add docs for k8 secret type and label propagation

chores: clean login
Merge pull request #1210 from Infisical/hide-blind-index
2025-08-03 20:23:35 +00:00 · 2023-12-07 20:10:11 -05:00 · 2023-12-02 13:28:32 -05:00 · 2023-11-30 18:15:58 -05:00 · 2023-11-29 10:03:06 -05:00
4 changed files with 62 additions and 20 deletions
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@@ -204,20 +204,16 @@ export const login2 = async (req: Request, res: Response) => {
 * @param res
 */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  const {
-    body: { email }
-  } = await validateRequest(reqValidator.SendMfaTokenV2, req);
-
  const code = await TokenService.createToken({
    type: TOKEN_EMAIL_MFA,
-    email
+    email: req.user.email
  });

  // send MFA code [code] to [email]
  await sendMail({
    template: "emailMfa.handlebars",
    subjectLine: "Infisical MFA code",
-    recipients: [email],
+    recipients: [req.user.email],
    substitutions: {
      code
    }
@@ -236,17 +232,17 @@ export const sendMfaToken = async (req: Request, res: Response) => {
 */
 export const verifyMfaToken = async (req: Request, res: Response) => {
  const {
-    body: { email, mfaToken }
+    body: { mfaToken }
  } = await validateRequest(reqValidator.VerifyMfaTokenV2, req);

  await TokenService.validateToken({
    type: TOKEN_EMAIL_MFA,
-    email,
+    email: req.user.email,
    token: mfaToken
  });

  const user = await User.findOne({
-    email
+    email: req.user.email
  }).select(
    "+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices"
  );
--- a/backend/src/routes/v2/auth.ts
+++ b/backend/src/routes/v2/auth.ts
@@ -26,7 +26,7 @@ router.post(
 );

 //remove above ones after depreciation
-router.post("/mfa/send", authLimiter, authController.sendMfaToken);
+router.post("/mfa/send", authLimiter, requireMfaAuth, authController.sendMfaToken);

 router.post("/mfa/verify", authLimiter, requireMfaAuth, authController.verifyMfaToken);

--- a/backend/src/validation/auth.ts
+++ b/backend/src/validation/auth.ts
@@ -84,15 +84,8 @@ export const ResetPasswordV1 = z.object({
  })
 });

-export const SendMfaTokenV2 = z.object({
-  body: z.object({
-    email: z.string().email().trim()
-  })
-});
-
 export const VerifyMfaTokenV2 = z.object({
  body: z.object({
-    email: z.string().email().trim(),
    mfaToken: z.string().trim()
  })
 });
--- a/docs/integrations/platforms/kubernetes.mdx
+++ b/docs/integrations/platforms/kubernetes.mdx
@@ -161,12 +161,65 @@ Default re-sync interval is every 1 minute.
 </Accordion>

 <Accordion title="managedSecretReference">
-The `managedSecretReference` field in the InfisicalSecret resource is used to specify the location where secrets retrieved from an Infisical project should be stored. 
-You should specify the name and namespace of the Kubernetes secret that will hold these secrets. The operator will create the secret for you, you just need to provide its name and namespace.
+The `managedSecretReference` field is used to define the target location for storing secrets retrieved from an Infisical project. 
+This field requires specifying both the name and namespace of the Kubernetes secret that will hold these secrets. 
+The Infisical operator will automatically create the Kubernetes secret with the specified name/namespace and keep it continuously updated.

-The managed secret be should be created in the same namespace as the deployment that will use it.
+Note: The managed secret be should be created in the same namespace as the deployment that will use it.

 </Accordion>
+<Accordion title="managedSecretReference.secretName">
+The name of the managed Kubernetes secret to be created
+</Accordion>
+<Accordion title="managedSecretReference.secretNamespace">
+The namespace of the managed Kubernetes secret to be created. 
+</Accordion>
+<Accordion title="managedSecretReference.secretType">
+Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
+</Accordion>
+
+### Propagating labels & annotations 
+
+The operator will transfer all labels & annotations present on the `InfisicalSecret` CRD to the managed Kubernetes secret to be created. 
+Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
+
+<Accordion title="Example propagation">
+```yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
+spec:
+  ..
+  authentication:
+    ...
+  managedSecretReference:
+    ...
+```
+
+This would result in the following managed secret to be created:
+
+```yaml
+apiVersion: v1
+data:
+ ...
+kind: Secret
+metadata:
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: sample-value
+    secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  name: managed-token
+  namespace: default
+type: Opaque
+```
+</Accordion>
+

 ### Apply the Infisical CRD to your cluster 
 Once you have configured the Infisical CRD with the required fields, you can apply it to your cluster.
Author	SHA1	Message	Date
Maidul Islam	5eb505326b	add docs for k8 secret type and label propagation	2023-12-07 20:10:11 -05:00
Maidul Islam	4b41664fa4	chores: clean login	2023-12-02 13:28:32 -05:00
Maidul Islam	735cf093f0	Merge pull request #1210 from Infisical/hide-blind-index Hide blind index notice	2023-11-30 18:15:58 -05:00
Maidul Islam	5f80e2f432	Merge pull request #1205 from Infisical/add-docs-for-folders-cli add docs for folder cli command	2023-11-29 10:03:06 -05:00