docs: requested changes

docs: better k8s pre-req
docs: small k8s docs improvements
2025-07-11 12:11:38 +00:00 · 2025-01-13 14:35:36 +01:00 · 2025-01-10 20:16:30 +01:00 · 2025-01-10 20:10:00 +01:00
7 changed files with 53 additions and 57 deletions
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@ -1289,10 +1289,7 @@ const syncSecretsAWSSecretManager = async ({

  if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
    for await (const [key, value] of Object.entries(secrets)) {
-      await processAwsSecret(key, value.value, value.secretMetadata).catch((error) => {
-        error.secretKey = key;
-        throw error;
-      });
+      await processAwsSecret(key, value.value, value.secretMetadata);
    }
  } else {
    await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
--- a/backend/src/services/integration-auth/integration-team.ts
+++ b/backend/src/services/integration-auth/integration-team.ts
@ -1,5 +1,3 @@
-import { AxiosResponse } from "axios";
-
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";

@ -13,27 +11,19 @@ const getTeamsGitLab = async ({ url, accessToken }: { url: string; accessToken:
  const gitLabApiUrl = url ? `${url}/api` : IntegrationUrls.GITLAB_API_URL;

  let teams: Team[] = [];
-  let page: number = 1;
-  while (page > 0) {
-    // eslint-disable-next-line no-await-in-loop
-    const { data, headers }: AxiosResponse<{ name: string; id: string }[]> = await request.get(
-      `${gitLabApiUrl}/v4/groups?page=${page}`,
-      {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json"
-        }
+  const res = (
+    await request.get<{ name: string; id: string }[]>(`${gitLabApiUrl}/v4/groups`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
      }
-    );
+    })
+  ).data;

-    page = Number(headers["x-next-page"] ?? "");
-    teams = teams.concat(
-      data.map((t) => ({
-        name: t.name,
-        id: t.id.toString()
-      }))
-    );
-  }
+  teams = res.map((t) => ({
+    name: t.name,
+    id: t.id.toString()
+  }));

  return teams;
 };
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@ -971,8 +971,6 @@ export const secretQueueFactory = ({
              });
            }

-            const { secretKey } = (err as { secretKey: string }) || {};
-
            const message =
              // eslint-disable-next-line no-nested-ternary
              (err instanceof AxiosError
@ -981,8 +979,6 @@ export const secretQueueFactory = ({
                  : err?.message
                : (err as Error)?.message) || "Unknown error occurred.";

-            const errorLog = `${secretKey ? `[Secret Key: ${secretKey}] ` : ""}${message}`;
-
            await auditLogService.createAuditLog({
              projectId,
              actor: await $generateActor(actorId, isManual),
@ -993,7 +989,7 @@ export const secretQueueFactory = ({
                  isSynced: false,
                  lastSyncJobId: job?.id ?? "",
                  lastUsed: new Date(),
-                  syncMessage: errorLog
+                  syncMessage: message
                }
              }
            });
@ -1005,13 +1001,13 @@ export const secretQueueFactory = ({

            await integrationDAL.updateById(integration.id, {
              lastSyncJobId: job.id,
-              syncMessage: errorLog,
+              syncMessage: message,
              isSynced: false
            });

            integrationsFailedToSync.push({
              integrationId: integration.id,
-              syncMessage: errorLog
+              syncMessage: message
            });
          }
        }
--- a/cli/packages/cmd/run.go
+++ b/cli/packages/cmd/run.go
@ -419,23 +419,22 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt

 	for {
 		<-recheckSecretsChannel
-		func() {
-			watchMutex.Lock()
-			defer watchMutex.Unlock()
+		watchMutex.Lock()

-			newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
-			if err != nil {
-				log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
-				return
-			}
+		newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
+		if err != nil {
+			log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
+			continue
+		}

-			if newEnvironmentVariables.ETag != currentETag {
-				runCommandWithWatcher(newEnvironmentVariables)
-			} else {
-				log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
-			}
+		if newEnvironmentVariables.ETag != currentETag {
+			runCommandWithWatcher(newEnvironmentVariables)
+		} else {
+			log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
+		}
+
+		watchMutex.Unlock()

-		}()
 	}
 }

--- a/docs/integrations/platforms/kubernetes/infisical-dynamic-secret-crd.mdx
+++ b/docs/integrations/platforms/kubernetes/infisical-dynamic-secret-crd.mdx
@ -1,6 +1,6 @@
 ---
 sidebarTitle: "InfisicalDynamicSecret CRD"
-title: "InfisicalDynamicSecret CRD"
+title: "Using the InfisicalDynamicSecret CRD"
 description: "Learn how to generate dynamic secret leases in Infisical and sync them to your Kubernetes cluster."
 ---
 ## Overview 
@ -15,8 +15,10 @@ This CRD offers the following features:
 - **Optionally trigger redeployments** of any workloads that consume the secret if you enable auto-reload.

 ### Prerequisites
- The operator is installed on to your Kubernetes cluster
- You have already configured a dynamic secret in Infisical
+- A project within Infisical.
+- A [machine identity](/docs/documentation/platform/identities/overview) ready for use in Infisical that has permissions to create dynamic secret leases in the project.
+- You have already configured a dynamic secret in Infisical.
+- The operator is installed on to your Kubernetes cluster.

 ## Configure Dynamic Secret CRD

--- a/docs/integrations/platforms/kubernetes/infisical-push-secret-crd.mdx
+++ b/docs/integrations/platforms/kubernetes/infisical-push-secret-crd.mdx
@ -5,10 +5,22 @@ description: "Learn how to use the InfisicalPushSecret CRD to push and manage se
 ---


-## Push Secrets to Infisical
+## Overview 
+
+The **InfisicalPushSecret** CRD allows you to create secrets in your Kubernetes cluster and push them to Infisical. 


-### Example usage
+This CRD offers the following features:
+- **Push Secrets** from a Kubernetes secret into Infisical.
+- **Manage secret lifecycle** of pushed secrets in Infisical. When the Kubernetes secret is updated, the operator will automatically update the secrets in Infisical. Optionally, when the Kubernetes secret is deleted, the operator will delete the secrets in Infisical automatically.
+
+### Prerequisites
+
+- A project within Infisical.
+- A [machine identity](/docs/documentation/platform/identities/overview) ready for use in Infisical that has permissions to create secrets in your project.
+- The operator is installed on to your Kubernetes cluster.
+
+## Example usage

 Below is a sample InfisicalPushSecret CRD that pushes secrets defined in a Kubernetes secret to Infisical.

@ -89,7 +101,7 @@ After applying the soruce-secret.yaml file, you are ready to apply the Infisical
 After applying the InfisicalPushSecret CRD, you should notice that the secrets you have defined in your source-secret.yaml file have been pushed to your specified destination in Infisical.


-### InfisicalPushSecret CRD properties
+## InfisicalPushSecret CRD properties

 <Accordion title="hostAPI">
  If you are fetching secrets from a self-hosted instance of Infisical set the value of `hostAPI` to 
@ -272,7 +284,7 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y

  </Accordion>
  <Accordion title="kubernetesAuth">
-    The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
+    The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used within a Kubernetes environment.
    [Read more about Kubernetes Auth](/documentation/platform/identities/kubernetes-auth).
    Valid fields:
    - `identityId`: The identity ID of the machine identity you created.
@ -326,7 +338,7 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y
    ```
  </Accordion>
  <Accordion title="gcpIamAuth">
-    The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
+    The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used both within and outside GCP environments.
    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).


@ -344,7 +356,7 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y
    ```
  </Accordion>
  <Accordion title="gcpIdTokenAuth">
-    The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
+    The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used within GCP environments.
    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).

    Valid fields:
@ -389,7 +401,7 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y
 </Accordion>


-### Applying the InfisicalPushSecret CRD to your cluster
+## Applying the InfisicalPushSecret CRD to your cluster

 Once you have configured the `InfisicalPushSecret` CRD with the required fields, you can apply it to your cluster.
 After applying, you should notice that the secrets have been pushed to Infisical.
--- a/docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx
+++ b/docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx
@ -1,6 +1,6 @@
 ---
 sidebarTitle: "InfisicalSecret CRD"
-title: "InfisicalSecret CRD"
+title: "Using the InfisicalSecret CRD"
 description: "Learn how to use the InfisicalSecret CRD to fetch secrets from Infisical and store them as native Kubernetes secret resource"
 ---
Author	SHA1	Message	Date
Daniel Hougaard	6487c83bda	docs: requested changes	2025-01-13 14:35:36 +01:00
Daniel Hougaard	956fb2efb4	docs: better k8s pre-req	2025-01-10 20:16:30 +01:00
Daniel Hougaard	13894261ce	docs: small k8s docs improvements	2025-01-10 20:10:00 +01:00