Infisical Server

Configure the Database

infisical role

Create the secret:

apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
  name: db-role-infisical-secret
  namespace: default
  labels:
    cnpg.io/reload: "true"
data:
  # Values under "data" must be base64-encoded; this is base64 of "infisical".
  username: aW5maXNpY2Fs
  # Base64-encoded password, produced by the command below.
  password: <randomly generated secure password>

Generate the secure password for the infisical user:

openssl rand -hex 16 | tr -d '\n' | base64 | xclip -sel copy

Configure the PG cluster to manage the infisical user:

cluster.yml
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cluster-postgres
  namespace: default
spec:
  # [...]
  managed:
    roles:
      - name: infisical
        ensure: present
        # CloudNativePG managed roles default to login: false;
        # the role must be able to log in for Infisical to connect.
        login: true
        superuser: false
        passwordSecret:
          name: db-role-infisical-secret

infisical database

apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
  name: db-infisical
  namespace: default
spec:
  cluster:
    name: cluster-postgres
  name: infisical
  owner: infisical
  ensure: present

Deploying Infisical

Kubernetes via Helm Chart - Infisical

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
helm repo update
kubectl create namespace infisical;

Generate Secure Keys for Infisical

Encryption Key

openssl rand -hex 16 | tr -d '\n' | xclip -sel copy

Authentication Key

openssl rand -base64 32 | tr -d '\n' | xclip -sel copy

infisical.env
PORT=8080
SITE_URL=https://infisical.ladesa.com.br

TELEMETRY_ENABLED=true

REDIS_URL=redis://:<redis-password>@redis-server.redis-server.svc.cluster.local:6379/0
DB_CONNECTION_URI=postgres://infisical:<infisical role password>@cluster-postgres-rw.default.svc.cluster.local/infisical

ENCRYPTION_KEY=<encryption key>
AUTH_SECRET=<auth key>

kubectl create secret generic infisical-secrets \
  -n infisical \
  --from-env-file=./infisical.env \
  --dry-run=client \
  -o yaml \
  | kubectl apply -f -;

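
An added check, not part of the original page or of the Infisical project: before infisical.env is loaded into the infisical-secrets Secret, this script verifies that no `<placeholder>` values remain and that ENCRYPTION_KEY and AUTH_SECRET have the shapes produced by the two openssl commands above. The function names and the script name check-env.sh are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: validate infisical.env before it is turned into a Secret.

# Print the value of KEY ($2) from env file ($1): first match, text after '='.
env_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 when the file looks ready to load, 1 otherwise (reasons on stderr).
check_infisical_env() {
  local file=$1 rc=0 key val bytes
  for key in SITE_URL REDIS_URL DB_CONNECTION_URI ENCRYPTION_KEY AUTH_SECRET; do
    val=$(env_value "$file" "$key")
    if [ -z "$val" ]; then
      echo "$key: missing or empty" >&2; rc=1
    elif printf '%s' "$val" | grep -q '<[^>]*>'; then
      echo "$key: still contains a <placeholder>" >&2; rc=1
    fi
  done

  # "openssl rand -hex 16" yields exactly 32 lowercase hex characters.
  val=$(env_value "$file" ENCRYPTION_KEY)
  if ! printf '%s' "$val" | grep -Eq '^[0-9a-f]{32}$'; then
    echo "ENCRYPTION_KEY: expected 32 hex characters" >&2; rc=1
  fi

  # "openssl rand -base64 32" yields base64 that decodes to 32 bytes.
  val=$(env_value "$file" AUTH_SECRET)
  bytes=$(printf '%s' "$val" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  if [ "$bytes" -ne 32 ]; then
    echo "AUTH_SECRET: expected base64 of 32 bytes" >&2; rc=1
  fi
  return "$rc"
}

# Usage: ./check-env.sh ./infisical.env
if [ "$#" -gt 0 ]; then
  check_infisical_env "$1"
fi
```
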
values.yml
nameOverride: "infisical"
fullnameOverride: "infisical"

infisical:
  enabled: true
  name: infisical
  autoDatabaseSchemaMigration: true
  fullnameOverride: ""
  podAnnotations: {}
  deploymentAnnotations: {}
  replicaCount: 6

  image:
    repository: infisical/infisical
    tag: "v0.99.0-postgres"
    pullPolicy: IfNotPresent

  affinity: {}
  # Name of the Kubernetes Secret created from infisical.env.
  kubeSecretRef: "infisical-secrets"
  service:
    annotations: {}
    type: ClusterIP
    nodePort: ""

  resources:
    limits:
      memory: 2Gi
    requests:
      memory: 1Gi
      cpu: 200m

ingress:
  enabled: true
  hostName: "infisical.ladesa.com.br"
  ingressClassName: traefik
  nginx:
    enabled: false

# The bundled PostgreSQL and Redis are disabled; the external services
# referenced in infisical.env are used instead.
postgresql:
  enabled: false

redis:
  enabled: false

helm upgrade --install --create-namespace infisical infisical-helm-charts/infisical-standalone --namespace infisical --values values.yml