Infisical Kubernetes Auth with Client JWT as Reviewer JWT Token is not working

[tuxtof]

Describe the bug

Configuring Infiscal Kubernetes authentication with Client JWT as Reviewer JWT Token is not working because external-secrets service account doesn't have the system:auth-delegator permission

To Reproduce
Steps to reproduce the behavior:

1. Install ESO
2. Configure a SecretStore using Infisical and kubernetesAuthCredentials
3. Configure Infisical Kubernetes Auth to use Client JWT as Reviewer JWT Token (leave the Token Reviewer JWT field empty)

Expected behavior
ESO needs to authenticate correctly against Infiscial using Kubernetes Auth and Client JWT as Reviewer JWT Token

Additional context
doc here
and specifically option2 of the guide

[gusfcarvalho]

I believe we should have involved @tuxtof or at least @akhilmhdh as the infisical maintainer before marking #5167 as resolved 😅 we do not own infisicals' maintenance to really tell the issue was fixed with that doc change 😅

One thing worth to mention, a possible improve if you think the docs update isn't enough @tuxtof is to explain how users can leverage extraObjects already available on our helm charts to add the missing permissions to external-secrets service account. Do note that, typically, this approach tends to be bad the way that external-secrets is typically deployed (cluster wide).

[Skarlso]

I believe we should have involved @tuxtof or at least @akhilmhdh as the infisical maintainer before marking #5167 as resolved 😅 we do not own infisicals' maintenance to really tell the issue was fixed with that doc change 😅

We did. :) In the associated PR. Also, the helm chart is part of ESO and not the infisical provider.

[gusfcarvalho]

I mean, rejecting the helm chart change, I agree it is in our remit to do so.

But we can't really tell the docs we proposed fixed it right? :)

[Skarlso]

Sure. I agree. I reopened the issue. I only meant to tag the related PR. If the doc change isn't accepted as a solution, we can talk further. :)

[gusfcarvalho]

Thanks for that!! 🙇

[tuxtof]

Doc is a good first step even if improvements can be made, but overall, it would definitely be helpful to have a way to automate the deployment end-to-end without relying too much on external tools.

I miss the extraObjects, but I usually don't like this approach.

Long term, I also imagine incorporating the provider config into the ESO helm chart, but perhaps this is already something you've discussed.

In any case, I don't want to cause any more trouble. Thank you very much for this wonderful project.

[gusfcarvalho]

Long term, I also imagine incorporating the provider config into the ESO helm chart, but perhaps this is already something you've discussed.

Provider config within the helm chart, IMO, would only make sense if we could also create SecretStores within the helm chart, but that's not possible due to our current approach for deploying CRDs.

So whatever you need to do to setup a provider, it is already a two-step process in that regard 🤔

[tuxtof]

Yes, it was the idea. Have you already explored using the new CRD install method of Helm 3?