Compare commits
17 Commits
Author | SHA1 | Date | |
---|---|---|---|
b5ac49eefe | |||
b21d1a0ed2 | |||
70f1122362 | |||
ea03db8a2c | |||
38d9abca17 | |||
5bed2580c3 | |||
d0b899897b | |||
1861dc85de | |||
bc6bf33674 | |||
44fd35baf5 | |||
8ddfee4c36 | |||
4d0bff4377 | |||
68eb0f8dd9 | |||
5941e8e836 | |||
80e50d13ec | |||
99c8dda4e1 | |||
14c8e3fa3b |
@ -129,9 +129,14 @@ export const renewAccessToken = async (req: Request, res: Response) => {
|
||||
accessTokenTTL,
|
||||
accessTokenLastRenewedAt,
|
||||
accessTokenMaxTTL,
|
||||
createdAt: accessTokenCreatedAt
|
||||
createdAt: accessTokenCreatedAt,
|
||||
accessTokenNumUses,
|
||||
accessTokenNumUsesLimit
|
||||
} = identityAccessToken;
|
||||
|
||||
if (accessTokenNumUses >= accessTokenNumUsesLimit) {
|
||||
throw BadRequestError({ message: "Unable to renew because access token number of uses limit reached" })
|
||||
}
|
||||
|
||||
// ttl check
|
||||
if (accessTokenTTL > 0) {
|
||||
|
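Review bot: The new uses-limit check `if (accessTokenNumUses >= accessTokenNumUsesLimit)` rejects renewal whenever the limit is 0, which — if `accessTokenNumUsesLimit` follows the same zero-means-unbounded convention the TTL check right below applies with `if (accessTokenTTL > 0)` — would block renewal of every token created without a uses limit. Guarding the comparison the same way avoids that: `if (accessTokenNumUsesLimit > 0 && accessTokenNumUses >= accessTokenNumUsesLimit) {`. If 0 is instead a genuine "no uses" limit, a one-line comment stating that convention next to the check would spare the next reader the same question. The body of renewAccessToken continues outside the hunk.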
@ -17,12 +17,12 @@ export const getSecretApprovalRequestCount = async (req: Request, res: Response)
|
||||
} = await validateRequest(reqValidator.getSecretApprovalRequestCount, req);
|
||||
|
||||
if (!(req.authData.authPayload instanceof User)) return;
|
||||
|
||||
|
||||
const membership = await Membership.findOne({
|
||||
user: req.authData.authPayload._id,
|
||||
workspace: new Types.ObjectId(workspaceId)
|
||||
});
|
||||
|
||||
|
||||
if (!membership) throw UnauthorizedRequestError();
|
||||
|
||||
const approvalRequestCount = await SecretApprovalRequest.aggregate([
|
||||
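Review bot: The guard `if (!(req.authData.authPayload instanceof User)) return;` exits the handler without sending any response, so a request carrying some other principal type would hang until the client times out instead of being rejected; the same guard appears in the getSecretApprovalRequests hunk below. Rejecting explicitly, consistent with the membership check a few lines down, reads as `if (!(req.authData.authPayload instanceof User)) throw UnauthorizedRequestError();`. If an upstream middleware already guarantees a User here, a short comment saying so would make the bare return look intentional. The handler's body continues outside the hunk.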
@ -73,12 +73,12 @@ export const getSecretApprovalRequests = async (req: Request, res: Response) =>
|
||||
} = await validateRequest(reqValidator.getSecretApprovalRequests, req);
|
||||
|
||||
if (!(req.authData.authPayload instanceof User)) return;
|
||||
|
||||
|
||||
const membership = await Membership.findOne({
|
||||
user: req.authData.authPayload._id,
|
||||
workspace: new Types.ObjectId(workspaceId)
|
||||
});
|
||||
|
||||
|
||||
if (!membership) throw UnauthorizedRequestError();
|
||||
|
||||
const query = {
|
||||
@ -168,13 +168,13 @@ export const getSecretApprovalRequestDetails = async (req: Request, res: Respons
|
||||
user: req.authData.authPayload._id,
|
||||
workspace: secretApprovalRequest.workspace
|
||||
});
|
||||
|
||||
|
||||
if (!membership) throw UnauthorizedRequestError();
|
||||
|
||||
// allow to fetch only if its admin or is the committer or approver
|
||||
if (
|
||||
membership.role !== "admin" &&
|
||||
secretApprovalRequest.committer !== membership.id &&
|
||||
!secretApprovalRequest.committer.equals(membership.id) &&
|
||||
!secretApprovalRequest.policy.approvers.find(
|
||||
(approverId) => approverId.toString() === membership._id.toString()
|
||||
)
|
||||
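Review bot: The committer check and the approver check in the new authorization condition compare the same membership identity in two different shapes, `.equals(membership.id)` on one line and `approverId.toString() === membership._id.toString()` on the next; settling on one form makes the rule easier to audit, e.g. `!secretApprovalRequest.policy.approvers.some((approverId) => approverId.toString() === membership._id.toString())`. Using `some` rather than `find` also states plainly that only the boolean is wanted. The condition continues outside the hunk, so the branch it guards is not visible here.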
@ -215,7 +215,7 @@ export const updateSecretApprovalReviewStatus = async (req: Request, res: Respon
|
||||
user: req.authData.authPayload._id,
|
||||
workspace: secretApprovalRequest.workspace
|
||||
});
|
||||
|
||||
|
||||
if (!membership) throw UnauthorizedRequestError();
|
||||
|
||||
if (
|
||||
@ -257,7 +257,7 @@ export const mergeSecretApprovalRequest = async (req: Request, res: Response) =>
|
||||
user: req.authData.authPayload._id,
|
||||
workspace: secretApprovalRequest.workspace
|
||||
});
|
||||
|
||||
|
||||
if (!membership) throw UnauthorizedRequestError();
|
||||
|
||||
if (
|
||||
@ -307,7 +307,7 @@ export const updateSecretApprovalRequestStatus = async (req: Request, res: Respo
|
||||
user: req.authData.authPayload._id,
|
||||
workspace: secretApprovalRequest.workspace
|
||||
});
|
||||
|
||||
|
||||
if (!membership) throw UnauthorizedRequestError();
|
||||
|
||||
if (
|
||||
|
@ -158,7 +158,7 @@ export const CreateServiceTokenV2 = z.object({
|
||||
encryptedKey: z.string().trim(),
|
||||
iv: z.string().trim(),
|
||||
tag: z.string().trim(),
|
||||
expiresIn: z.number(),
|
||||
expiresIn: z.number().nullable().optional(),
|
||||
permissions: z.enum(["read", "write"]).array()
|
||||
})
|
||||
});
|
||||
|
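Review bot: `expiresIn: z.number().nullable().optional()` now lets a service token be created with no expiry at all, and the numeric branch still accepts 0 and negative values just as the old `z.number()` did; if a null or absent `expiresIn` is meant to yield a non-expiring token, that is a long-lived credential and the field deserves a comment saying so, such as `// null/absent: token does not expire`. Constraining the numeric case to `z.number().int().positive().nullable().optional()` would reject a zero or negative TTL at validation time rather than leaving it to the handler. The enclosing `CreateServiceTokenV2` object starts outside the hunk.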
@ -10,97 +10,97 @@ description: "Configure Azure SAML for Infisical SSO"
|
||||
then you should contact team@infisical.com to purchase an enterprise license to use it.
|
||||
</Info>
|
||||
|
||||
1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
|
||||
Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.
|
||||
<Steps>
|
||||
<Step title="Prepare the SAML SSO configuration in Infisical">
|
||||
In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
|
||||
|
||||

|
||||
Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.
|
||||
|
||||
2. In the Azure Portal, navigate to the Azure Active Directory and select **Enterprise applications**. On this screen, select
|
||||
**+ New application**.
|
||||

|
||||
</Step>
|
||||
<Step title="Create a SAML application in Azure">
|
||||
In the Azure Portal, navigate to the Azure Active Directory and select **Enterprise applications**. On this screen, select **+ New application**.
|
||||
|
||||

|
||||

|
||||
|
||||

|
||||

|
||||
|
||||
On the next screen, press the **+ Create your own application** button.
|
||||
Give the application a unique name like Infisical; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
|
||||
option and hit the **Create** button.
|
||||
|
||||
2. On the next screen, press the **+ Create your own application** button.
|
||||
Give the application a unique name like Infisical; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
|
||||
option and hit the **Create** button.
|
||||

|
||||
|
||||

|
||||
On the application overview screen, select **Single sign-on** from the left sidebar. From there, select the **SAML** single sign-on method.
|
||||
|
||||
3. On the application overview screen, select **Single sign-on** from the left sidebar. From there,
|
||||
select the **SAML** single sign-on method.
|
||||

|
||||
|
||||

|
||||
Next, select **Edit** in the **Basic SAML Configuration** section and add/set the **Identifier (Entity ID)** to **Entity ID** and add/set the **Reply URL (Assertion Consumer Service URL)** to **ACS URL** from step 1.
|
||||
|
||||
4. Next, select **Edit** in the **Basic SAML Configuration** section and add/set the **Identifier (Entity ID)**
|
||||
to **Entity ID** and add/set the **Reply URL (Assertion Consumer Service URL)** to **ACS URL** from step 1.
|
||||

|
||||
|
||||

|
||||

|
||||
|
||||

|
||||
<Note>
|
||||
If you're self-hosting Infisical, then you will want to replace
|
||||
`https://app.infisical.com` with your own domain.
|
||||
</Note>
|
||||
|
||||
<Note>
|
||||
If you're self-hosting Infisical, then you will want to replace
|
||||
`https://app.infisical.com` with your own domain.
|
||||
</Note>
|
||||
Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **Attributes & Claims** section and configure the following map:
|
||||
|
||||
5. Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **Attributes & Claims** section and configure the following map:
|
||||
- `email -> user.userprinciplename`
|
||||
- `firstName -> user.firstName`
|
||||
- `lastName -> user.lastName`
|
||||
|
||||
- `email -> user.userprinciplename`
|
||||
- `firstName -> user.firstName`
|
||||
- `lastName -> user.lastName`
|
||||

|
||||
|
||||

|
||||

|
||||
|
||||

|
||||
Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **SAML Certificates** section and set the **Signing Option** field to **Sign SAML response and assertion**.
|
||||
|
||||
6. Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **SAML Certificates** section and set the **Signing Option** field to **Sign SAML response and assertion**.
|
||||

|
||||
|
||||

|
||||

|
||||
</Step>
|
||||
<Step title="Retrieve Identity Provider (IdP) Information from Okta">
|
||||
In the **Set up Single Sign-On with SAML** screen, copy the **Login URL** and **SAML Certificate** to use when finishing configuring Azure SAML in Infisical.
|
||||
|
||||

|
||||

|
||||
|
||||
7. Get IdP values:
|
||||
In the **Properties** screen, copy the **Application ID** to use when finishing configuring Azure SAML in Infisical.
|
||||
|
||||
In the **Set up Single Sign-On with SAML** screen, copy the **Login URL** and **SAML Certificate** to use when finishing configuring Azure SAML in Infisical.
|
||||

|
||||
</Step>
|
||||
<Step title="Finish configuring SAML in Infisical">
|
||||
Back in Infisical, set **Login URL**, **Azure Application ID**, and **SAML Certificate** from step 3. Once you've done that, press **Update** to complete the required configuration.
|
||||
|
||||

|
||||

|
||||
|
||||
In the **Properties** screen, copy the **Application ID** to use when finishing configuring Azure SAML in Infisical.
|
||||
<Note>
|
||||
When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
|
||||
CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
|
||||
of the text area respectively.
|
||||
|
||||

|
||||
Having trouble?, try copying the X509 certificate information from the Federation Metadata XML file in Azure.
|
||||
|
||||
Back in Infisical, set **Login URL**, **Azure Application ID**, and **SAML Certificate** from above. Once you've done that, press **Update** to complete the required configuration.
|
||||
</Note>
|
||||
</Step>
|
||||
<Step title="Assign users in Azure to the application">
|
||||
Back in Azure, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.
|
||||
|
||||

|
||||
</Step>
|
||||
<Step title="Enable SAML SSO in Infisical">
|
||||
Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Azure.
|
||||
|
||||

|
||||
|
||||
<Note>
|
||||
When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
|
||||
CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
|
||||
of the text area respectively.
|
||||
|
||||
Having trouble?, try copying the X509 certificate information from the Federation Metadata XML file in Azure.
|
||||
|
||||
</Note>
|
||||
|
||||
7. Assignments
|
||||
|
||||
Back in Azure, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.
|
||||

|
||||
|
||||
8. Return to Infisical and enable SAML SSO.
|
||||
|
||||
Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Azure.
|
||||
|
||||

|
||||

|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
<Note>
|
||||
If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
|
||||
set the `JWT_PROVIDER_AUTH_SECRET` and `SITE_URL` environment variable for it to work:
|
||||
set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
|
||||
|
||||
- `JWT_PROVIDER_AUTH_SECRET`: This is secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
|
||||
- `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
</Note>
|
||||
|
||||
|
||||
</Note>
|
@ -5,38 +5,39 @@ description: "Configure GitHub SSO for Infisical"
|
||||
|
||||
Using GitHub SSO on a self-hosted instance of Infisical requires configuring an OAuth2 application in GitHub and registering your instance with it.
|
||||
|
||||
## Create an OAuth application in GitHub
|
||||
<Steps>
|
||||
<Step title="Create an OAuth application in GitHub">
|
||||
Navigate to your user Settings > Developer settings > OAuth Apps to create a new GitHub OAuth application.
|
||||
|
||||
Navigate to your user Settings > Developer settings > OAuth Apps to create a new GitHub OAuth application.
|
||||

|
||||

|
||||

|
||||
|
||||

|
||||

|
||||

|
||||
Create the OAuth application. As part of the form, set the **Homepage URL** to your self-hosted domain `https://your-domain.com`
|
||||
and the **Authorization callback URL** to `https://your-domain.com/api/v1/sso/github`.
|
||||
|
||||
Create the OAuth application. As part of the form, set the **Homepage URL** to your self-hosted domain `https://your-domain.com`
|
||||
and the **Authorization callback URL** to `https://your-domain.com/api/v1/sso/github`.
|
||||

|
||||
|
||||

|
||||
<Note>
|
||||
If you have a GitHub organization, you can create an OAuth application under it
|
||||
in your organization Settings > Developer settings > OAuth Apps > New Org OAuth App.
|
||||
</Note>
|
||||
</Step>
|
||||
<Step title="Add your OAuth application credentials to Infisical">
|
||||
Obtain the **Client ID** and generate a new **Client Secret** for your GitHub OAuth application.
|
||||
|
||||
<Note>
|
||||
If you have a GitHub organization, you can create an OAuth application under it
|
||||
in your organization Settings > Developer settings > OAuth Apps > New Org OAuth App.
|
||||
</Note>
|
||||

|
||||
|
||||
## Add your OAuth application credentials to Infisical
|
||||
Back in your Infisical instance, make sure to set the following environment variables:
|
||||
|
||||
Obtain the **Client ID** and generate a new **Client Secret** for your GitHub OAuth application.
|
||||
|
||||

|
||||
|
||||
Back in your Infisical instance, make sure to set the following environment variables:
|
||||
|
||||
- `CLIENT_ID_GITHUB_LOGIN`: The **Client ID** of your GitHub OAuth application.
|
||||
- `CLIENT_SECRET_GITHUB_LOGIN`: The **Client Secret** of your GitHub OAuth application.
|
||||
- `JWT_PROVIDER_AUTH_SECRET`: A secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
|
||||
Once added, restart your Infisical instance and log in with GitHub.
|
||||
- `CLIENT_ID_GITHUB_LOGIN`: The **Client ID** of your GitHub OAuth application.
|
||||
- `CLIENT_SECRET_GITHUB_LOGIN`: The **Client Secret** of your GitHub OAuth application.
|
||||
- `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
|
||||
Once added, restart your Infisical instance and log in with GitHub.
|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
## FAQ
|
||||
|
||||
@ -45,7 +46,7 @@ Once added, restart your Infisical instance and log in with GitHub.
|
||||
It is likely that you have misconfigured your self-hosted instance of Infisical. You should:
|
||||
|
||||
- Check that you have set the `CLIENT_ID_GITHUB_LOGIN`, `CLIENT_SECRET_GITHUB_LOGIN`,
|
||||
`JWT_PROVIDER_AUTH_SECRET`, and `SITE_URL` environment variables.
|
||||
`AUTH_SECRET`, and `SITE_URL` environment variables.
|
||||
- Check that the **Authorization callback URL** specified in GitHub matches the `SITE_URL` environment variable.
|
||||
For example, if the former is `https://app.infisical.com/api/v1/sso/github` then the latter should be `https://app.infisical.com`.
|
||||
</Accordion>
|
||||
|
@ -5,38 +5,39 @@ description: "Configure GitLab SSO for Infisical"
|
||||
|
||||
Using GitLab SSO on a self-hosted instance of Infisical requires configuring an OAuth application in GitLab and registering your instance with it.
|
||||
|
||||
## Create an OAuth application in GitLab
|
||||
<Steps>
|
||||
<Step title="Create an OAuth application in GitLab">
|
||||
Navigate to your user Settings > Applications to create a new GitLab application.
|
||||
|
||||
Navigate to your user Settings > Applications to create a new GitLab application.
|
||||

|
||||

|
||||
|
||||

|
||||

|
||||
Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/api/v1/sso/gitlab`.
|
||||
Note that only `read_user` is required as part of the **Scopes** configuration.
|
||||
|
||||
Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/api/v1/sso/gitlab`.
|
||||
Note that only `read_user` is required as part of the **Scopes** configuration.
|
||||

|
||||
|
||||

|
||||
<Note>
|
||||
If you have a GitLab group, you can create an OAuth application under it
|
||||
in your group Settings > Applications.
|
||||
</Note>
|
||||
</Step>
|
||||
<Step title="Add your OAuth application credentials to Infisical">
|
||||
Obtain the **Application ID** and **Secret** for your GitLab application.
|
||||
|
||||
<Note>
|
||||
If you have a GitLab group, you can create an OAuth application under it
|
||||
in your group Settings > Applications.
|
||||
</Note>
|
||||

|
||||
|
||||
## Add your OAuth application credentials to Infisical
|
||||
Back in your Infisical instance, make sure to set the following environment variables:
|
||||
|
||||
Obtain the **Application ID** and **Secret** for your GitLab application.
|
||||
|
||||

|
||||
|
||||
Back in your Infisical instance, make sure to set the following environment variables:
|
||||
|
||||
- `CLIENT_ID_GITLAB_LOGIN`: The **Client ID** of your GitLab application.
|
||||
- `CLIENT_SECRET_GITLAB_LOGIN`: The **Secret** of your GitLab application.
|
||||
- (optional) `URL_GITLAB_LOGIN`: The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to `https://gitlab.com`.
|
||||
- `JWT_PROVIDER_AUTH_SECRET`: A secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
|
||||
Once added, restart your Infisical instance and log in with GitLab.
|
||||
- `CLIENT_ID_GITLAB_LOGIN`: The **Client ID** of your GitLab application.
|
||||
- `CLIENT_SECRET_GITLAB_LOGIN`: The **Secret** of your GitLab application.
|
||||
- (optional) `URL_GITLAB_LOGIN`: The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to `https://gitlab.com`.
|
||||
- `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
|
||||
Once added, restart your Infisical instance and log in with GitLab.
|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
## FAQ
|
||||
|
||||
@ -45,7 +46,7 @@ Once added, restart your Infisical instance and log in with GitLab.
|
||||
It is likely that you have misconfigured your self-hosted instance of Infisical. You should:
|
||||
|
||||
- Check that you have set the `CLIENT_ID_GITLAB_LOGIN`, `CLIENT_SECRET_GITLAB_LOGIN`,
|
||||
`JWT_PROVIDER_AUTH_SECRET`, and `SITE_URL` environment variables.
|
||||
`AUTH_SECRET`, and `SITE_URL` environment variables.
|
||||
- Check that the **Redirect URI** specified in GitLab matches the `SITE_URL` environment variable.
|
||||
For example, if the former is `https://app.infisical.com/api/v1/sso/gitlab` then the latter should be `https://app.infisical.com`.
|
||||
</Accordion>
|
||||
|
@ -5,31 +5,32 @@ description: "Configure Google SSO for Infisical"
|
||||
|
||||
Using Google SSO on a self-hosted instance of Infisical requires configuring an OAuth2 application in GCP and registering your instance with it.
|
||||
|
||||
## Create an OAuth2 application in GCP
|
||||
<Steps>
|
||||
<Step title="Create an OAuth2 application in GCP">
|
||||
Navigate to your project API & Services > Credentials to create a new OAuth2 application.
|
||||
|
||||

|
||||

|
||||
|
||||
Navigate to your project API & Services > Credentials to create a new OAuth2 application.
|
||||
|
||||

|
||||

|
||||
Create the application. As part of the form, add to **Authorized redirect URIs**: `https://your-domain.com/api/v1/sso/google`.
|
||||
|
||||
Create the application. As part of the form, add to **Authorized redirect URIs**: `https://your-domain.com/api/v1/sso/google`.
|
||||

|
||||
</Step>
|
||||
<Step title="Add your OAuth2 application credentials to Infisical">
|
||||
Obtain the **Client ID** and **Client Secret** for your GCP OAuth2 application.
|
||||
|
||||

|
||||

|
||||
|
||||
Back in your Infisical instance, make sure to set the following environment variables:
|
||||
|
||||
## Add your OAuth2 application credentials to Infisical
|
||||
|
||||
Obtain the **Client ID** and **Client Secret** for your GCP OAuth2 application.
|
||||
|
||||

|
||||
|
||||
Back in your Infisical instance, make sure to set the following environment variables:
|
||||
|
||||
- `CLIENT_ID_GOOGLE_LOGIN`: The **Client ID** of your GCP OAuth2 application.
|
||||
- `CLIENT_SECRET_GOOGLE_LOGIN`: The **Client Secret** of your GCP OAuth2 application.
|
||||
- `JWT_PROVIDER_AUTH_SECRET`: A secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
|
||||
Once added, restart your Infisical instance and log in with Google
|
||||
- `CLIENT_ID_GOOGLE_LOGIN`: The **Client ID** of your GCP OAuth2 application.
|
||||
- `CLIENT_SECRET_GOOGLE_LOGIN`: The **Client Secret** of your GCP OAuth2 application.
|
||||
- `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
|
||||
Once added, restart your Infisical instance and log in with Google
|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
## FAQ
|
||||
|
||||
@ -38,7 +39,7 @@ Once added, restart your Infisical instance and log in with Google
|
||||
It is likely that you have misconfigured your self-hosted instance of Infisical. You should:
|
||||
|
||||
- Check that you have set the `CLIENT_ID_GOOGLE_LOGIN`, `CLIENT_SECRET_GOOGLE_LOGIN`,
|
||||
`JWT_PROVIDER_AUTH_SECRET`, and `SITE_URL` environment variables.
|
||||
`AUTH_SECRET`, and `SITE_URL` environment variables.
|
||||
- Check that the **Authorized redirect URI** specified in GCP matches the `SITE_URL` environment variable.
|
||||
For example, if the former is `https://app.infisical.com/api/v1/sso/google` then the latter should be `https://app.infisical.com`.
|
||||
</Accordion>
|
||||
|
@ -10,73 +10,77 @@ description: "Configure JumpCloud SAML for Infisical SSO"
|
||||
then you should contact team@infisical.com to purchase an enterprise license to use it.
|
||||
</Info>
|
||||
|
||||
1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
|
||||
Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
|
||||
<Steps>
|
||||
<Step title="Prepare the SAML SSO configuration in Infisical">
|
||||
In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
|
||||
|
||||

|
||||
Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
|
||||
|
||||
2. In the JumpCloud Admin Portal, navigate to User Authentication > SSO and create an application. If this is your first application, select **Get Started**;
|
||||
if not, select **+Add New Application**
|
||||

|
||||
</Step>
|
||||
<Step title="Create a SAML application in JumpCloud">
|
||||
2.1. In the JumpCloud Admin Portal, navigate to User Authentication > SSO and create an application. If this is your first application, select **Get Started**; if not, select **+Add New Application**
|
||||
|
||||

|
||||

|
||||
|
||||
3. Next, select **Custom SAML App** to open up the **New SSO** dialog.
|
||||
2.2. Next, select **Custom SAML App** to open up the **New SSO** dialog.
|
||||
|
||||

|
||||

|
||||
|
||||
4. In the **General Info** tab, give the application a unique name like Infisical.
|
||||
2.3. In the **General Info** tab, give the application a unique name like Infisical.
|
||||
|
||||

|
||||

|
||||
|
||||
5. In the **SSO** tab, set the **SP Entity ID** and **ACS URL** from step 1; set the **IdP Entity ID** to the same value as the **SP Entity ID**.
|
||||
2.4. In the **SSO** tab, set the **SP Entity ID** and **ACS URL** from step 1; set the **IdP Entity ID** to the same value as the **SP Entity ID**.
|
||||
|
||||

|
||||

|
||||
|
||||
6. On the same tab, check the **Sign Assertion** checkbox and fill the **IDP URL** to something unique.
|
||||
Copy the **IDP URL** to use when finishing configuring the JumpCloud SAML in Infisical.
|
||||
2.5. On the same tab, check the **Sign Assertion** checkbox and fill the **IDP URL** to something unique.
|
||||
Copy the **IDP URL** to use when finishing configuring the JumpCloud SAML in Infisical.
|
||||
|
||||

|
||||

|
||||
|
||||
7. On the same tab, in the **Attributes** section, configure the following map:
|
||||
2.6. On the same tab, in the **Attributes** section, configure the following map:
|
||||
|
||||
- `email -> email`
|
||||
- `firstName -> firstname`
|
||||
- `lastName -> lastname`
|
||||
- `email -> email`
|
||||
- `firstName -> firstname`
|
||||
- `lastName -> lastname`
|
||||
|
||||

|
||||

|
||||
|
||||
Finally press activate to create the SAML application.
|
||||
Finally press activate to create the SAML application.
|
||||
|
||||
8. Next, select the newly created SAML application and select **Download certificate** under the **IDP Certificate Valid** dropdown
|
||||
2.7. Next, select the newly created SAML application and select **Download certificate** under the **IDP Certificate Valid** dropdown
|
||||
|
||||

|
||||

|
||||
</Step>
|
||||
<Step title="Finish configuring SAML in Infisical">
|
||||
Back in Infisical, set the **IDP URL** from step 2.5 and the **IdP Entity ID** from step 2.4. Also, paste the certificate from the previous step.
|
||||
|
||||
9. Back in Infisical, set the **IDP URL** from step 6 and the **IdP Entity ID** from step 5. Also, paste the certificate from the previous step.
|
||||

|
||||
|
||||

|
||||
<Note>
|
||||
When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
|
||||
CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
|
||||
of the text area respectively.
|
||||
</Note>
|
||||
</Step>
|
||||
<Step title="Assign users in JumpCloud to the application">
|
||||
Back in JumpCloud, navigate to the **User Groups** tab and assign users to the newly created application.
|
||||
|
||||
<Note>
|
||||
When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
|
||||
CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
|
||||
of the text area respectively.
|
||||
</Note>
|
||||

|
||||
</Step>
|
||||
<Step title="Enable SAML SSO in Infisical">
|
||||
Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via JumpCloud.
|
||||
|
||||
10. Assignments
|
||||
|
||||
Back in JumpCloud, navigate to the **User Groups** tab and assign users to the newly created application.
|
||||
|
||||

|
||||
|
||||
11. Return to Infisical and enable SAML SSO.
|
||||
|
||||
Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via JumpCloud.
|
||||
|
||||

|
||||

|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
<Note>
|
||||
If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
|
||||
set the `JWT_PROVIDER_AUTH_SECRET` and `SITE_URL` environment variable for it to work:
|
||||
set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
|
||||
|
||||
- `JWT_PROVIDER_AUTH_SECRET`: This is secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
|
||||
- `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
</Note>
|
||||
|
@ -10,78 +10,80 @@ description: "Configure Okta SAML 2.0 for Infisical SSO"
|
||||
then you should contact team@infisical.com to purchase an enterprise license to use it.
|
||||
</Info>
|
||||
|
||||
1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
|
||||
Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
|
||||
<Steps>
|
||||
<Step title="Prepare the SAML SSO configuration in Infisical">
|
||||
In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
|
||||
|
||||
Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
|
||||

|
||||
</Step>
|
||||
<Step title="Create a SAML application in Okta">
|
||||
In the Okta Admin Portal, select Applications > Applications from the navigation. On the Applications screen, select the **Create App Integration**
|
||||
button.
|
||||
|
||||

|
||||

|
||||
|
||||
In the Create a New Application Integration dialog, select the **SAML 2.0** radio button:
|
||||
|
||||
2. In the Okta Admin Portal, select Applications > Applications from the
|
||||
navigation. On the Applications screen, select the **Create App Integration**
|
||||
button.
|
||||

|
||||
|
||||
On the General Settings screen, give the application a unique name like Infisical and select **Next**.
|
||||
|
||||

|
||||
|
||||
On the Configure SAML screen, set the **Single sign-on URL** and **Audience URI (SP Entity ID)** from step 1.
|
||||
|
||||

|
||||

|
||||
|
||||
<Note>
|
||||
If you're self-hosting Infisical, then you will want to replace
|
||||
`https://app.infisical.com` with your own domain.
|
||||
</Note>
|
||||
|
||||
Also on the Configure SAML screen, configure the **Attribute Statements** to map:
|
||||
|
||||
3. In the Create a New Application Integration dialog, select the **SAML 2.0** radio button:
|
||||
- `id -> user.id`,
|
||||
- `email -> user.email`,
|
||||
- `firstName -> user.firstName`
|
||||
- `lastName -> user.lastName`
|
||||
|
||||

|
||||

|
||||
|
||||
4. On the General Settings screen, give the application a unique name like Infisical and select **Next**.
|
||||
Once configured, select **Next** to proceed to the Feedback screen and select **Finish**.
|
||||
</Step>
|
||||
<Step title="Retrieve Identity Provider (IdP) Information from Okta">
|
||||
Once your application is created, select the **Sign On** tab for the app and select the **View Setup Instructions** button located on the right side of the screen:
|
||||
|
||||

|
||||

|
||||
|
||||
5. On the Configure SAML screen, set the **Single sign-on URL** and **Audience URI (SP Entity ID)** from step 1.
|
||||
Copy the **Identity Provider Single Sign-On URL**, the **Identity Provider Issuer**, and the **X.509 Certificate** to use when finishing configuring Okta SAML in Infisical.
|
||||
|
||||

|
||||

|
||||
</Step>
|
||||
<Step title="Finish configuring SAML in Infisical">
|
||||
Back in Infisical, set **Identity Provider Single Sign-On URL**, **Identity Provider Issuer**,
|
||||
and **Certificate** to **X.509 Certificate** from step 3. Once you've done that, press **Update** to complete the required configuration.
|
||||
|
||||
<Note>
|
||||
If you're self-hosting Infisical, then you will want to replace
|
||||
`https://app.infisical.com` with your own domain.
|
||||
</Note>
|
||||

|
||||
</Step>
|
||||
<Step title="Assign users in Okta to the application">
|
||||
Back in Okta, navigate to the **Assignments** tab and select **Assign**. You can assign access to the application on a user-by-user basis using the Assign to People option, or in-bulk using the Assign to Groups option.
|
||||
|
||||
6. Also on the Configure SAML screen, configure the **Attribute Statements** to map:
|
||||

|
||||
|
||||
- `id -> user.id`,
|
||||
- `email -> user.email`,
|
||||
- `firstName -> user.firstName`
|
||||
- `lastName -> user.lastName`
|
||||
At this point, you have configured everything you need within the context of the Okta Admin Portal.
|
||||
</Step>
|
||||
<Step title="Enable SAML SSO in Infisical">
|
||||
Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Okta.
|
||||
|
||||

|
||||
|
||||
Once configured, select **Next** to proceed to the Feedback screen and select **Finish**.
|
||||
|
||||
7. Get IdP values
|
||||
|
||||
Once your application is created, select the **Sign On** tab for the app and select the **View Setup Instructions** button located on the right side of the screen:
|
||||
|
||||

|
||||
|
||||
Copy the **Identity Provider Single Sign-On URL**, the **Identity Provider Issuer**, and the **X.509 Certificate** to use when finishing configuring Okta SAML in Infisical.
|
||||
|
||||

|
||||
|
||||
Back in Infisical, set **Identity Provider Single Sign-On URL**, **Identity Provider Issuer**,
|
||||
and **Certificate** to **X.509 Certificate** from above. Once you've done that, press **Update** to complete the required configuration.
|
||||
|
||||

|
||||
|
||||
8. Finally, navigate to the **Assignments** tab and select **Assign**
|
||||
|
||||
You can assign access to the application on a user-by-user basis using the Assign to People option, or in-bulk using the Assign to Groups option.
|
||||
|
||||

|
||||
|
||||
At this point, you have configured everything you need within the context of the Okta Admin Portal.
|
||||
|
||||
9. Return to Infisical and enable SAML SSO.
|
||||
|
||||
Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Okta.
|
||||
|
||||

|
||||

|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
<Note>
|
||||
If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
|
||||
set the `JWT_PROVIDER_AUTH_SECRET` and `SITE_URL` environment variable for it to work:
|
||||
set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
|
||||
|
||||
- `JWT_PROVIDER_AUTH_SECRET`: This is secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
|
||||
- `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
|
||||
- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
|
||||
</Note>
|
@ -161,8 +161,12 @@
|
||||
"self-hosting/deployment-options/standalone-infisical",
|
||||
"self-hosting/deployment-options/kubernetes-helm",
|
||||
"self-hosting/deployment-options/aws-ec2",
|
||||
"self-hosting/deployment-options/gcp-cloud-run",
|
||||
"self-hosting/deployment-options/azure-app-services",
|
||||
"self-hosting/deployment-options/azure-container-instances",
|
||||
"self-hosting/deployment-options/docker-compose",
|
||||
"self-hosting/deployment-options/digital-ocean-marketplace"
|
||||
"self-hosting/deployment-options/digital-ocean-marketplace",
|
||||
"self-hosting/deployment-options/fly.io"
|
||||
]
|
||||
},
|
||||
"self-hosting/configuration/envars",
|
||||
|
@ -18,15 +18,14 @@ Other environment variables are listed below to increase the functionality of yo
|
||||
Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32`
|
||||
</ParamField>
|
||||
|
||||
<ParamField query="MONGO_URL" type="string" default="none" required>
|
||||
*TLS based connection string is not yet supported
|
||||
</ParamField>
|
||||
<ParamField query="MONGO_URL" type="string" default="none" required>
|
||||
Mongo connection string. *TLS based connection string is not yet supported
|
||||
</ParamField>
|
||||
|
||||
<ParamField query="REDIS_URL" type="string" default="none" required>
|
||||
Redis connection string
|
||||
</ParamField>
|
||||
|
||||
</Tab>
|
||||
<ParamField query="REDIS_URL" type="string" default="none" required>
|
||||
Redis connection string
|
||||
</ParamField>
|
||||
</Tab>
|
||||
<Tab title="Email service">
|
||||
<Info>When email service is not configured, Infisical will have limited functionality</Info>
|
||||
|
||||
|
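--- a/docs/self-hosting/deployment-options/azure-app-services.mdx
+++ b/docs/self-hosting/deployment-options/azure-app-services.mdx
@@ -0,0 +1,71 @@
+---
+title: "Azure App Services"
+description: "Deploy Infisical with Azure App Service"
+---
+
+Prerequisites:
+- Have an account with [Microsoft Azure](https://azure.microsoft.com/en-us)
+
+<Steps>
+<Step title="Create a Web App in Azure App Services">
+1.1. In Azure, navigate to the **App Services** solution and press **Create > Web App**.
+
+
+
+
+
+1.2. In the **Basics** section, specify the **Subscription** and **Resource group** to manage the deployed resource.
+
+Also, give the container a friendly name like Infisical and specify a **Region** for it to be deployed to.
+
+
+
+1.3. In the **Docker** section, select the **Single Container** option under **Options** and specify **Docker Hub** as the image source
+
+Next, under the **Docker hub options** sub-section, select the **Public** option under **Access Type** and fill in your intended [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical) in the **Image and tag** field; this will pull the image from Docker Hub.
+
+For example, in order to opt for Infisical `v0.43.4`, you would input: `infisical/infisical:v0.43.4`.
+
+
+
+1.4. Finally, in the **Review + create** section, double check the information from the previous steps and press **Create** to create the Azure app service.
+
+
+
+1.5. Next, wait a minute or two on the deployment overview page for the app to be created. Once the deployment is complete, press **Go to resource**
+to head to the **App Service dashboard** for the newly-created app.
+
+
+
+1.6. Running Infisical requires a few environment variables to be set for the Azure app service.
+At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+which you can read more about [here](/self-hosting/configuration/envars).
+
+<Note>
+To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
+</Note>
+
+Additionally, you must set the variable `WEBSITES_PORT=8080` since
+Infisical listens on port `8080`.
+
+In the **Settings > Configuration** section of the newly-created app service, fill in the required environment variables.
+
+
+</Step>
+<Step title="Navigate to your deployed instance of Infisical">
+In the **Overview** section, check out the **Default domain** for your instance of Infisical; you can visit the instance at this URL.
+
+
+</Step>
+</Steps>
+
+<AccordionGroup>
+<Accordion title="Do you have any recommendations for deploying Infisical with Azure App Services?">
+Yes, here are a few that come to mind:
+- In step 1.3, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
+instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
+- In step 1.2, we recommend selecting a **Region** option that is closest to your infrastructure/clients to reduce latency.
+
+We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+</Accordion>
+</AccordionGroup>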
@ -0,0 +1,88 @@
|
||||
---
|
||||
title: "Azure Container Instances"
|
||||
description: "Deploy Infisical with Azure Container Instances"
|
||||
---
|
||||
|
||||
Prerequisites:
|
||||
- Have an account with [Microsoft Azure](https://azure.microsoft.com/en-us)
|
||||
|
||||
<Note>
|
||||
This brief goes over how to deploy an instance of Infisical with Azure Container Instances without TLS/SSL configuration.
|
||||
|
||||
There are various options for enabling TLS/SSL with Azure Container Instances more suitable for production including:
|
||||
- [Enabling a TLS endpoint in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-ssl).
|
||||
- [Enabling automatic HTTPS with Caddy in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-automatic-ssl).
|
||||
- Using Azure Function Proxies, Application Gateway, etc.
|
||||
|
||||
For a simpler deployment experience with complete TLS/SSL setup, you may try [deploying Infisical with Azure App Services](/self-hosting/deployment-options/azure-app-services).
|
||||
</Note>
|
||||
|
||||
<Steps>
|
||||
<Step title="Create a container instance in Azure Container Instances">
|
||||
1.1. In Azure, navigate to the **Container Instances** solution and press **Create**.
|
||||
|
||||

|
||||
|
||||

|
||||
|
||||
1.2. In the **Basics** section, specify the **Subscription** and **Resource group** to manage the deployed resource.
|
||||
|
||||
Also, give the container a friendly name like Infisical and specify a **Region** for it to be deployed to.
|
||||
|
||||

|
||||
|
||||
Next, select the **Public** option under **Image type** and fill in your intended [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical) in the **Image** field; this will pull the image from Docker Hub.
|
||||
|
||||
For example, in order to opt for Infisical `v0.43.4`, you would input: `infisical/infisical:v0.43.4`.
|
||||
|
||||

|
||||
|
||||
<Note>
|
||||
Depending on your use-case and requirements, you may find it helpful to further configure your Azure container instance.
|
||||
|
||||
For example, you may want to adjust the **Region** option to specify which region to deploy the container for your
|
||||
instance of Infisical to minimize distance and therefore latency between the instance and your infrastructure.
|
||||
</Note>
|
||||
|
||||
1.3. In the **Networking** section, select the **Public** option under **Networking type**; this will make the container accessible over the public internet.
|
||||
|
||||
Next, under the **Ports** section, add an entry for port `8080` and protocol `TCP`.
|
||||
|
||||

|
||||
|
||||
1.4. Running Infisical requires a few environment variables to be set for the Azure container instance.
|
||||
At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
|
||||
which you can read more about [here](/self-hosting/configuration/envars).
|
||||
|
||||
In the **Advanced** section, fill in the required environment variables.
|
||||
|
||||
<Note>
|
||||
To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
|
||||
</Note>
|
||||
|
||||

|
||||
|
||||
1.5. Finally, in the **Review + create** section, double check the information from the previous steps and press **Create** to create the Azure container instance.
|
||||
|
||||

|
||||
</Step>
|
||||
<Step title="Navigate to your deployed instance of Infisical">
|
||||
Head to the **Overview** page of the newly-created container instance to view its **IP address (Public)**; you can access your instance of Infisical by this IP address under the port `:8080`.
|
||||
|
||||
For example, in the image below, the IP address of the sample deployed container instance is `4.255.87.109`; the instance would be accessible in the browser by heading to `4.255.87.109:8080`.
|
||||
|
||||

|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
<AccordionGroup>
|
||||
<Accordion title="Do you have any recommendations for deploying Infisical with Azure Container Instances?">
|
||||
Yes, here are a few that come to mind:
|
||||
- In step 1.2, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
|
||||
instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
|
||||
- In step 1.2, we recommend selecting a **Region** option that is closest to your infrastructure/clients to reduce latency.
|
||||
- Enable TLS/SSL with Azure Container Instances. There are various options for doing so including [enabling a TLS endpoint in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-ssl), [enabling automatic HTTPS with Caddy in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-automatic-ssl), and using Azure Function Proxies, Application Gateway, etc.
|
||||
|
||||
We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
|
||||
</Accordion>
|
||||
</AccordionGroup>
|
@ -1,63 +1,108 @@
|
||||
---
|
||||
title: "Fly.io"
|
||||
description: "Learn to install Infisical on Fly.io"
|
||||
description: "Deploy Infisical with Fly.io"
|
||||
---
|
||||
|
||||
**Prerequisites**
|
||||
- Familiar with Fly.io deployment
|
||||
- Logged in via fly CLI
|
||||
Prerequisites:
|
||||
- Have an account with [Fly.io](https://fly.io/)
|
||||
- Have installed the [Fly.io CLI](https://fly.io/docs/hands-on/install-flyctl/)
|
||||
|
||||
#### 1. Make a copy of the deployment config
|
||||
To begin, you'll to make a copy of the following file on your local machine
|
||||
<Steps>
|
||||
<Step title="Create an app with Fly.io">
|
||||
In your terminal, run the following command from the source directory of your project to create a new Fly.io app
|
||||
with a `fly.toml` configuration file:
|
||||
|
||||
```
|
||||
fly launch
|
||||
```
|
||||
</Step>
|
||||
<Step title="Edit the fly.toml configuration file">
|
||||
Add a **build** section to the `fly.toml` file to specify the [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical):
|
||||
|
||||
```toml fly.toml
|
||||
# fly.toml app configuration file generated for infisical on 2023-05-05T08:57:03-04:00
|
||||
#
|
||||
# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
|
||||
#
|
||||
```
|
||||
[build]
|
||||
image = "infisical/infisical:v0.43.4"
|
||||
```
|
||||
|
||||
app = "infisical"
|
||||
primary_region = "iad"
|
||||
Afterwards, your `fly.toml` file should look similar to:
|
||||
|
||||
[build]
|
||||
image = "infisical/infisical:latest"
|
||||
```
|
||||
app = "infisical"
|
||||
primary_region = "lax"
|
||||
|
||||
[env]
|
||||
ENCRYPTION_KEY = <>
|
||||
JWT_AUTH_SECRET = <>
|
||||
JWT_REFRESH_SECRET = <>
|
||||
JWT_SERVICE_SECRET = <>
|
||||
JWT_SIGNUP_SECRET = <>
|
||||
MONGO_URL = <>
|
||||
[http_service]
|
||||
internal_port = 8080
|
||||
force_https = true
|
||||
auto_stop_machines = true
|
||||
auto_start_machines = true
|
||||
min_machines_running = 0
|
||||
processes = ["app"]
|
||||
|
||||
[http_service]
|
||||
internal_port = 8080
|
||||
[[vm]]
|
||||
cpu_kind = "shared"
|
||||
cpus = 1
|
||||
memory_mb = 1024
|
||||
|
||||
```
|
||||
[build]
|
||||
image = "infisical/infisical:v0.43.4"
|
||||
```
|
||||
|
||||
<Note>
|
||||
Depending on your use-case and requirements, you may find it helpful to further configure your `fly.toml` file
|
||||
with options [here](https://fly.io/docs/reference/configuration/).
|
||||
|
||||
#### 2. Add environment variables
|
||||
For example, you may want to adjust the `primary-region` option to specify which [region](https://fly.io/docs/reference/regions/) to create the new machine for your
|
||||
instance of Infisical to minimize distance and therefore latency between the instance and your infrastructure.
|
||||
</Note>
|
||||
|
||||
</Step>
|
||||
<Step title="Set secrets for your Fly.io app">
|
||||
Running Infisical requires a few environment variables to be set on the Fly.io machine.
|
||||
At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
|
||||
which you can read more about [here](/self-hosting/configuration/envars).
|
||||
|
||||
For this step, we recommend setting the variables as Fly.io [app secrets](https://fly.io/docs/reference/secrets/) which
|
||||
are made available to the app as environment variables. You can set the variables either via the Fly.io CLI or project [dashboard](https://fly.io/dashboard).
|
||||
|
||||
<Tabs>
|
||||
<Tab title="CLI">
|
||||
Run the following command (with each `VALUE` replaced) in the source directory of your project to set the required variables:
|
||||
|
||||
Before we can deploy Infisical, we'll need to provide values for the keys under `[env]` config block. For each of the following keys
|
||||
```
|
||||
flyctl secrets set ENCRYPTION_KEY=VALUE AUTH_SECRET=VALUE MONGO_URL=VALUE REDIS_URL=VALUE...
|
||||
```
|
||||
</Tab>
|
||||
<Tab title="Dashboard">
|
||||
In Fly.io, head to your Project > Secrets and add the required variables.
|
||||
|
||||
- `ENCRYPTION_KEY`
|
||||
- `JWT_AUTH_SECRET`
|
||||
- `JWT_REFRESH_SECRET`
|
||||
- `JWT_SERVICE_SECRET`
|
||||
- `JWT_SIGNUP_SECRET`
|
||||

|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
<Note>
|
||||
To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
|
||||
</Note>
|
||||
</Step>
|
||||
<Step title="Deploy the Fly.io app">
|
||||
Finally, run the following command in the source directory of your project to deploy your Infisical instance on Fly.io
|
||||
with the updated `fly.toml` configuration file from step 2 and secrets from step 3:
|
||||
|
||||
you will need to generate a random 16 byte hex string. This can can be generated with `openssl rand -hex 16`.
|
||||
```
|
||||
fly deploy
|
||||
```
|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
<AccordionGroup>
|
||||
<Accordion title="Do you have any recommendations for deploying Infisical with Fly.io?">
|
||||
Yes, here are a few that come to mind:
|
||||
- In step 2, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
|
||||
instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
|
||||
- In step 2, we recommend selecting a `primary_region` option that is closest to your infrastructure/clients to reduce latency; a full list of regions supported by Fly.io can be found [here](https://fly.io/docs/reference/regions/).
|
||||
|
||||
We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
|
||||
</Accordion>
|
||||
</AccordionGroup>
|
||||
|
||||
Lastly, the `MONGO_URL` environment variable requires a document database connection URL.
|
||||
You can obtain this URL by creating a document database using services such as [MongoDB](https://www.mongodb.com/), [AWS DocumentDB](https://aws.amazon.com/documentdb/), and others.
|
||||
|
||||
#### 3. Deploy
|
||||
|
||||
Run `fly launch` in the directory where you have the local version of config from step 1 and follow the instructions.
|
||||
Once done, your very own instance of Infisical should be up and running on Fly.io.
|
||||
|
||||
Please note that this version of Infisical requires at least 250MB of memory to operate smoothly.
|
||||
|
||||
<Info>
|
||||
Once installation is complete, you will have to create the first account. No default account is provided.
|
||||
</Info>
|
||||
Resources:
|
||||
- [Fly.io documentation](https://fly.io/docs/)
|
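--- a/docs/self-hosting/deployment-options/gcp-cloud-run.mdx
+++ b/docs/self-hosting/deployment-options/gcp-cloud-run.mdx
@@ -0,0 +1,68 @@
+---
+title: "GCP Cloud Run"
+description: "Deploy Infisical with GCP Cloud Run"
+---
+
+Prerequisites:
+- Have an account with [Google Cloud Platform (GCP)](https://cloud.google.com/)
+
+<Steps>
+<Step title="Create a project in GCP">
+In GCP, create a new project and give it a friendly name like Infisical.
+
+
+
+
+</Step>
+<Step title="Create a service in GCP Cloud Run">
+2.1. Inside the GCP project, navigate to the **Cloud Run** product and create a new service.
+
+
+
+
+
+2.2. In the service creation form, select the **Deploy one revision from an existing container image** option and fill in your intended [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical) in the container image URL.
+
+For example, in order to opt for Infisical `v0.43.4`, you would input: `docker.io/infisical/infisical:v0.43.4`.
+
+
+
+2.3. Running Infisical requires a few environment variables to be set for the GCP Cloud Run service.
+At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+which you can read more about [here](/self-hosting/configuration/envars).
+
+For this step, fill in the required environment variables in the Edit Container > Variables & Secrets > Environment variables section.
+
+<Note>
+To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
+</Note>
+
+
+
+<Note>
+Depending on your use-case and requirements, you may find it helpful to further configure your GCP Cloud Run service.
+
+For example, you may want to adjust the **Region** option to specify which region to deploy the underlying container for your
+instance of Infisical to minimize distance and therefore latency between the instance and your infrastructure.
+</Note>
+
+Finally, press **Create** to finish setting up the GCP Cloud Run service.
+</Step>
+<Step title="Navigate to your deployed instance of Infisical">
+Head to the **Service details** of the newly-created service to view its URL; you can access your instance of Infisical by clicking on the URL.
+
+
+</Step>
+</Steps>
+
+<AccordionGroup>
+<Accordion title="Do you have any recommendations for deploying Infisical with GCP Cloud Run?">
+Yes, here are a few that come to mind:
+- In step 2, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
+instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
+- In step 2, we recommend selecting a **Region** option that is closest to your infrastructure/clients to reduce latency.
+
+We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+</Accordion>
+</AccordionGroup>
+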
@ -24,25 +24,23 @@ docker pull infisical/infisical:latest
|
||||
## Run with docker
|
||||
To run Infisical, we'll need to configure the required configs listed below.
|
||||
Other configs can be found [here](../configuration/envars)
|
||||
|
||||
|
||||
<ParamField query="ENCRYPTION_KEY" type="string" default="none" required>
|
||||
Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
|
||||
</ParamField>
|
||||
|
||||
<ParamField query="AUTH_SECRET" type="string" default="none" required>
|
||||
Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
|
||||
Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32`
|
||||
</ParamField>
|
||||
|
||||
<ParamField query="MONGO_URL" type="string" default="none" required>
|
||||
A MongoDB connection string. Can use any MongoDB PaaS such as Mongo Atlas, AWS Document DB, etc.
|
||||
*TLS based connection string is not yet supported
|
||||
</ParamField>
|
||||
|
||||
<ParamField query="REDIS_URL" type="string" default="none">
|
||||
Redis connection string. Only required if you plan to use web integrations or secret reminders.
|
||||
<ParamField query="REDIS_URL" type="string" default="none" required>
|
||||
Redis connection string
|
||||
</ParamField>
|
||||
|
||||
|
||||
Once you have added the required environment variables to your docker run command, execute it in your terminal.
|
||||
|
||||
```bash
|
||||
|
@ -33,10 +33,38 @@ Choose from a variety of deployment options listed below to get started.
|
||||
Install Infisical using our Docker Compose template
|
||||
</Card>
|
||||
<Card
|
||||
title="Kubernetes"
|
||||
color="#ea5a0c"
|
||||
href="deployment-options/kubernetes-helm"
|
||||
>
|
||||
title="Kubernetes"
|
||||
color="#ea5a0c"
|
||||
href="deployment-options/kubernetes-helm"
|
||||
>
|
||||
Use our Helm chart to Install Infisical on your Kubernetes cluster
|
||||
</Card>
|
||||
</Card>
|
||||
<Card
|
||||
title="Fly.io"
|
||||
color="#ea5a0c"
|
||||
href="deployment-options/fly.io"
|
||||
>
|
||||
Deploy Infisical with Fly.io
|
||||
</Card>
|
||||
<Card
|
||||
title="GCP Cloud Run"
|
||||
color="#ea5a0c"
|
||||
href="deployment-options/gcp-cloud-run"
|
||||
>
|
||||
Deploy Infisical with GCP Cloud Run
|
||||
</Card>
|
||||
<Card
|
||||
title="Azure App Services"
|
||||
color="#ea5a0c"
|
||||
href="deployment-options/azure-app-services"
|
||||
>
|
||||
Deploy Infisical with Azure App Services
|
||||
</Card>
|
||||
<Card
|
||||
title="Azure Container Instances"
|
||||
color="#ea5a0c"
|
||||
href="deployment-options/azure-container-instances"
|
||||
>
|
||||
Deploy Infisical with Azure Container Instances
|
||||
</Card>
|
||||
</CardGroup>
|
||||
|
@ -63,7 +63,7 @@ export const SecretApprovalRequest = () => {
|
||||
(prev, curr) => ({ ...prev, [curr._id]: curr }),
|
||||
{}
|
||||
);
|
||||
const myMembershipId = members?.find(({ user }) => user._id === presentUser._id)?._id;
|
||||
const myMembershipId = members?.find(({ user }) => user._id === presentUser?._id)?._id;
|
||||
const isSecretApprovalScreen = Boolean(selectedApproval);
|
||||
|
||||
const handleGoBackSecretRequestDetail = () => {
|
||||
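Review bot: The optional chain in `presentUser?._id` on the new `myMembershipId` line turns a missing current user into a comparison of every member's `user._id` against `undefined`, so `myMembershipId` becomes `undefined` silently and would resolve to whichever member happens to lack a `user._id`, should such a record ever exist. A guard states the intent directly: `const myMembershipId = presentUser ? members?.find(({ user }) => user._id === presentUser._id)?._id : undefined;`. Since `myMembershipId` presumably gates which approval actions the screen offers, falling back to `undefined` without comment deserves at least a one-line note on why an absent user is acceptable here rather than an error. The enclosing `SecretApprovalRequest` component starts and ends outside the hunk.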
@ -101,7 +101,7 @@ export const SecretApprovalRequest = () => {
|
||||
exit={{ opacity: 0, translateX: 30 }}
|
||||
className="rounded-md text-gray-300"
|
||||
>
|
||||
<div className="p-4 px-8 flex items-center space-x-8 bg-mineshaft-800 rounded-t-md border-t border-x border-mineshaft-600">
|
||||
<div className="flex items-center space-x-8 rounded-t-md border-x border-t border-mineshaft-600 bg-mineshaft-800 p-4 px-8">
|
||||
<div
|
||||
role="button"
|
||||
tabIndex={0}
|
||||
@ -110,7 +110,7 @@ export const SecretApprovalRequest = () => {
|
||||
if (evt.key === "Enter") setStatusFilter("open");
|
||||
}}
|
||||
className={
|
||||
statusFilter === "close" ? "text-gray-500 hover:text-gray-400 duration-100" : ""
|
||||
statusFilter === "close" ? "text-gray-500 duration-100 hover:text-gray-400" : ""
|
||||
}
|
||||
>
|
||||
<FontAwesomeIcon icon={faCodeBranch} className="mr-2" />
|
||||
@ -118,7 +118,7 @@ export const SecretApprovalRequest = () => {
|
||||
</div>
|
||||
<div
|
||||
className={
|
||||
statusFilter === "open" ? "text-gray-500 hover:text-gray-400 duration-100" : ""
|
||||
statusFilter === "open" ? "text-gray-500 duration-100 hover:text-gray-400" : ""
|
||||
}
|
||||
role="button"
|
||||
tabIndex={0}
|
||||
@ -130,7 +130,7 @@ export const SecretApprovalRequest = () => {
|
||||
<FontAwesomeIcon icon={faCheck} className="mr-2" />
|
||||
{isSecretApprovalReqCountSuccess && secretApprovalRequestCount.closed} Closed
|
||||
</div>
|
||||
<div className="flex-grow flex justify-end space-x-8">
|
||||
<div className="flex flex-grow justify-end space-x-8">
|
||||
<DropdownMenu>
|
||||
<DropdownMenuTrigger>
|
||||
<Button
|
||||
@ -185,7 +185,7 @@ export const SecretApprovalRequest = () => {
|
||||
</DropdownMenu>
|
||||
</div>
|
||||
</div>
|
||||
<div className="flex flex-col border-t border-mineshaft-600 bg-mineshaft-800 rounded-b-md border-b border-x border-mineshaft-600">
|
||||
<div className="flex flex-col rounded-b-md border-x border-t border-b border-mineshaft-600 border-mineshaft-600 bg-mineshaft-800">
|
||||
{isRequestListEmpty && (
|
||||
<div className="py-12">
|
||||
<EmptyState title="No more requests pending." />
|
||||
@ -246,9 +246,9 @@ export const SecretApprovalRequest = () => {
|
||||
>
|
||||
<div className="mb-2 flex items-center">
|
||||
<FontAwesomeIcon icon={faCodeBranch} className="mr-2" />
|
||||
<Skeleton className="bg-mineshaft-600 w-1/4" />
|
||||
<Skeleton className="w-1/4 bg-mineshaft-600" />
|
||||
</div>
|
||||
<Skeleton className="bg-mineshaft-600 w-1/2" />
|
||||
<Skeleton className="w-1/2 bg-mineshaft-600" />
|
||||
</div>
|
||||
))}
|
||||
</div>
|
||||
|
@ -22,6 +22,7 @@ type Props = {
|
||||
isMergable?: boolean;
|
||||
status: "close" | "open";
|
||||
approvals: number;
|
||||
canApprove?: boolean;
|
||||
statusChangeByEmail: string;
|
||||
workspaceId: string;
|
||||
};
|
||||
@ -33,7 +34,8 @@ export const SecretApprovalRequestAction = ({
|
||||
isMergable,
|
||||
approvals,
|
||||
statusChangeByEmail,
|
||||
workspaceId
|
||||
workspaceId,
|
||||
canApprove
|
||||
}: Props) => {
|
||||
const { createNotification } = useNotificationContext();
|
||||
const { mutateAsync: performSecretApprovalMerge, isLoading: isMerging } =
|
||||
@ -83,11 +85,11 @@ export const SecretApprovalRequestAction = ({
|
||||
|
||||
if (!hasMerged && status === "open") {
|
||||
return (
|
||||
<div className="flex justify-between items-center w-full">
|
||||
<div className="flex space-x-4 items-start">
|
||||
<div className="flex w-full items-center justify-between">
|
||||
<div className="flex items-start space-x-4">
|
||||
<FontAwesomeIcon
|
||||
icon={isMergable ? faSquareCheck : faSquareXmark}
|
||||
className={twMerge("text-2xl pt-1", isMergable ? "text-primary" : "text-red-600")}
|
||||
className={twMerge("pt-1 text-2xl", isMergable ? "text-primary" : "text-red-600")}
|
||||
/>
|
||||
<span className="flex flex-col">
|
||||
{isMergable ? "Good to merge" : "Review required"}
|
||||
@ -98,25 +100,31 @@ export const SecretApprovalRequestAction = ({
|
||||
</span>
|
||||
</div>
|
||||
<div className="flex items-center space-x-2">
|
||||
<Button
|
||||
onClick={() => handleSecretApprovalStatusChange("close")}
|
||||
isLoading={isStatusChanging}
|
||||
variant="outline_bg"
|
||||
colorSchema="secondary"
|
||||
leftIcon={<FontAwesomeIcon icon={faClose} />}
|
||||
>
|
||||
Close request
|
||||
</Button>
|
||||
<Button
|
||||
leftIcon={<FontAwesomeIcon icon={faCheck} />}
|
||||
isDisabled={!isMergable}
|
||||
isLoading={isMerging}
|
||||
onClick={handleSecretApprovalRequestMerge}
|
||||
colorSchema="primary"
|
||||
variant="solid"
|
||||
>
|
||||
Merge
|
||||
</Button>
|
||||
{canApprove ? (
|
||||
<>
|
||||
<Button
|
||||
onClick={() => handleSecretApprovalStatusChange("close")}
|
||||
isLoading={isStatusChanging}
|
||||
variant="outline_bg"
|
||||
colorSchema="secondary"
|
||||
leftIcon={<FontAwesomeIcon icon={faClose} />}
|
||||
>
|
||||
Close request
|
||||
</Button>
|
||||
<Button
|
||||
leftIcon={<FontAwesomeIcon icon={faCheck} />}
|
||||
isDisabled={!isMergable}
|
||||
isLoading={isMerging}
|
||||
onClick={handleSecretApprovalRequestMerge}
|
||||
colorSchema="primary"
|
||||
variant="solid"
|
||||
>
|
||||
Merge
|
||||
</Button>
|
||||
</>
|
||||
) : (
|
||||
<div>Only approvers can merge</div>
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
);
|
||||
@ -124,9 +132,9 @@ export const SecretApprovalRequestAction = ({
|
||||
|
||||
if (hasMerged && status === "close")
|
||||
return (
|
||||
<div className="flex justify-between items-center w-full">
|
||||
<div className="flex space-x-4 items-start">
|
||||
<FontAwesomeIcon icon={faCheck} className="text-2xl text-primary pt-1" />
|
||||
<div className="flex w-full items-center justify-between">
|
||||
<div className="flex items-start space-x-4">
|
||||
<FontAwesomeIcon icon={faCheck} className="pt-1 text-2xl text-primary" />
|
||||
<span className="flex flex-col">
|
||||
Change request merged
|
||||
<span className="inline-block text-xs text-bunker-200">
|
||||
@ -138,9 +146,9 @@ export const SecretApprovalRequestAction = ({
|
||||
);
|
||||
|
||||
return (
|
||||
<div className="flex justify-between items-center w-full">
|
||||
<div className="flex space-x-4 items-start">
|
||||
<FontAwesomeIcon icon={faUserLock} className="text-2xl text-primary pt-1" />
|
||||
<div className="flex w-full items-center justify-between">
|
||||
<div className="flex items-start space-x-4">
|
||||
<FontAwesomeIcon icon={faUserLock} className="pt-1 text-2xl text-primary" />
|
||||
<span className="flex flex-col">
|
||||
Change request has been closed
|
||||
<span className="inline-block text-xs text-bunker-200">
|
||||
|
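Review bot: The `{canApprove ? (` branch only hides the Close and Merge buttons; `handleSecretApprovalRequestMerge` and `handleSecretApprovalStatusChange` remain in the component, so the merge and status-change endpoints must themselves reject callers who are not in the policy's approver list, which this change cannot show — the same applies to the `!canApprove` disabling of Approve/Reject in SecretApprovalRequestChanges. The fallback text `<div>Only approvers can merge</div>` also stands in for the now-hidden Close button; either reword it, e.g. `<div>Only approvers can close or merge this request</div>`, or keep Close visible to non-approvers if the requester is meant to be able to withdraw their own request (not determinable from the hunk). `canApprove?: boolean` is optional with no default, so an omitted prop falls through to the non-approver branch, which is the safe direction, but making it required would still catch call sites that forget to pass it. The component body starts and ends outside the hunks.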
@ -108,6 +108,7 @@ export const SecretApprovalRequestChanges = ({
|
||||
({ user: membershipUser }) => membershipUser.email === user.email
|
||||
);
|
||||
const myMembershipId = myMembership?._id || "";
|
||||
const canApprove = secretApprovalRequestDetails?.policy?.approvers?.includes(myMembershipId);
|
||||
const reviewedMembers = secretApprovalRequestDetails?.reviewers?.reduce<
|
||||
Record<string, ApprovalStatus>
|
||||
>(
|
||||
@ -164,30 +165,30 @@ export const SecretApprovalRequestChanges = ({
|
||||
return (
|
||||
<div className="flex space-x-6">
|
||||
<div className="flex-grow">
|
||||
<div className="flex items-center space-x-4 pt-2 pb-6 sticky top-0 z-20 bg-bunker-800">
|
||||
<div className="sticky top-0 z-20 flex items-center space-x-4 bg-bunker-800 pt-2 pb-6">
|
||||
<IconButton variant="outline_bg" ariaLabel="go-back" onClick={onGoBack}>
|
||||
<FontAwesomeIcon icon={faArrowLeft} />
|
||||
</IconButton>
|
||||
<div className="bg-red-600 text-white flex items-center space-x-2 px-4 py-2 rounded-3xl">
|
||||
<div className="flex items-center space-x-2 rounded-3xl bg-red-600 px-4 py-2 text-white">
|
||||
<FontAwesomeIcon icon={faCodeBranch} size="sm" />
|
||||
<span>{secretApprovalRequestDetails.status}</span>
|
||||
</div>
|
||||
<div className="flex flex-col flex-grow">
|
||||
<div className="text-lg mb-1">
|
||||
<div className="flex flex-grow flex-col">
|
||||
<div className="mb-1 text-lg">
|
||||
{generateCommitText(secretApprovalRequestDetails.commits)}
|
||||
</div>
|
||||
<div className="text-sm text-bunker-300 flex items-center">
|
||||
<div className="flex items-center text-sm text-bunker-300">
|
||||
{committer?.user?.firstName}
|
||||
{committer?.user?.lastName} ({committer?.user?.email}) wants to change{" "}
|
||||
{secretApprovalRequestDetails.commits.length} secret values in
|
||||
<span className="text-primary-300 bg-primary-600/60 px-1 mx-1 rounded">
|
||||
<span className="mx-1 rounded bg-primary-600/60 px-1 text-primary-300">
|
||||
{secretApprovalRequestDetails.environment}
|
||||
</span>
|
||||
<div className="flex items-center border border-mineshaft-500 pl-1 pr-2 rounded w-min">
|
||||
<div className="flex w-min items-center rounded border border-mineshaft-500 pl-1 pr-2">
|
||||
<div className="border-r border-mineshaft-500 pr-1">
|
||||
<FontAwesomeIcon icon={faFolder} className="text-primary" size="sm" />
|
||||
</div>
|
||||
<div className="text-sm pl-2 pb-0.5">{secretApprovalRequestDetails.secretPath}</div>
|
||||
<div className="pl-2 pb-0.5 text-sm">{secretApprovalRequestDetails.secretPath}</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
@ -198,7 +199,7 @@ export const SecretApprovalRequestChanges = ({
|
||||
leftIcon={hasApproved && <FontAwesomeIcon icon={faCheck} />}
|
||||
onClick={() => handleSecretApprovalStatusUpdate(ApprovalStatus.APPROVED)}
|
||||
isLoading={isApproving}
|
||||
isDisabled={isApproving || hasApproved}
|
||||
isDisabled={isApproving || hasApproved || !canApprove}
|
||||
>
|
||||
{hasApproved ? "Approved" : "Approve"}
|
||||
</Button>
|
||||
@ -208,7 +209,7 @@ export const SecretApprovalRequestChanges = ({
|
||||
leftIcon={hasRejected && <FontAwesomeIcon icon={faCheck} />}
|
||||
onClick={() => handleSecretApprovalStatusUpdate(ApprovalStatus.REJECTED)}
|
||||
isLoading={isRejecting}
|
||||
isDisabled={isRejecting || hasRejected}
|
||||
isDisabled={isRejecting || hasRejected || !canApprove}
|
||||
>
|
||||
{hasRejected ? "Rejected" : "Reject"}
|
||||
</Button>
|
||||
@ -230,8 +231,9 @@ export const SecretApprovalRequestChanges = ({
|
||||
)
|
||||
)}
|
||||
</div>
|
||||
<div className="flex items-center px-5 py-6 rounded-lg space-x-6 bg-mineshaft-800 mt-8">
|
||||
<div className="mt-8 flex items-center space-x-6 rounded-lg bg-mineshaft-800 px-5 py-6">
|
||||
<SecretApprovalRequestAction
|
||||
canApprove={canApprove}
|
||||
approvalRequestId={secretApprovalRequestDetails._id}
|
||||
hasMerged={hasMerged}
|
||||
approvals={secretApprovalRequestDetails.policy.approvals || 0}
|
||||
@ -244,7 +246,7 @@ export const SecretApprovalRequestChanges = ({
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
<div className="w-1/5 pt-4 sticky top-0" style={{ minWidth: "240px" }}>
|
||||
<div className="sticky top-0 w-1/5 pt-4" style={{ minWidth: "240px" }}>
|
||||
<div className="text-sm text-bunker-300">Reviewers</div>
|
||||
<div className="mt-2 flex flex-col space-y-2 text-sm">
|
||||
{secretApprovalRequestDetails?.policy?.approvers.map((requiredApproverId) => {
|
||||
@ -252,7 +254,7 @@ export const SecretApprovalRequestChanges = ({
|
||||
const status = reviewedMembers?.[requiredApproverId];
|
||||
return (
|
||||
<div
|
||||
className="flex items-center space-x-2 flex-nowrap bg-mineshaft-800 px-2 py-1 rounded"
|
||||
className="flex flex-nowrap items-center space-x-2 rounded bg-mineshaft-800 px-2 py-1"
|
||||
key={`required-approver-${requiredApproverId}`}
|
||||
>
|
||||
<div className="flex-grow text-sm">
|
||||
@ -278,7 +280,7 @@ export const SecretApprovalRequestChanges = ({
|
||||
const status = reviewedMembers?.[reviewer.status];
|
||||
return (
|
||||
<div
|
||||
className="flex items-center space-x-2 flex-nowrap bg-mineshaft-800 px-2 py-1 rounded"
|
||||
className="flex flex-nowrap items-center space-x-2 rounded bg-mineshaft-800 px-2 py-1"
|
||||
key={`required-approver-${reviewer.member}`}
|
||||
>
|
||||
<div className="flex-grow text-sm">
|
||||
|
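Review bot: The new `const canApprove = secretApprovalRequestDetails?.policy?.approvers?.includes(myMembershipId);` derives the approver check from a membership matched by email on the context line above (`membershipUser.email === user.email`), whereas the `SecretApprovalRequest` component in this same change matches memberships by `user._id`; matching by id here as well, `({ user: membershipUser }) => membershipUser._id === user._id`, would keep the two consistent, assuming `user` carries `_id` (not visible in the hunk). Since `myMembershipId` falls back to `""` when no membership is found, `includes("")` yields false and the Approve/Reject buttons stay disabled, which is the safe direction. The component body continues outside the hunks.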
@ -13,7 +13,7 @@ type: application
|
||||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.3.2
|
||||
version: 0.3.3
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
# follow Semantic Versioning. They should reflect the version the application is using.
|
||||
|
@ -13,6 +13,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
ctrl "sigs.k8s.io/controller-runtime"
|
||||
)
|
||||
|
||||
const SERVICE_ACCOUNT_ACCESS_KEY = "serviceAccountAccessKey"
|
||||
@ -159,7 +160,13 @@ func (r *InfisicalSecretReconciler) CreateInfisicalManagedKubeSecret(ctx context
|
||||
Data: plainProcessedSecrets,
|
||||
}
|
||||
|
||||
err := r.Client.Create(ctx, newKubeSecretInstance)
|
||||
// Set InfisicalSecret instance as the owner and controller
|
||||
err := ctrl.SetControllerReference(&infisicalSecret, newKubeSecretInstance, r.Scheme)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = r.Client.Create(ctx, newKubeSecretInstance)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to create the managed Kubernetes secret : %w", err)
|
||||
}
|
||||
|