsail"
color="#0285c7"
href="deployment-options/aws-lightsail"
>
Deploy Infisical with AWS Lightsail
</Card>
<Card
title="GCP Cloud Run"
color="#ea5a0c"
href="deployment-options/gcp-cloud-run"
>
Deploy Infisical with GCP Cloud Run
</Card>
<Card
title="Azure App Services"
color="#ea5a0c"
href="deployment-options/azure-app-services"
>
Deploy Infisical with Azure App Services
</Card>
<Card
title="Azure Container Instances"
color="#ea5a0c"
href="deployment-options/azure-container-instances"
>
Deploy Infisical with Azure Container Instances
</Card>
<Card
title="Fly.io"
color="#ea5a0c"
href="deployment-options/fly.io"
>
Deploy Infisical with Fly.io
</Card>
<Card
title="Railway"
color="#ea5a0c"
href="deployment-options/railway"
>
Deploy Infisical with Railway
</Card>
</CardGroup>

4
helm-charts/infisical-standalone-postgres/.gitignore vendored
View File

@ -1,4 +0,0 @@
charts/
node_modules/
package*.json
*.bak

23
helm-charts/infisical-standalone-postgres/.helmignore
View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

16
helm-charts/infisical-standalone-postgres/Chart.lock
View File

@ -1,6 +1,12 @@
dependencies:
- name: ingress-nginx
repository: https://kubernetes.github.io/ingress-nginx
version: 4.0.13
digest: sha256:5d15260ba09f284ec40b254d79cd16bb80abd641fe14809a2de19d24c7920221
generated: "2024-01-26T20:15:50.215645-05:00"
- name: ingress-nginx
repository: https://kubernetes.github.io/ingress-nginx
version: 4.0.13
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 14.1.3
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 18.14.0
digest: sha256:296e0ef65914eea70af7e7904188b2efa37089c785305109abc70b7bed42306b
generated: "2024-02-20T01:25:47.224526-05:00"

12
helm-charts/infisical-standalone-postgres/Chart.yaml
View File

@ -7,16 +7,24 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.0.1
version: 1.0.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.0.1"
appVersion: "1.0.0"
dependencies:
- name: ingress-nginx
version: 4.0.13
repository: https://kubernetes.github.io/ingress-nginx
condition: ingress.nginx.enabled
- name: postgresql
version: 14.1.3
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled
- name: redis
version: 18.14.0
repository: https://charts.bitnami.com/bitnami
condition: redis.enabled

2
helm-charts/infisical-standalone-postgres/templates/NOTES.txt
View File

@ -20,6 +20,8 @@
│ Current installation (infisical) :
│ • infisical : {{ .Values.infisical.enabled }}
| • nginx : {{ .Values.ingress.nginx.enabled }}
| • Postgres DB : {{ .Values.postgresql.enabled }}
| • Redis : {{ .Values.redis.enabled }}
╰―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――┤

50
helm-charts/infisical-standalone-postgres/templates/_helpers.tpl
View File

@ -30,7 +30,6 @@ heritage: {{ .Release.Service }}
{{ include "infisical.common.metaLabels" . }}
{{- end -}}
{{- define "infisical.labels" -}}
{{ include "infisical.matchLabels" . }}
{{ include "infisical.common.metaLabels" . }}
@ -57,3 +56,52 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "infisical.postgresService" -}}
{{- if .Values.postgresql.fullnameOverride -}}
{{- .Values.postgresql.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-postgresql" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "infisical.postgresDBConnectionString" -}}
{{- $dbUsername := .Values.postgresql.auth.username -}}
{{- $dbPassword := .Values.postgresql.auth.password -}}
{{- $dbName := .Values.postgresql.auth.database -}}
{{- $serviceName := include "infisical.postgresService" . -}}
{{- printf "postgresql://%s:%s@%s:5432/%s" $dbUsername $dbPassword $serviceName $dbName -}}
{{- end -}}
{{/*
Create a fully qualified redis name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "infisical.redis.fullname" -}}
{{- if .Values.redis.fullnameOverride -}}
{{- .Values.redis.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-%s" .Release.Name .Values.redis.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.redis.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "infisical.redisServiceName" -}}
{{- if .Values.redis.fullnameOverride -}}
{{- printf "%s-master" .Values.redis.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-master" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "infisical.redisConnectionString" -}}
{{- $password := .Values.redis.auth.password -}}
{{- $serviceName := include "infisical.redisServiceName" . -}}
{{- printf "redis://default:%s@%s:6379" $password "redis-master" -}}
{{- end -}}

24
helm-charts/infisical-standalone-postgres/templates/infisical-deployment.yaml → helm-charts/infisical-standalone-postgres/templates/infisical.yaml
View File

@ -28,10 +28,19 @@ spec:
{{- with $infisicalValues.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if $infisicalValues.autoDatabaseSchemaMigration }}
initContainers:
- name: "migration-init"
image: "groundnuty/k8s-wait-for:1.3"
imagePullPolicy: {{ $infisicalValues.image.pullPolicy }}
args:
- "job"
- "{{ .Release.Name }}-schema-migration-{{ .Release.Revision }}"
{{- end }}
containers:
- name: {{ template "infisical.name" . }}-{{ $infisicalValues.name }}
image: "{{ $infisicalValues.image.repository }}:{{ $infisicalValues.image.tag | default "latest" }}"
image: "{{ $infisicalValues.image.repository }}:{{ $infisicalValues.image.tag }}"
imagePullPolicy: {{ $infisicalValues.image.pullPolicy }}
readinessProbe:
httpGet:
@ -41,9 +50,18 @@ spec:
periodSeconds: 5
ports:
- containerPort: 8080
env:
{{- if .Values.postgresql.enabled }}
- name: DB_CONNECTION_URI
value: {{ include "infisical.postgresDBConnectionString" . }}
{{- end }}
{{- if .Values.redis.enabled }}
- name: REDIS_URL
value: {{ include "infisical.redisConnectionString" . }}
{{- end }}
envFrom:
- secretRef:
name: {{ $infisicalValues.kubeSecretRef | default (include "infisical.fullname" .) }}
name: {{ $infisicalValues.kubeSecretRef }}
{{- if $infisicalValues.resources }}
resources: {{- toYaml $infisicalValues.resources | nindent 12 }}
{{- end }}
@ -66,7 +84,7 @@ spec:
ports:
- protocol: TCP
port: 8080
targetPort: 8080 # container port
targetPort: 8080
{{- if eq $infisicalValues.service.type "NodePort" }}
nodePort: {{ $infisicalValues.service.nodePort }}
{{- end }}

50
helm-charts/infisical-standalone-postgres/templates/ingress.yaml
View File

@ -1,50 +0,0 @@
{{ if .Values.ingress.enabled }}
{{- $ingress := .Values.ingress }}
{{- if and $ingress.ingressClassName (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey $ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set $ingress.annotations "kubernetes.io/ingress.class" $ingress.ingressClassName}}
{{- end }}
{{- end }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: infisical-ingress
{{- with $ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and $ingress.ingressClassName (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ $ingress.ingressClassName | default "nginx" }}
{{- end }}
{{- if $ingress.tls }}
tls:
{{- range $ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ include "infisical.fullname" . }}
port:
number: 8080
- path: /ss-webhook
pathType: Exact
backend:
service:
name: {{ include "infisical.fullname" . }}
port:
number: 8080
{{- if $ingress.hostName }}
host: {{ $ingress.hostName }}
{{- end }}
{{ end }}

20
helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: k8s-wait-for-infisical-schema-migration
rules:
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: default
subjects:
- kind: ServiceAccount
name: {{ .Release.Namespace }}
roleRef:
kind: Role
name: k8s-wait-for-infisical-schema-migration
apiGroup: rbac.authorization.k8s.io

32
helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- $infisicalValues := .Values.infisical }}
{{- if $infisicalValues.autoDatabaseSchemaMigration }}
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-schema-migration-{{ .Release.Revision }}"
labels:
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
backoffLimit: 10
template:
metadata:
name: "{{ .Release.Name }}-create-tables"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
restartPolicy: OnFailure
containers:
- name: infisical-schema-migration
image: "{{ $infisicalValues.image.repository }}:{{ $infisicalValues.image.tag }}"
command: ["npm", "run", "migration:latest"]
env:
{{- if .Values.postgresql.enabled }}
- name: DB_CONNECTION_URI
value: {{ include "infisical.postgresDBConnectionString" . }}
{{- end }}
envFrom:
- secretRef:
name: {{ $infisicalValues.kubeSecretRef }}
{{- end }}

100
helm-charts/infisical-standalone-postgres/values.yaml
View File

@ -1,96 +1,62 @@
## @section Common parameters
##
## @param nameOverride Override release name
##
nameOverride: ""
## @param fullnameOverride Override release fullname
##
fullnameOverride: ""
## @section Infisical backend parameters
## Documentation : https://infisical.com/docs/self-hosting/deployments/kubernetes
##
infisical:
## @param backend.enabled Enable backend
##
enabled: true
## @param backend.name Backend name
##
name: infisical
## @param backend.fullnameOverride Backend fullnameOverride
##
autoDatabaseSchemaMigration: true
fullnameOverride: ""
## @param backend.podAnnotations Backend pod annotations
##
podAnnotations: {}
## @param backend.deploymentAnnotations Backend deployment annotations
##
deploymentAnnotations: {}
## @param backend.replicaCount Backend replica count
##
replicaCount: 2
## Backend image parameters
##
image:
## @param backend.image.repository Backend image repository
##
repository: akhilmhdh/destruction
## @param backend.image.tag Backend image tag
##
tag: "latest"
## @param backend.image.pullPolicy Backend image pullPolicy
##
repository: infisical/infisical
tag: "v0.46.3-postgres"
pullPolicy: IfNotPresent
## @param backend.affinity Backend pod affinity
##
affinity: {}
## @param backend.kubeSecretRef Backend secret resource reference name (containing required [backend configuration variables](https://infisical.com/docs/self-hosting/configuration/envars))
##
kubeSecretRef: ""
## Backend service
##
kubeSecretRef: "infisical-secrets"
service:
## @param backend.service.annotations Backend service annotations
##
annotations: {}
## @param backend.service.type Backend service type
##
type: ClusterIP
## @param backend.service.nodePort Backend service nodePort (used if above type is `NodePort`)
##
nodePort: ""
## @section Ingress parameters
##
resources:
limits:
memory: 210Mi
requests:
cpu: 200m
ingress:
## @param ingress.enabled Enable ingress
##
enabled: true
## @param ingress.ingressClassName Ingress class name
##
hostName: ""
ingressClassName: nginx
## @param ingress.nginx.enabled Ingress controller
##
nginx:
enabled: true
## @param ingress.annotations Ingress annotations
##
annotations:
{}
# kubernetes.io/ingress.class: "nginx"
# cert-manager.io/issuer: letsencrypt-nginx
## @param ingress.hostName Ingress hostname (your custom domain name, e.g. `infisical.example.org`)
## Replace with your own domain
##
hostName: ""
## @param ingress.tls Ingress TLS hosts (matching above hostName)
## Replace with your own domain
##
annotations: {}
tls:
[]
# - secretName: letsencrypt-prod
# hosts:
# - some.domain.com
postgresql:
enabled: true
name: "postgresql"
fullnameOverride: "postgresql"
auth:
username: infisical
password: root
database: infisicalDB
redis:
enabled: true
name: "redis"
fullnameOverride: "redis"
cluster:
enabled: false
usePassword: true
auth:
password: "mysecretpassword"
architecture: standalone