Skip to content

feat: add auto kmip setup for org#5500

Merged
sheensantoscapadngan merged 2 commits intomainfrom
feat/add-auto-kmip-setup-for-org
Mar 2, 2026
Merged

feat: add auto kmip setup for org#5500
sheensantoscapadngan merged 2 commits intomainfrom
feat/add-auto-kmip-setup-for-org

Conversation

@sheensantoscapadngan
Copy link
Member

@sheensantoscapadngan sheensantoscapadngan commented Feb 16, 2026
edited
Loading

Context

This PR makes it so that users of KMIP no longer have to configure anything at the organization-level. It will all now just auto-setup the PKI infrastructure for the organization the very first time a KMIP client or server is created

Doc reference: https://infisical.com/docs/documentation/platform/kms/kmip

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

@maidul98
Copy link
Collaborator

maidul98 commented Feb 16, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Feb 16, 2026

Greptile Summary

This PR replaces the manual KMIP PKI setup flow (dedicated API endpoints + org settings UI) with lazy, automatic initialization that occurs on first use (client certificate creation or server registration). The new $getOrgKmipCAs internal function uses a PostgreSQL advisory lock with double-check locking to safely handle concurrent initialization.

  • Removes POST /api/v1/kmip and GET /api/v1/kmip endpoints — breaking API change for any external consumers using these endpoints directly
  • Removes the setup permission action from OrgPermissionKmipActions — existing custom roles with this action configured may behave unexpectedly
  • Adds OrgKmipInit advisory lock for safe concurrent initialization of the KMIP PKI hierarchy
  • Deletes the KMIP organization settings tab from the frontend and updates documentation
  • registerServer calls $getOrgKmipCAs redundantly (once directly, once via generateOrgKmipServerCertificate), causing double DB lookups and KMS operations per request
  • Orphaned SETUP_KMIP and GET_KMIP event types remain in audit log type definitions (both backend and frontend) with no active code paths using them
  • docs/internals/permissions/organization-permissions.mdx still references the removed setup action for the kmip subject

Confidence Score: 3/5

  • Functional change is sound but has a breaking API removal and minor inefficiencies that should be addressed.
  • The core lazy-init pattern with advisory locks is well-implemented and race-condition safe. However, the removal of two public API endpoints (POST/GET /api/v1/kmip) and the setup permission action are breaking changes that could affect Terraform/Crossplane or API users. The redundant $getOrgKmipCAs double-call in the registerServer path is an inefficiency, and there are a few documentation and cleanup items missed.
  • Pay close attention to backend/src/ee/services/kmip/kmip-service.ts (redundant calls, missing license guard in init) and backend/src/ee/routes/v1/kmip-router.ts (breaking API removal).

Important Files Changed

Filename Overview
backend/src/ee/services/kmip/kmip-service.ts Core change: replaces manual setupOrgKmip/getOrgKmip with lazy $getOrgKmipCAs initialization using advisory locks. Has redundant double-call in registerServer path and no license check inside the init function.
backend/src/ee/routes/v1/kmip-router.ts Removes POST / and GET / KMIP org config endpoints. This is a breaking API change for any external consumers (Terraform, API users).
backend/src/ee/services/permission/org-permission.ts Removes Setup action from OrgPermissionKmipActions and the admin permission grant. Clean, but breaking for roles with the "setup" action configured.
backend/src/keystore/keystore.ts Adds OrgKmipInit advisory lock key. Consistent with existing patterns in the codebase.
docs/documentation/platform/kms/kmip.mdx Removes the "Enable KMIP at the Organization Level" step from docs, reflecting that setup is now automatic.
frontend/src/pages/organization/SettingsPage/components/KmipTab/OrgKmipTab.tsx Entire KMIP org settings tab deleted as PKI setup is now automatic. Clean removal.

Last reviewed commit: 004e310

greptile-apps[bot]
greptile-apps bot reviewed Feb 16, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

14 files reviewed, 2 comments

Edit Code Review Agent Settings | Greptile

@sheensantoscapadngan sheensantoscapadngan merged commit 421901e into main Mar 2, 2026
12 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@carlosmonastyrski carlosmonastyrski carlosmonastyrski approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sheensantoscapadngan @maidul98 @carlosmonastyrski