agentguard-ci/docs/improvements/infisical-crd-refactor.md
2026-04-19 22:55:19 -06:00

# Improvement Plan: Refactor Infisical Secrets to Native CRD
## Objective
The previous implementation used a Mutating Webhook (Infisical Agent Injector) plus an `initContainer` polling loop that waited for secrets to be injected into the Argo Workflow pods. This pattern causes race conditions (the workflow container can start before the injected values exist) and leaves ArgoCD reporting the mutated pods as "OutOfSync". We need to refactor the pipeline to use the native `InfisicalSecret` custom resource and standard Kubernetes `secretKeyRef` environment variables.
## Requirements
- **Remove Webhook Logic**: Strip out any Infisical annotations (e.g., `secrets.infisical.com/auto-reload`) from the Argo Workflows pod metadata.
- **Remove initContainer**: Delete the `initContainer` polling logic that was waiting for environment variables to populate.
- **Create InfisicalSecret CRD**: Create a new Helm template (e.g., `helm/templates/infisical-secret.yaml`) defining an `InfisicalSecret` resource. This resource should sync the required secrets (Socket.dev API key, Pulumi credentials, S3/MinIO credentials, DefectDojo API keys) into a standard Kubernetes `Secret` (e.g., named `amp-security-pipeline-secrets`).
- **Update Workflow Tasks**: Modify the `ClusterWorkflowTemplate` (and any other files where tasks are defined). Instead of expecting the webhook to inject the secrets directly, configure the task containers to pull their required environment variables using native Kubernetes syntax:
```yaml
env:
  - name: SOCKET_DEV_API_KEY
    valueFrom:
      secretKeyRef:
        name: amp-security-pipeline-secrets
        key: SOCKET_DEV_API_KEY
```
## Agent Instructions
1. Find and open the implemented `ClusterWorkflowTemplate` and task definition YAML files in `helm/templates/`.
2. Find and remove all instances of the `initContainer` secret-waiting logic.
3. Find and remove all Infisical mutating webhook annotations from the workflow/pod templates.
4. Create a new file `helm/templates/infisical-secret.yaml` defining the `InfisicalSecret` resource. Make sure it targets the necessary secrets for Socket.dev, Pulumi, Storage, and DefectDojo.
5. Update the `scan-socketdev`, `scan-crossguard`, `upload-storage`, and `upload-defectdojo` tasks in the workflow template to use native `valueFrom: secretKeyRef` for their required environment variables, referencing the new native Kubernetes Secret.
6. Verify the rendered YAML is valid and clean: no leftover Infisical annotations, no `initContainer` polling logic, and every secret-bearing environment variable sourced via `secretKeyRef`.
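The following is an added worked example, not the project's own Helm template, showing what the requirements above and steps 4 and 5 produce when put together: an `InfisicalSecret` resource that syncs into `amp-security-pipeline-secrets`, followed by an excerpt of a `ClusterWorkflowTemplate` whose tasks read that Secret through `secretKeyRef`. The `.Values.infisical.*` keys, the pre-created credentials Secret `infisical-universal-auth`, the Infisical secrets path, the non-Socket.dev key names and the container images are all assumptions made for the example; the API group, kind and field names follow the Infisical Kubernetes operator's `v1alpha1` schema.

```yaml
# helm/templates/infisical-secret.yaml (added example; the .Values.infisical.*
# keys are assumed chart values, not ones the project defines)
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: amp-security-pipeline
  namespace: {{ .Release.Namespace }}
spec:
  hostAPI: {{ .Values.infisical.hostAPI | default "https://app.infisical.com/api" | quote }}
  resyncInterval: 60            # seconds between syncs from Infisical
  authentication:
    universalAuth:
      secretsScope:
        projectSlug: {{ .Values.infisical.projectSlug | quote }}
        envSlug: {{ .Values.infisical.envSlug | quote }}
        secretsPath: "/amp-security-pipeline"   # assumed folder in Infisical
      # The machine-identity clientId/clientSecret live in a separate,
      # pre-created Secret read only by the operator; workflow pods never
      # mount or reference it.
      credentialsRef:
        secretName: infisical-universal-auth
        secretNamespace: {{ .Release.Namespace }}
  managedSecretReference:
    secretName: amp-security-pipeline-secrets
    secretNamespace: {{ .Release.Namespace }}
    # Owner: the managed Secret is garbage-collected together with this
    # resource, so no stale copy of the credentials lingers after removal.
    creationPolicy: Owner
---
# Excerpt of the refactored ClusterWorkflowTemplate: no Infisical
# annotations, no initContainers; each task references only the keys
# it actually needs from the managed Secret.
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: amp-security-pipeline
spec:
  templates:
    - name: scan-socketdev
      container:
        image: registry.example/socketdev-scanner:1.0   # placeholder image
        env:
          - name: SOCKET_DEV_API_KEY
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: SOCKET_DEV_API_KEY
    - name: upload-storage
      container:
        image: registry.example/storage-uploader:1.0    # placeholder image
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: MINIO_ACCESS_KEY                   # assumed key name
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: MINIO_SECRET_KEY                   # assumed key name
```

Two points worth checking when applying this: the managed Secret is namespaced, so the `ClusterWorkflowTemplate` (which is cluster-scoped) only resolves `secretKeyRef` for workflows submitted in the namespace the `InfisicalSecret` syncs into; and because the synced object is an ordinary Kubernetes `Secret`, read access to it should be restricted by RBAC to the workflow's service account rather than left at namespace-wide defaults. The operator will also refuse to create the managed Secret until the credentials Secret exists, so render with `helm template` and confirm no `initContainers:` or `secrets.infisical.com/` strings remain in the workflow output before committing.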