Merge remote-tracking branch 'origin' into service-account

Tuan Dang
2023-04-04 11:08:57 +03:00
15 changed files with 429 additions and 294 deletions


@ -1,6 +1,6 @@
# Description 📣
*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*
<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
## Type ✨
@ -11,7 +11,7 @@
# Tests 🛠️
*Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible*
<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible -->
```sh
# Here's some code block to paste some code snippets


@ -35,101 +35,7 @@ Self-hosted Infisical allows you to maintain your sensitive information within y
- You have [kubectl](https://kubernetes.io/docs/reference/kubectl/kubectl/) installed and connected to your kubernetes cluster
#### 1. Fill our environment variables
Before you can deploy the Helm chart, you must fill out the required environment variables. To do so, please copy the below file to a `.yaml` file.
Refer to the available [environment variables](/self-hosting/configuration/envars) to learn more
<Accordion title="values.yaml">
[View all available Helm chart values parameters](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical)
```yaml
frontend:
enabled: true
name: frontend
podAnnotations: {}
deploymentAnnotations: {}
replicaCount: 2
image:
repository: infisical/frontend
tag: "latest"
pullPolicy: IfNotPresent
kubeSecretRef: ""
service:
annotations: {}
type: ClusterIP
nodePort: ""
frontendEnvironmentVariables:
SITE_URL: infisical.local
backend:
enabled: true
name: backend
podAnnotations: {}
deploymentAnnotations: {}
replicaCount: 2
image:
repository: infisical/backend
tag: "latest"
pullPolicy: IfNotPresent
kubeSecretRef: ""
service:
annotations: {}
type: ClusterIP
nodePort: ""
backendEnvironmentVariables:
ENCRYPTION_KEY: MUST_REPLACE
JWT_SIGNUP_SECRET: MUST_REPLACE
JWT_REFRESH_SECRET: MUST_REPLACE
JWT_AUTH_SECRET: MUST_REPLACE
JWT_SERVICE_SECRET: MUST_REPLACE
SMTP_HOST: MUST_REPLACE
SMTP_PORT: 587
SMTP_SECURE: false
SMTP_FROM_NAME: Infisical
SMTP_FROM_ADDRESS: MUST_REPLACE
SMTP_USERNAME: MUST_REPLACE
SMTP_PASSWORD: MUST_REPLACE
SITE_URL: infisical.local
## Mongo DB persistence
mongodb:
enabled: true
## By default the backend will be connected to a Mongo instance within the cluster
## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
mongodbConnection:
externalMongoDBConnectionString: ""
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx"
# cert-manager.io/issuer: letsencrypt-nginx
hostName: infisical.local ## <- Replace with your own domain
frontend:
path: /
pathType: Prefix
backend:
path: /api
pathType: Prefix
tls: []
# - secretName: letsencrypt-nginx
# hosts:
# - infisical.local
mailhog:
enabled: false
```
</Accordion>
Once you have a local copy of the values file, fill our the required environment variables and save the file.
#### 2. Install Infisical Helm repository
#### 1. Install Infisical Helm repository
```bash
helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
@ -137,23 +43,22 @@ Self-hosted Infisical allows you to maintain your sensitive information within y
helm repo update
```
#### 3. Install the Helm chart
#### 2. Install the Helm chart
By default, the helm chart will be installed on your default namespace. If you wish to install the Chart on a different namespace, you may specify
that by adding the `--namespace <namespace-to-install-to>` to your `helm install` command.
```bash
## Installs to default namespace
helm install infisical-helm-charts/infisical --generate-name --values <path to the values.yaml you downloaded/created in step 2>
helm install infisical-helm-charts/infisical --generate-name
```
<Note>
If you have not filled out all of the required environment variables, you will see an error message prompting you to
do so.
</Note>
#### 4. Your Infisical installation is complete and should be running on the host name you specified in Ingress in `values.yaml`.
#### 3. Access Infisical
Allow 3-5 minutes for the deployment to complete. Once done, you should now be able to access Infisical on the IP address exposed via Ingress on your load balancer. If you are not sure what the IP address is run `kubectl get ingress` to view the external IP address exposing Infisical.
#### Custom configuration
To configure environment variables, database and deployments, you'll need to set the parameters in a `values.yaml` file. To view all available parameters [visit here](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical#parameters)
</Tab>
<Tab title="Bare Docker Compose">
1. Install Docker on your VM


@ -36,4 +36,4 @@ Steps to update the documentation :
1. `npm install ./readme-generator-for-helm`
1. `npm exec readme-generator -- --readme README.md --values values.yaml`
- It'll insert the table below the `## Parameters` title
- It'll output errors if some of the path aren't documented
- It'll output errors if some of the path aren't documented


@ -1,3 +1,4 @@
charts/
node_modules/
package*.json
package*.json
*.bak


@ -1,9 +1,9 @@
dependencies:
- name: mongodb
repository: https://charts.bitnami.com/bitnami
version: 13.6.7
version: 13.9.1
- name: mailhog
repository: https://codecentric.github.io/helm-charts
version: 5.2.3
digest: sha256:a54ae9ee60775f6f1aa916b59aee55b3ed5234b6bd88185fcb118b7f69539d70
generated: "2023-02-13T14:13:27.525541038+01:00"
digest: sha256:1ddb3ffef899859222b72547657f57ea303e768d67886a4a57edcb0f773ea83f
generated: "2023-03-14T12:58:34.387144895+01:00"


@ -7,7 +7,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.15
version: 0.1.16
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
@ -17,7 +17,7 @@ appVersion: "1.17.0"
dependencies:
- name: mongodb
version: "~13.6.7"
version: "~13.9.1"
repository: "https://charts.bitnami.com/bitnami"
condition: mongodb.enabled
- name: mailhog


@ -6,7 +6,7 @@ This is the Infisical application Helm chart. This chart includes the following
| ---------- | ----------------------------------- |
| `frontend` | Infisical's Web UI |
| `backend` | Infisical's API |
| `mongodb` | Infisical's local database |
| `mongodb` | Infisical's database |
| `mailhog` | Infisical's development SMTP server |
## Installation
@ -36,6 +36,19 @@ helm upgrade --install --atomic \
infisical infisical/infisical
```
### Backup up encryption keys
If you did not explicitly set required environment variables, this helm chart will auto-generated them by default. It's recommended to save these credentials somewhere safe. Run the following command in your cluster where Infisical chart is installed.
This command requires [`jq`](https://stedolan.github.io/jq/download/)
```sh
# export secrets to a given file (requires jq)
kubectl get secrets -n <namespace> <secret-name> \
-o json | jq '.data | map_values(@base64d)' > \
<dest-filename>.bak
```
## Parameters
### Common parameters
@ -68,34 +81,37 @@ helm upgrade --install --atomic \
### Infisical backend parameters
| Name | Description | Value |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- |
| `backend.enabled` | Enable backend | `true` |
| `backend.name` | Backend name | `backend` |
| `backend.fullnameOverride` | Backend fullnameOverride | `""` |
| `backend.podAnnotations` | Backend pod annotations | `{}` |
| `backend.deploymentAnnotations` | Backend deployment annotations | `{}` |
| `backend.replicaCount` | Backend replica count | `2` |
| `backend.image.repository` | Backend image repository | `infisical/backend` |
| `backend.image.tag` | Backend image tag | `latest` |
| `backend.image.pullPolicy` | Backend image pullPolicy | `IfNotPresent` |
| `backend.kubeSecretRef` | Backend secret resource reference name (containing required [backend configuration variables](https://infisical.com/docs/self-hosting/configuration/envars)) | `""` |
| `backend.service.annotations` | Backend service annotations | `{}` |
| `backend.service.type` | Backend service type | `ClusterIP` |
| `backend.service.nodePort` | Backend service nodePort (used if above type is `NodePort`) | `""` |
| `backendEnvironmentVariables.ENCRYPTION_KEY` | **Required** Backend encryption key (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057)) | `MUST_REPLACE` |
| `backendEnvironmentVariables.JWT_SIGNUP_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057)) | `MUST_REPLACE` |
| `backendEnvironmentVariables.JWT_REFRESH_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057)) | `MUST_REPLACE` |
| `backendEnvironmentVariables.JWT_AUTH_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057)) | `MUST_REPLACE` |
| `backendEnvironmentVariables.JWT_SERVICE_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057)) | `MUST_REPLACE` |
| `backendEnvironmentVariables.SMTP_HOST` | **Required** Hostname to connect to for establishing SMTP connections | `MUST_REPLACE` |
| `backendEnvironmentVariables.SMTP_PORT` | Port to connect to for establishing SMTP connections | `587` |
| `backendEnvironmentVariables.SMTP_SECURE` | If true, use TLS when connecting to host. If false, TLS will be used if STARTTLS is supported | `false` |
| `backendEnvironmentVariables.SMTP_FROM_NAME` | Name label to be used in From field (e.g. Infisical) | `Infisical` |
| `backendEnvironmentVariables.SMTP_FROM_ADDRESS` | **Required** Email address to be used for sending emails (e.g. dev@infisical.com) | `MUST_REPLACE` |
| `backendEnvironmentVariables.SMTP_USERNAME` | **Required** Credential to connect to host (e.g. team@infisical.com) | `MUST_REPLACE` |
| `backendEnvironmentVariables.SMTP_PASSWORD` | **Required** Credential to connect to host | `MUST_REPLACE` |
| `backendEnvironmentVariables.SITE_URL` | Absolute URL including the protocol (e.g. https://app.infisical.com) | `infisical.local` |
| Name | Description | Value |
| ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `backend.enabled` | Enable backend | `true` |
| `backend.name` | Backend name | `backend` |
| `backend.fullnameOverride` | Backend fullnameOverride | `""` |
| `backend.podAnnotations` | Backend pod annotations | `{}` |
| `backend.deploymentAnnotations` | Backend deployment annotations | `{}` |
| `backend.replicaCount` | Backend replica count | `2` |
| `backend.image.repository` | Backend image repository | `infisical/backend` |
| `backend.image.tag` | Backend image tag | `latest` |
| `backend.image.pullPolicy` | Backend image pullPolicy | `IfNotPresent` |
| `backend.kubeSecretRef` | Backend secret resource reference name (containing required [backend configuration variables](https://infisical.com/docs/self-hosting/configuration/envars)) | `""` |
| `backend.service.annotations` | Backend service annotations | `{}` |
| `backend.service.type` | Backend service type | `ClusterIP` |
| `backend.service.nodePort` | Backend service nodePort (used if above type is `NodePort`) | `""` |
| `backendEnvironmentVariables.ENCRYPTION_KEY` | **Required** Backend encryption key (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret) | `""` |
| `backendEnvironmentVariables.JWT_SIGNUP_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret) | `""` |
| `backendEnvironmentVariables.JWT_REFRESH_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret) | `""` |
| `backendEnvironmentVariables.JWT_AUTH_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret) | `""` |
| `backendEnvironmentVariables.JWT_SERVICE_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret) | `""` |
| `backendEnvironmentVariables.JWT_MFA_SECRET` | **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret) | `""` |
| `backendEnvironmentVariables.SMTP_HOST` | **Required** Hostname to connect to for establishing SMTP connections | `""` |
| `backendEnvironmentVariables.SMTP_PORT` | Port to connect to for establishing SMTP connections | `587` |
| `backendEnvironmentVariables.SMTP_SECURE` | If true, use TLS when connecting to host. If false, TLS will be used if STARTTLS is supported | `false` |
| `backendEnvironmentVariables.SMTP_FROM_NAME` | Name label to be used in From field (e.g. Infisical) | `Infisical` |
| `backendEnvironmentVariables.SMTP_FROM_ADDRESS` | **Required** Email address to be used for sending emails (e.g. dev@infisical.com) | `""` |
| `backendEnvironmentVariables.SMTP_USERNAME` | **Required** Credential to connect to host (e.g. team@infisical.com) | `""` |
| `backendEnvironmentVariables.SMTP_PASSWORD` | **Required** Credential to connect to host | `""` |
| `backendEnvironmentVariables.SITE_URL` | Absolute URL including the protocol (e.g. https://app.infisical.com) | `infisical.local` |
| `backendEnvironmentVariables.INVITE_ONLY_SIGNUP` | To disable account creation from the login page (invites only) | `false` |
| `backendEnvironmentVariables.MONGO_URL` | MongoDB connection string (external or internal)</br>Leave it empty for auto-generated connection string | `""` |
### MongoDB(&reg;) parameters
@ -112,26 +128,42 @@ helm upgrade --install --atomic \
| `mongodb.image.repository` | MongoDB(&reg;) image registry | `bitnami/mongodb` |
| `mongodb.image.tag` | MongoDB(&reg;) image tag (immutable tags are recommended) | `6.0.4-debian-11-r0` |
| `mongodb.image.pullPolicy` | MongoDB(&reg;) image pull policy | `IfNotPresent` |
| `mongodb.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `mongodb.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `mongodb.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
| `mongodb.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
| `mongodb.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `mongodb.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `mongodb.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `mongodb.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `mongodb.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `mongodb.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` |
| `mongodb.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `mongodb.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `mongodb.service.annotations` | Service annotations | `{}` |
| `mongodb.auth.enabled` | Enable custom authentication | `true` |
| `mongodb.auth.usernames` | Custom usernames list ([special characters warning](https://www.mongodb.com/docs/manual/reference/connection-string/#standard-connection-string-format)) | `["infisical"]` |
| `mongodb.auth.passwords` | Custom passwords list, match the above usernames order ([special characters warning](https://www.mongodb.com/docs/manual/reference/connection-string/#standard-connection-string-format)) | `["infisical"]` |
| `mongodb.auth.databases` | Custom databases list ([special characters warning](https://www.mongodb.com/docs/manual/reference/connection-string/#standard-connection-string-format)) | `["infisical"]` |
| `mongodb.auth.rootUser` | Database root user name | `root` |
| `mongodb.auth.rootPassword` | Database root user password | `root` |
| `mongodb.persistence.enabled` | Enable database persistence | `true` |
| `mongodb.persistence.existingClaim` | Existing persistent volume claim name | `""` |
| `mongodb.persistence.resourcePolicy` | Keep the persistent volume even on deletion (`keep` or `""`) | `keep` |
| `mongodb.persistence.accessModes` | Persistent volume access modes | `["ReadWriteOnce"]` |
| `mongodb.persistence.size` | Persistent storage request size | `8Gi` |
| `mongodbConnection.externalMongoDBConnectionString` | External MongoDB connection string | `""` |
| `mongodbConnection.externalMongoDBConnectionString` | Deprecated :warning: External MongoDB connection string</br>Use backendEnvironmentVariables.MONGO_URL instead | `""` |
### Ingress parameters
| Name | Description | Value |
| ------------------ | ------------------------------------------- | ----------------- |
| `ingress.enabled` | Enable ingress | `true` |
| `ingress.hostName` | Ingress hostname (your custom domain name) | `infisical.local` |
| `ingress.tls` | Ingress TLS hosts (matching above hostName) | `[]` |
| Name | Description | Value |
| -------------------------- | ------------------------------------------------------------------------ | ------- |
| `ingress.enabled` | Enable ingress | `true` |
| `ingress.ingressClassName` | Ingress class name | `nginx` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.hostName` | Ingress hostname (your custom domain name, e.g. `infisical.example.org`) | `""` |
| `ingress.tls` | Ingress TLS hosts (matching above hostName) | `[]` |
### Mailhog parameters
@ -152,7 +184,7 @@ helm upgrade --install --atomic \
| `mailhog.ingress.labels` | Ingress labels | `{}` |
| `mailhog.ingress.hosts[0].host` | Mailhog host | `mailhog.infisical.local` |
Learn more in our [docs](https://infisical.com/docs/self-hosting/deployments/kubernetes)
## Persistence
@ -185,32 +217,37 @@ Below example will deploy the following :
- The corresponding IP will depend on the tool or the way you're exposing the services ([learn more](https://minikube.sigs.k8s.io/docs/handbook/host-access/))
- [**mailhog.infisical.local**](https://mailhog.infisical.local)
- Local SMTP server used to receive the signup verification code
- Local SMTP server used to receive the emails (e.g. signup verification code)
- You may have to add `mailhog.infisical.local` to your `/etc/hosts` or similar depending your OS
- The corresponding IP will depend on the tool or the way you're exposing the services ([learn more](https://minikube.sigs.k8s.io/docs/handbook/host-access/))
Use below values to setup a local development environment, adapt those variables as you need
#### TL;DR
If you're running a k8s cluster with `ingress-nginx`, you can run one of the below scripts :
```sh
# With 'kind' + 'helm', to create a local cluster and deploy the chart
./examples.local-kind.sh
# With 'helm' only, if you already have a cluster to deploy the chart
./examples.local-helm.sh
```
#### Instructions
Here's the step-by-step instructions to setup your local development environment. First create the below file :
```yaml
# values.dev.yaml
# Enable all services for local development
frontend:
enabled: true
backend:
enabled: true
mongodb:
enabled: true
# Enable mailhog for local development
mailhog:
enabled: true
# Configure backend development variables (required)
backendEnvironmentVariables:
ENCRYPTION_KEY: 6c1fe4e407b8911c104518103505b218
JWT_AUTH_SECRET: 4be6ba5602e0fa0ac6ac05c3cd4d247f
JWT_REFRESH_SECRET: 5f2f3c8f0159068dc2bbb3a652a716ff
JWT_SERVICE_SECRET: f32f716d70a42c5703f4656015e76200
JWT_SIGNUP_SECRET: 3679e04ca949f914c03332aaaeba805a
SITE_URL: https://infisical.local
SMTP_FROM_ADDRESS: dev@infisical.local
SMTP_FROM_NAME: Local Infisical
@ -240,6 +277,65 @@ helm upgrade --install --atomic \
## Upgrading
### 1.15.0
Find the chart upgrade instructions below. When upgrading from your version to one of the listed below, please follow every instructions in between.
Refactoring in progress, instructions are coming soon
Here's a snippet to upgrade your installation manually :
```sh
# replace below '<placeholders>' with your own values
helm upgrade --install --atomic \
-n "<your-namesapce>" --create-namespace \
-f "<your-values.yaml>" \
<your-release-name> .
```
Since we provide references to the k8s secret resources within the pods, their manifest file doesnt change and though doesnt reload (no changes detected). When upgrading your secrets, you'll have to do it through Helm (a timestamp field will be updated and your pods restarted)
### 0.1.16
- Auto-generation for the following variables, to ease your future upgrades or setups :
- `ENCRYPTION_KEY`
- `JWT_SIGNUP_SECRET`
- `JWT_REFRESH_SECRET`
- `JWT_AUTH_SECRET`
- `JWT_SERVICE_SECRET`
- `JWT_MFA_SECRET`
We've migrated the applications' environment variables into `secrets` resources, shared within the deployments through `envFrom`. If you upgrade your installation make sure to backup your deployments' environment variables (e.g. encryption key and jwt secrets).
The preference order is :
- **user-defined** (values file or inline)
- **existing-secret** (for existing installations, you don't have to specify the secrets when upgrading if they already exist)
- **auto-generated** (if none of the values above have been found, we'll auto-generate a value for the user, only for the above mentioned variables)
#### Instructions
1. Make sure **you have all the required environment variables** defined in the value file (or inline `--set`) you'll provide to `helm`
1. e.g. All the above mentioned variables
1. **Backup your existing secrets** (safety precaution)
1. with below [snippets](#snippets)
1. **Upgrade the chart**, with the [instructions](#upgrading)
1. It'll create a secret per service, and store the secrets/conf within (auto-generate if you don't provide the required ones)
1. It'll link the secret to the deployment through `envFrom`
1. It'll automatically remove the hard-coded `env.*` variables from your infisical deployments
1. Make sure that the **created secrets match the ones in your backups**
1. e.g. `kubectl get secret -n <namespace> <release-name>-backend --template={{.data.ENCRYPTION_KEY}} | base64 -d`
1. You're all set!
#### Snippets
Here's some snippets to backup your current secrets **before the upgrade** (:warning: it requires [`jq`](https://stedolan.github.io/jq/download/)) :
```sh
# replace the below variables with yours (namespace + app)
namespace=infisical; app=infisical; components="frontend backend"
for component in $components; do
dpl=$(kubectl get deployment -n $namespace -l app=$app -l component=$component \
-o jsonpath="{.items[0].metadata.name}")
kubectl get deployments -n $namespace $dpl \
-o jsonpath='{.spec.template.spec.containers[0].env[*]}' | \
jq -r '.name + ":" + .value' > infisical-$component-conf.bak
done
```


@ -0,0 +1,37 @@
#!/usr/bin/env bash
## Infisical local k8s development environment setup script
## using 'helm' and assume you already have a cluster and an ingress (nginx)
##
##
## DEVELOPMENT USE ONLY
## DO NOT USE IN PRODUCTION
##
# define variables
cluster_name=infisical
host=infisical.local
# install infisical (local development)
helm dep update
cat <<EOF | helm upgrade --install --atomic \
-n infisical-dev --create-namespace \
-f - \
infisical-dev .
mailhog:
enabled: true
backendEnvironmentVariables:
SITE_URL: https://$host
SMTP_FROM_ADDRESS: dev@$host
SMTP_FROM_NAME: Local Infisical
SMTP_HOST: mailhog
SMTP_PASSWORD: ""
SMTP_PORT: 1025
SMTP_SECURE: false
SMTP_USERNAME: dev@$host
frontendEnvironmentVariables:
SITE_URL: https://$host
ingress:
hostName: $host
EOF
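Review bot: The script runs without `set -euo pipefail`, so a failing `helm dep update` does not stop it and `helm upgrade --install` proceeds with whatever is already in `charts/`; adding that line right after the header comment fixes this. `cluster_name=infisical` is assigned but never read in this file and can be dropped. The heredoc delimiter is unquoted, which is what expands `$host` inside the values, so `host` should stay a plain hostname with no YAML-special characters.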


@ -56,20 +56,9 @@ cat <<EOF | helm upgrade --install --atomic \
-n infisical-dev --create-namespace \
-f - \
infisical-dev .
frontend:
enabled: true
backend:
enabled: true
mongodb:
enabled: true
mailhog:
enabled: true
backendEnvironmentVariables:
ENCRYPTION_KEY: $(openssl rand -hex 16)
JWT_AUTH_SECRET: $(openssl rand -hex 16)
JWT_REFRESH_SECRET: $(openssl rand -hex 16)
JWT_SERVICE_SECRET: $(openssl rand -hex 16)
JWT_SIGNUP_SECRET: $(openssl rand -hex 16)
SITE_URL: https://$host
SMTP_FROM_ADDRESS: dev@$host
SMTP_FROM_NAME: Local Infisical
@ -80,4 +69,6 @@ backendEnvironmentVariables:
SMTP_USERNAME: dev@$host
frontendEnvironmentVariables:
SITE_URL: https://$host
ingress:
hostName: $host
EOF


@ -53,28 +53,32 @@
╰―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――┤
―― Here's a list of helpfull commands to get you started 📝 ―――――――――――――――――――――――――――――――――――――――――┤
→ Get all the Infisical resources (excluding secrets/pvcs)
$ kubectl get all -n {{ .Release.Namespace }}
→ Get your release status
$ helm status {{ .Release.Namespace }} {{ .Release.Name }}
→ Get your release resources
$ helm get all {{ .Release.Namespace }} {{ .Release.Name }}
→ Uninstall your release
$ helm uninstall {{ .Release.Namespace }} {{ .Release.Name }}
→ Get MongoDB root password
$ kubectl get secret {{ .Release.Namespace }} mongodb
-o jsonpath="{.data['mongodb-root-password']}" | base64 -d
→ Get MongoDB users passwords
$ kubectl get secret {{ .Release.Namespace }} mongodb
-o jsonpath="{.data['mongodb-passwords']}" | base64 -d
╰―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――┤
―― Here's a list of helpful commands to get you started 📝 ―――――――――――――――――――――――――――――――――――――――――┤
→ Get all the Infisical resources (excluding secrets/pvcs)
$ kubectl get all -n {{ .Release.Namespace }}
→ Get your release status
$ helm status {{ .Release.Namespace }} {{ .Release.Name }}
→ Get your release resources
$ helm get all {{ .Release.Namespace }} {{ .Release.Name }}
→ Uninstall your release
$ helm uninstall {{ .Release.Namespace }} {{ .Release.Name }}
→ Get MongoDB root password
$ kubectl get secret -n {{ .Release.Namespace }} mongodb
-o jsonpath="{.data['mongodb-root-password']}" | base64 -d
→ Get MongoDB users passwords
$ kubectl get secret -n {{ .Release.Namespace }} mongodb
-o jsonpath="{.data['mongodb-passwords']}" | base64 -d
→ Export your backend secrets (requires jq)
$ kubectl get secrets/<your-secret-name> -n {{ .Release.Namespace }} \
-o json | jq '.data | map_values(@base64d)' > <dest-filename>.bak
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――┤
##
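Review bot: The `helm status`, `helm get all` and `helm uninstall` hints still pass `{{ .Release.Namespace }}` as a positional argument, although Helm takes only the release name positionally; the commit adds `-n` to the two `kubectl get secret` lines but not to these. They should read `helm status -n {{ .Release.Namespace }} {{ .Release.Name }}`, and likewise for the other two. The new export hint writes base64-decoded secrets to a plaintext `.bak` file, so it could also tell the reader to run it under `umask 077` and to move the file into a secret store afterwards.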


@ -122,8 +122,9 @@ Create the mongodb connection string.
{{- $pass := first .Values.mongodb.auth.passwords | default "root" -}}
{{- $database := first .Values.mongodb.auth.databases | default "test" -}}
{{- $connectionString := printf "mongodb://%s:%s@%s:%d/%s" $user $pass $host $port $database -}}
{{/* Backward compatibility (< 0.1.16, deprecated) */}}
{{- if .Values.mongodbConnection.externalMongoDBConnectionString -}}
{{- $connectionString = .Values.mongodbConnection.externalMongoDBConnectionString -}}
{{- end -}}
{{- printf "%s" $connectionString -}}
{{- end -}}
{{- end -}}


@ -1,31 +1,34 @@
{{- $backend := .Values.backend }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "infisical.backend.fullname" . }}
{{- with .Values.backend.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
updatedAt: {{ now | date "2006-01-01 MST 15:04:05" | quote }}
{{- with $backend.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "infisical.backend.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.backend.replicaCount }}
replicas: {{ $backend.replicaCount }}
selector:
matchLabels:
{{- include "infisical.backend.matchLabels" . | nindent 6 }}
template:
metadata:
metadata:
labels:
{{- include "infisical.backend.matchLabels" . | nindent 8 }}
{{- with .Values.backend.podAnnotations }}
annotations:
updatedAt: {{ now | date "2006-01-01 MST 15:04:05" | quote }}
{{- with $backend.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
spec:
containers:
- name: {{ template "infisical.name" . }}-{{ .Values.backend.name }}
image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
- name: {{ template "infisical.name" . }}-{{ $backend.name }}
image: "{{ $backend.image.repository }}:{{ $backend.image.tag | default "latest" }}"
imagePullPolicy: {{ $backend.image.pullPolicy }}
readinessProbe:
httpGet:
path: /api/status
@ -34,43 +37,58 @@ spec:
periodSeconds: 10
ports:
- containerPort: 4000
{{- if .Values.backend.kubeSecretRef }}
envFrom:
- secretRef:
name: {{ .Values.backend.kubeSecretRef }}
{{- end }}
env:
- name: MONGO_URL
value: {{ include "infisical.mongodb.connectionString" . | quote }}
{{- if .Values.backendEnvironmentVariables }}
{{- range $key, $value := .Values.backendEnvironmentVariables }}
{{- if $value | quote | eq "MUST_REPLACE" }}
{{ fail "Environment variables are not set. Please set all environment variables to continue." }}
{{ end }}
- name: {{ $key }}
value: {{ quote $value }}
{{- end }}
{{- end }}
name: {{ $backend.kubeSecretRef | default (include "infisical.backend.fullname" .) }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "infisical.backend.fullname" . }}
labels:
{{- include "infisical.backend.labels" . | nindent 4 }}
{{- with .Values.backend.service.annotations }}
{{- with $backend.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.backend.service.type }}
type: {{ $backend.service.type }}
selector:
{{- include "infisical.backend.matchLabels" . | nindent 8 }}
ports:
- protocol: TCP
port: 4000
targetPort: 4000 # container port
{{- if eq .Values.backend.service.type "NodePort" }}
nodePort: {{ .Values.backend.service.nodePort }}
{{- if eq $backend.service.type "NodePort" }}
nodePort: {{ $backend.service.nodePort }}
{{- end }}
---
{{ if not $backend.kubeSecretRef }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "infisical.backend.fullname" . }}
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
stringData:
{{- $requiredVars := dict "ENCRYPTION_KEY" (randAlphaNum 32 | lower)
"JWT_SIGNUP_SECRET" (randAlphaNum 32 | lower)
"JWT_REFRESH_SECRET" (randAlphaNum 32 | lower)
"JWT_AUTH_SECRET" (randAlphaNum 32 | lower)
"JWT_SERVICE_SECRET" (randAlphaNum 32 | lower)
"JWT_MFA_SECRET" (randAlphaNum 32 | lower)
"MONGO_URL" (include "infisical.mongodb.connectionString" .) }}
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (include "infisical.backend.fullname" .)) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{ range $key, $value := .Values.backendEnvironmentVariables }}
{{- $default := get $requiredVars $key -}}
{{- $current := get $secretData $key | b64dec -}}
{{- $v := $value | default ($current | default $default) -}}
{{ $key }}: {{ $v | quote }}
{{ end -}}
{{- end }}
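Review bot: In the new Secret block, `lookup` returns an empty result whenever the chart is rendered without cluster access (`helm template`, `--dry-run`, client-side rendering in GitOps tools), so every variable left empty gets a fresh `randAlphaNum` value on each render, and applying that output over an existing install would replace `ENCRYPTION_KEY`. A comment above the `lookup` line would make this visible, e.g. `{{/* lookup is empty under helm template/--dry-run: set the keys explicitly or use backend.kubeSecretRef there */}}`. The generated values are also `[0-9a-z]` rather than the 32-character hex the chart README asks for; if the backend parses them as hex, `(randAlphaNum 32 | sha256sum | trunc 32)` keeps the length and yields hex. Separately, `$value | default (...)` treats `false` and `0` as empty, so `SMTP_SECURE: false` falls back to whatever the existing secret holds (or to an empty string) instead of being written as `"false"`.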


@ -1,15 +1,17 @@
{{- $frontend := .Values.frontend }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "infisical.frontend.fullname" . }}
{{- with .Values.frontend.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
updatedAt: {{ now | date "2006-01-01 MST 15:04:05" | quote }}
{{- with .Values.frontend.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "infisical.frontend.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.frontend.replicaCount }}
replicas: {{ $frontend.replicaCount }}
selector:
matchLabels:
{{- include "infisical.frontend.matchLabels" . | nindent 6 }}
@ -17,57 +19,70 @@ spec:
metadata:
labels:
{{- include "infisical.frontend.matchLabels" . | nindent 8 }}
{{- with .Values.frontend.podAnnotations }}
annotations:
updatedAt: {{ now | date "2006-01-01 MST 15:04:05" | quote }}
{{- with $frontend.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
spec:
containers:
- name: {{ template "infisical.name" . }}-{{ .Values.frontend.name }}
image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
- name: {{ template "infisical.name" . }}-{{ $frontend.name }}
image: "{{ $frontend.image.repository }}:{{ $frontend.image.tag | default "latest" }}"
imagePullPolicy: {{ $frontend.image.pullPolicy }}
readinessProbe:
httpGet:
path: /
port: 3000
initialDelaySeconds: 10
periodSeconds: 10
{{- if .Values.frontend.kubeSecretRef }}
envFrom:
- secretRef:
name: {{ .Values.frontend.kubeSecretRef }}
{{- end }}
{{- if .Values.frontendEnvironmentVariables }}
env:
{{- range $key, $value := .Values.frontendEnvironmentVariables }}
{{- if $value | quote | eq "MUST_REPLACE" }}
{{ fail "Environment variables are not set. Please set all environment variables to continue." }}
{{ end }}
- name: {{ $key }}
value: {{ quote $value }}
{{- end }}
{{- end }}
name: {{ $frontend.kubeSecretRef | default (include "infisical.frontend.fullname" .) }}
ports:
- containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "infisical.frontend.fullname" . }}
labels:
{{- include "infisical.frontend.labels" . | nindent 4 }}
{{- with .Values.frontend.service.annotations }}
{{- with $frontend.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.frontend.service.type }}
type: {{ $frontend.service.type }}
selector:
{{- include "infisical.frontend.matchLabels" . | nindent 8 }}
ports:
- protocol: TCP
port: 3000 # service
targetPort: 3000 # container port
{{- if eq .Values.frontend.service.type "NodePort" }}
nodePort: {{ .Values.frontend.service.nodePort }}
{{- end }}
{{- if eq $frontend.service.type "NodePort" }}
nodePort: {{ $frontend.service.nodePort }}
{{- end }}
---
{{ if not $frontend.kubeSecretRef }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "infisical.frontend.fullname" . }}
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
stringData:
{{- $requiredVars := dict }}
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (include "infisical.frontend.fullname" .)) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{ range $key, $value := .Values.frontendEnvironmentVariables }}
{{- $default := get $requiredVars $key -}}
{{- $current := get $secretData $key | b64dec -}}
{{- $v := $value | default ($current | default $default) -}}
{{ $key }}: {{ $v | quote }}
{{ end -}}
{{- end }}
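Review bot: The container image on the new side falls back to the mutable `latest` tag (`{{ $frontend.image.tag | default "latest" }}`) where the old line fell back to `.Chart.AppVersion`, so a release installed without an explicit tag is no longer tied to a known build. If the pull policy is `IfNotPresent`, different nodes can also end up running different images under the same tag. I would keep the chart-pinned default: `image: "{{ $frontend.image.repository }}:{{ $frontend.image.tag | default .Chart.AppVersion }}"`. Separately, both `updatedAt` annotations use the layout `"2006-01-01 MST 15:04:05"`; in Go's reference time `01` is the month and `02` the day, so this prints the month twice, and `"2006-01-02 MST 15:04:05"` is presumably what was meant.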


@ -1,16 +1,25 @@
{{ if .Values.ingress.enabled }}
{{- $ingress := .Values.ingress }}
{{- if and $ingress.ingressClassName (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey $ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set $ingress.annotations "kubernetes.io/ingress.class" $ingress.ingressClassName}}
{{- end }}
{{- end }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: infisical-ingress
{{- with .Values.ingress.annotations }}
{{- with $ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
{{- if and $ingress.ingressClassName (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ $ingress.ingressClassName | default "nginx" }}
{{- end }}
{{- if $ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
{{- range $ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
@ -19,21 +28,23 @@ spec:
{{- end }}
{{- end }}
rules:
- host: {{ .Values.ingress.hostName}}
http:
paths:
- path: {{ .Values.ingress.frontend.path }}
pathType: {{ .Values.ingress.frontend.pathType }}
backend:
service:
name: {{ include "infisical.frontend.fullname" . }}
port:
number: 3000
- path: {{ .Values.ingress.backend.path }}
pathType: {{ .Values.ingress.backend.pathType }}
backend:
service:
name: {{ include "infisical.backend.fullname" . }}
port:
number: 4000
- http:
paths:
- path: {{ $ingress.frontend.path }}
pathType: {{ $ingress.frontend.pathType }}
backend:
service:
name: {{ include "infisical.frontend.fullname" . }}
port:
number: 3000
- path: {{ $ingress.backend.path }}
pathType: {{ $ingress.backend.pathType }}
backend:
service:
name: {{ include "infisical.backend.fullname" . }}
port:
number: 4000
{{- if $ingress.hostName }}
host: {{ $ingress.hostName }}
{{- end }}
{{ end }}
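Review bot: The rewritten rule in the second hunk emits `host:` only when `ingress.hostName` is set, and the values file in this commit changes the default to `hostName: ""`, so a default install renders a rule with no host, which applies to every hostname the ingress controller serves. For a secrets manager I would not make catch-all exposure the default: either fail the render with `host: {{ required "ingress.hostName must be set when ingress.enabled is true" $ingress.hostName | quote }}`, or state in the values comment that an empty value is a deliberate catch-all. Also, `| default "nginx"` on the `ingressClassName` line is unreachable, because the enclosing `if` already requires a non-empty `$ingress.ingressClassName`.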


@ -46,6 +46,8 @@ frontend:
## @param frontend.kubeSecretRef Backend secret resource reference name (containing required [frontend configuration variables](https://infisical.com/docs/self-hosting/configuration/envars))
##
kubeSecretRef: ""
## Frontend service
##
service:
## @param frontend.service.annotations Backend service annotations
##
@ -103,6 +105,8 @@ backend:
## @param backend.kubeSecretRef Backend secret resource reference name (containing required [backend configuration variables](https://infisical.com/docs/self-hosting/configuration/envars))
##
kubeSecretRef: ""
## Backend service
##
service:
## @param backend.service.annotations Backend service annotations
##
@ -118,20 +122,22 @@ backend:
## Documentation : https://infisical.com/docs/self-hosting/configuration/envars
##
backendEnvironmentVariables:
## @param backendEnvironmentVariables.ENCRYPTION_KEY **Required** Backend encryption key (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))
## @param backendEnvironmentVariables.ENCRYPTION_KEY **Required** Backend encryption key (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret)
## Command to generate the required value (linux) : 'hexdump -vn16 -e'4/4 "%08X" 1 "\n"' /dev/urandom', 'openssl rand -hex 16'
##
ENCRYPTION_KEY: MUST_REPLACE
## @param backendEnvironmentVariables.JWT_SIGNUP_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))
## @param backendEnvironmentVariables.JWT_REFRESH_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))
## @param backendEnvironmentVariables.JWT_AUTH_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))
## @param backendEnvironmentVariables.JWT_SERVICE_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))
ENCRYPTION_KEY: ""
## @param backendEnvironmentVariables.JWT_SIGNUP_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret)
## @param backendEnvironmentVariables.JWT_REFRESH_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret)
## @param backendEnvironmentVariables.JWT_AUTH_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret)
## @param backendEnvironmentVariables.JWT_SERVICE_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret)
## @param backendEnvironmentVariables.JWT_MFA_SECRET **Required** Secrets to sign JWT tokens (128-bit hex value, 32-characters hex, [example](https://stackoverflow.com/a/34329057))</br><kbd>auto-generated</kbd> variable (if not provided, and not found in an existing secret)
## Command to generate the required value (linux) : 'hexdump -vn16 -e'4/4 "%08X" 1 "\n"' /dev/urandom', 'openssl rand -hex 16'
##
JWT_SIGNUP_SECRET: MUST_REPLACE
JWT_REFRESH_SECRET: MUST_REPLACE
JWT_AUTH_SECRET: MUST_REPLACE
JWT_SERVICE_SECRET: MUST_REPLACE
JWT_SIGNUP_SECRET: ""
JWT_REFRESH_SECRET: ""
JWT_AUTH_SECRET: ""
JWT_SERVICE_SECRET: ""
JWT_MFA_SECRET: ""
## @param backendEnvironmentVariables.SMTP_HOST **Required** Hostname to connect to for establishing SMTP connections
## @param backendEnvironmentVariables.SMTP_PORT Port to connect to for establishing SMTP connections
## @param backendEnvironmentVariables.SMTP_SECURE If true, use TLS when connecting to host. If false, TLS will be used if STARTTLS is supported
@ -140,16 +146,26 @@ backendEnvironmentVariables:
## @param backendEnvironmentVariables.SMTP_USERNAME **Required** Credential to connect to host (e.g. team@infisical.com)
## @param backendEnvironmentVariables.SMTP_PASSWORD **Required** Credential to connect to host
##
SMTP_HOST: MUST_REPLACE
SMTP_HOST: ""
SMTP_PORT: 587
SMTP_SECURE: false
SMTP_FROM_NAME: Infisical
SMTP_FROM_ADDRESS: MUST_REPLACE
SMTP_USERNAME: MUST_REPLACE
SMTP_PASSWORD: MUST_REPLACE
SMTP_FROM_ADDRESS: ""
SMTP_USERNAME: ""
SMTP_PASSWORD: ""
## @param backendEnvironmentVariables.SITE_URL Absolute URL including the protocol (e.g. https://app.infisical.com)
##
SITE_URL: infisical.local
## @param backendEnvironmentVariables.INVITE_ONLY_SIGNUP To disable account creation from the login page (invites only)
##
INVITE_ONLY_SIGNUP: false
## @param backendEnvironmentVariables.MONGO_URL MongoDB connection string (external or internal)</br>Leave it empty for auto-generated connection string
## By default the backend will automatically be connected to a Mongo instance within the cluster
## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
##
MONGO_URL: ""
## @section MongoDB(&reg;) parameters
## Documentation : https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml
@ -187,6 +203,38 @@ mongodb:
repository: bitnami/mongodb
pullPolicy: IfNotPresent
tag: "6.0.4-debian-11-r0"
## Bitnami MongoDB(&reg;) pods' liveness probe
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param mongodb.livenessProbe.enabled Enable livenessProbe
## @param mongodb.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param mongodb.livenessProbe.periodSeconds Period seconds for livenessProbe
## @param mongodb.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param mongodb.livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param mongodb.livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 20
timeoutSeconds: 10
failureThreshold: 6
successThreshold: 1
## Bitnami MongoDB(&reg;) pods' readiness probe. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param mongodb.readinessProbe.enabled Enable readinessProbe
## @param mongodb.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param mongodb.readinessProbe.periodSeconds Period seconds for readinessProbe
## @param mongodb.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param mongodb.readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param mongodb.readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
failureThreshold: 6
successThreshold: 1
## @param mongodb.service.annotations Service annotations
##
service:
@ -209,8 +257,12 @@ mongodb:
##
databases:
- "infisical"
rootPassword: root
## @param mongodb.auth.rootUser Database root user name
##
rootUser: root
## @param mongodb.auth.rootPassword Database root user password
##
rootPassword: root
## MongoDB persistence configuration
##
persistence:
@ -230,7 +282,7 @@ mongodb:
##
size: 8Gi
## @param mongodbConnection.externalMongoDBConnectionString External MongoDB connection string
## @param mongodbConnection.externalMongoDBConnectionString Deprecated :warning: External MongoDB connection string</br>Use backendEnvironmentVariables.MONGO_URL instead
## By default the backend will be connected to a Mongo instance within the cluster
## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
@ -246,15 +298,19 @@ ingress:
## @param ingress.enabled Enable ingress
##
enabled: true
## @param ingress.ingressClassName Ingress class name
##
ingressClassName: nginx
## @param ingress.annotations Ingress annotations
##
annotations:
## @skip ingress.annotations.kubernetes.io/ingress.class
##
kubernetes.io/ingress.class: "nginx"
{}
# kubernetes.io/ingress.class: "nginx"
# cert-manager.io/issuer: letsencrypt-nginx
## @param ingress.hostName Ingress hostname (your custom domain name)
## @param ingress.hostName Ingress hostname (your custom domain name, e.g. `infisical.example.org`)
## Replace with your own domain
##
hostName: infisical.local
hostName: ""
## @skip ingress.frontend
##
frontend: