agentguard-ci/docs/improvements/infisical-crd-refactor.md
2026-04-19 22:55:19 -06:00

Improvement Plan: Refactor Infisical Secrets to Native CRD

Objective

The previous implementation relied on the Infisical Agent Injector, a mutating admission webhook, plus an initContainer polling loop that waited for the injected secrets to show up in the Argo Workflow pods. This is fragile for two reasons: the webhook rewrites pods at admission time, so the live objects differ from the manifests rendered from Git and ArgoCD reports them as "OutOfSync", and the polling loop is a race against the injection that either burns time or times out. The pipeline should instead use the native InfisicalSecret CRD, which the Infisical Kubernetes Operator reconciles into a standard Kubernetes Secret, and read that Secret through ordinary secretKeyRef environment variables that the kubelet resolves before the container starts.

Requirements

  • Remove Webhook Logic: Strip out any Infisical annotations (e.g., secrets.infisical.com/auto-reload) from the Argo Workflows pod metadata.
  • Remove initContainer: Delete the initContainer polling logic that was waiting for environment variables to populate.
  • Create InfisicalSecret CRD: Create a new Helm template (e.g., helm/templates/infisical-secret.yaml) defining an InfisicalSecret resource. This resource should sync the required secrets (Socket.dev API key, Pulumi credentials, S3/MinIO credentials, DefectDojo API keys) into a standard Kubernetes Secret (e.g., named amp-security-pipeline-secrets).
  • Update Workflow Tasks: Modify the ClusterWorkflowTemplate (and any other files where tasks are defined). Instead of expecting the webhook to inject the secrets directly, configure the task containers to pull their required environment variables using native Kubernetes syntax:

    ```yaml
    env:
      - name: SOCKET_DEV_API_KEY
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: SOCKET_DEV_API_KEY
    ```

    The referenced Secret must exist in the namespace the workflow pods are scheduled in, because secretKeyRef cannot cross namespaces. If the Secret or the key is missing, the pod reports CreateContainerConfigError and the kubelet keeps retrying until the operator has synced it, so no wait loop is needed and a misconfiguration is visible immediately instead of hanging.
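An added example of the Helm template the "Create InfisicalSecret CRD" requirement asks for. It is not part of agentguard-ci: the `.Values.infisical.*` keys, the `infisical-auth` ServiceAccount, the machine identity and the Infisical project/environment/path slugs are assumptions, and the field names follow the InfisicalSecret `v1alpha1` schema as documented for the Infisical Kubernetes Operator, so verify them against the operator version installed in the cluster. Kubernetes Auth is used instead of Universal Auth so that no long-lived client secret has to be committed to values.yaml or applied by hand.

```yaml
# helm/templates/infisical-secret.yaml (added example, not the project's own file)
#
# Assumptions: the Infisical Kubernetes Operator is installed; values.yaml has an
# `infisical` map with identityId, projectSlug, envSlug, secretsPath and
# optionally hostAPI; a machine identity with Kubernetes Auth exists in Infisical
# and is bound to the ServiceAccount below. The operator requests a short-lived
# token for that ServiceAccount and presents it to Infisical, so nothing static
# has to be stored in Git or in the cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: infisical-auth
  namespace: {{ .Release.Namespace }}
  annotations:
    # Sync before the workflow templates so the managed Secret exists by the
    # time the first workflow pod is scheduled.
    argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: amp-security-pipeline
  namespace: {{ .Release.Namespace }}
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
spec:
  hostAPI: {{ .Values.infisical.hostAPI | default "https://app.infisical.com/api" | quote }}
  # Re-pull interval in seconds. Rotated values land in the managed Secret within
  # this window; each new workflow run reads the Secret afresh, so no pod reload
  # annotation is required.
  resyncInterval: 60
  authentication:
    kubernetesAuth:
      identityId: {{ required "infisical.identityId is required" .Values.infisical.identityId | quote }}
      serviceAccountRef:
        name: infisical-auth
        namespace: {{ .Release.Namespace }}
      secretsScope:
        projectSlug: {{ required "infisical.projectSlug is required" .Values.infisical.projectSlug | quote }}
        envSlug: {{ .Values.infisical.envSlug | default "prod" | quote }}
        # Scope to one folder so only the pipeline's keys (Socket.dev, Pulumi,
        # S3/MinIO, DefectDojo) are copied, not the whole environment.
        secretsPath: {{ .Values.infisical.secretsPath | default "/amp-security-pipeline" | quote }}
        recursive: false
  managedSecretReference:
    # This is the name the workflow tasks reference via secretKeyRef. It must be
    # in the namespace where the workflow pods run; secretKeyRef cannot cross
    # namespaces. Every Infisical secret name in the folder becomes a key here,
    # so the Infisical side must use the exact env var names the tasks expect
    # (SOCKET_DEV_API_KEY, PULUMI_ACCESS_TOKEN, ...).
    secretName: amp-security-pipeline-secrets
    secretNamespace: {{ .Release.Namespace }}
    secretType: Opaque
    # Owner ties the Secret's lifetime to this resource, so an ArgoCD prune of
    # the InfisicalSecret also removes the credentials. Orphan would leave them.
    creationPolicy: Owner
```

The managed Secret is a plain base64 Secret, so anyone with `get secrets` in the release namespace can read every pipeline credential; keep RBAC on that namespace as tight as it was for the injector-mounted values. Newer operator releases also accept a list form (`managedKubeSecretReferences`) in place of the single reference; use whichever the installed CRD version defines.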

Agent Instructions

  1. Find and open the implemented ClusterWorkflowTemplate and task definition YAML files in helm/templates/.
  2. Find and remove all instances of the initContainer secret-waiting logic.
  3. Find and remove all Infisical mutating webhook annotations from the workflow/pod templates.
  4. Create a new file helm/templates/infisical-secret.yaml defining the InfisicalSecret CRD. Make sure it targets the necessary secrets for Socket.dev, Pulumi, Storage, and DefectDojo.
  5. Update the scan-socketdev, scan-crossguard, upload-storage, and upload-defectdojo tasks in the workflow template to use native valueFrom: secretKeyRef for their required environment variables, referencing the new native Kubernetes Secret.
  6. Verify the rendered chart: run helm template and confirm the output is valid YAML, contains no secrets.infisical.com/* annotations and no initContainers in the workflow templates, and that every secretKeyRef points at amp-security-pipeline-secrets.
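An added example of what the ClusterWorkflowTemplate looks like after steps 2, 3 and 5, covering the four tasks the plan names. It is not the project's template: the images, commands, the `.Values.storage.endpoint` and `.Values.defectdojo.url` keys and the non-Socket.dev key names (PULUMI_ACCESS_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DEFECTDOJO_API_KEY) are placeholders; `amp-security-pipeline-secrets` is assumed to be the Secret synced by the InfisicalSecret resource in the namespace the workflows run in.

```yaml
# helm/templates/cluster-workflow-template.yaml (added example, not the
# project's own file). Placeholders: images, commands, value keys and the
# non-Socket.dev env var names.
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: amp-security-pipeline
  # No secrets.infisical.com/* annotations anywhere in this file: nothing is
  # injected at admission, so the rendered manifest equals the live object.
spec:
  entrypoint: pipeline
  templates:
    - name: pipeline
      dag:
        tasks:
          - name: scan-socketdev
            template: scan-socketdev
          - name: scan-crossguard
            template: scan-crossguard
          - name: upload-storage
            template: upload-storage
            dependencies: [scan-socketdev, scan-crossguard]
          - name: upload-defectdojo
            template: upload-defectdojo
            dependencies: [scan-socketdev, scan-crossguard]

    # No initContainers on any task: the kubelet resolves every secretKeyRef
    # before the main container starts, and a missing Secret or key surfaces as
    # CreateContainerConfigError instead of a silent polling loop.
    - name: scan-socketdev
      container:
        image: ghcr.io/example/socketdev-scanner:latest   # placeholder
        command: ["socket-scan"]                           # placeholder
        env:
          - name: SOCKET_DEV_API_KEY
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: SOCKET_DEV_API_KEY

    - name: scan-crossguard
      container:
        image: ghcr.io/example/pulumi-crossguard:latest   # placeholder
        command: ["pulumi", "preview", "--policy-pack", "./policy"]
        env:
          - name: PULUMI_ACCESS_TOKEN
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: PULUMI_ACCESS_TOKEN

    - name: upload-storage
      container:
        image: minio/mc:latest                             # placeholder
        command: ["mc", "cp", "/results/", "s3/amp-results/"]
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: AWS_ACCESS_KEY_ID
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: AWS_SECRET_ACCESS_KEY
          # Non-secret settings stay as plain values so the Secret holds only
          # credentials and the endpoint is visible in the rendered manifest.
          - name: S3_ENDPOINT
            value: {{ .Values.storage.endpoint | quote }}

    - name: upload-defectdojo
      container:
        image: ghcr.io/example/defectdojo-uploader:latest # placeholder
        command: ["dd-upload", "/results/"]                # placeholder
        env:
          - name: DEFECTDOJO_API_KEY
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: DEFECTDOJO_API_KEY
          - name: DEFECTDOJO_URL
            value: {{ .Values.defectdojo.url | quote }}
```

Because a ClusterWorkflowTemplate is cluster-scoped but its pods run in the namespace of the Workflow that references it, the InfisicalSecret must produce `amp-security-pipeline-secrets` in every namespace that submits this pipeline; a second InfisicalSecret per namespace is the usual fix if more than one does.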