我发现了一些文档，允许我创建秘密并将其上传到 infisical，如下所示：https://registry.terraform.io/providers/Infisical/infisical/latest/docs/resources/secret，但我找不到任何关于从 infisical 读取秘密的信息。

这个想法是将敏感数据存储在 infisical 中，并通过客户端 ID/客户端密钥将 terraform 连接到它以检索密码等值，然后使用它们（infisical 也用于我使用的许多其他程序，因此将所有内容放在同一个地方很方便）

我的 kubernetes 集群上有一个正在运行的 infisical 独立版本，并且想要使用 External Secrets Operator 将 infisical 机密与 kubernetes 机密同步。

我将展示很多密钥和 URL，但尽管我正在使用它们，但它们仅用于测试目的，一旦我解决问题，它们就会被替换。为了更容易看到它们是什么（并发现任何错误），我将把它们放在这里：

• 客户端ID：971d8c5d-08bf-4e14-810b-901b0618b4ed
• 客户端机密：b4909f4856392612a666c0e06bb9c3c16164ff85f290f79b8e6bb692e6f95c13
• infisical 网址：http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080
• infisical 项目 id（stb 项目）：01630159-214a-49b8-97a2-e566b23fe3ac

infisical 在其自己的命名空间（ infisical ）中运行，并且在所有 3 个默认环境（开发、暂存和生产）中都有一个名为 stb 的项目和一个名为 TEST 的秘密。

从 stb 命名空间，我可以使用临时 curl pod 使用我提供的凭据从 infisical 获取机密。因此，我确认机器身份、url 和身份验证均按此处所示工作（使用以下文档https://infisical.com/docs/api-reference/endpoints/universal-auth/login）：

kubectl run curl-pod --rm -i --tty --image=curlimages/curl --namespace stb -- /bin/sh

curl --request POST --url http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080/api/v1/auth/universal-auth/login --header 'Content-Type: application/json' --data '{"clientId": "971d8c5d-08bf-4e14-810b-901b0618b4ed", "clientSecret": "b4909f4856392612a666c0e06bb9c3c16164ff85f290f79b8e6bb692e6f95c13"}'

这有以下输出（因此 access + auth 可以工作）：

{
   "accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eUlkIjoiMTY2YTg3OWYtNmY4YS00YzZmLWExNGItZDJiMzNhMGU0YTg5IiwiY2xpZW50U2VjcmV0SWQiOiIxZTNlODc4NS1kNTc2LTQzZjctOTJmOS1mOWZlODAyNzdkOWQiLCJpZGVudGl0eUFjY2Vzc1Rva2VuSWQiOiIxODUxNzJjZi1kMmM3LTRhYzMtOGI5OS1jNjVmNjRmZTNiZTciLCJhdXRoVG9rZW5UeXBlIjoiaWRlbnRpdHlBY2Nlc3NUb2tlbiIsImlhdCI6MTcyMzkxNjkxMSwiZXhwIjoxNzI2NTA4OTExfQ.Sdc0xlsvB8DIbOaJ__M3jGMlVBKPtPsU4cqwoL-a12I",
   "expiresIn":2592000,
   "accessTokenMaxTTL":2592000,
   "tokenType":"Bearer"
}

使用令牌我现在可以获取秘密https://infisical.com/docs/api-reference/endpoints/secrets/list（工作区 ID 和所需的环境被查询到 URL 中）：

curl --request GET --url "http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080/api/v3/secrets/raw?workspaceId=01630159-214a-49b8-97a2-e566b23fe3ac&environment=dev" --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eUlkIjoiMTY2YTg3OWYtNmY4YS00YzZmLWExNGItZDJiMzNhMGU0YTg5IiwiY2xpZW50U2VjcmV0SWQi
OiIxZTNlODc4NS1kNTc2LTQzZjctOTJmOS1mOWZlODAyNzdkOWQiLCJpZGVudGl0eUFjY2Vzc1Rva2VuSWQiOiIxODUxNzJjZi1kMmM3LTRhYzMtOGI5OS1jNjVmNjRmZTNiZTciLCJhdXRoVG9rZW5UeXBlIjoiaWRlbnRpdHlBY2Nlc3NUb2tlbiIsImlhdCI6MTcyMzkxNjkxMSwiZXhwIjoxNzI2NTA4OTExfQ.Sdc0xlsvB8DIbOaJ__M3jGMlVBKPtPsU4cqwoL-a12I'

反过来，我得到了秘密名单：

{
   "secrets":[
      {
         "id":"94bf8823-227c-45e8-a8a9-bbe613069020",
         "_id":"94bf8823-227c-45e8-a8a9-bbe613069020","workspace":"01630159-214a-49b8-97a2-e566b23fe3ac",
         "environment":"dev",
         "version":2,
         "type":"shared",
         "secretKey":"TEST",
         "secretValue":"this is a test that I whant to see the value of dev",
         "secretComment":""
      }
   ],
   "imports":[]
}

我展示这一切是为了表明 infisical 的设置是正确的，因为我可以访问它、查询它并获取机密。我正在与外部机密操作员斗争。

这是正在使用的配置（遵循文档https://external-secrets.io/latest/provider/infisical/）：

apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials
  namespace: stb
type: Opaque
stringData:
  clientId: "971d8c5d-08bf-4e14-810b-901b0618b4ed"
  clientSecret: "b4909f4856392612a666c0e06bb9c3c16164ff85f290f79b8e6bb692e6f95c13"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
  namespace: stb
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical
  target:
    name: infisical-managed-secrets
  data:
    - secretKey: TEST
      remoteRef:
        key: TEST
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: infisical
  namespace: stb
spec:
  provider:
    infisical:
      auth:
        universalAuthCredentials:
          clientId:
            key: clientId
            namespace: stb
            name: universal-auth-credentials
          clientSecret:
            key: clientSecret
            namespace: stb
            name: universal-auth-credentials
      secretsScope:
        projectSlug: "01630159-214a-49b8-97a2-e566b23fe3ac"
        environmentSlug: dev
        secretsPath: /
      hostAPI: http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080

但问题似乎是缺少值或未按预期给出值。外部机密 pod 的日志显示以下内容（有两个不同的日志重复很多）：

“缺少工作区 ID 或环境”

{
   "level":"error",
   "ts":1723917674.332734,
   "logger":"controllers.ExternalSecret",
   "msg":"could not get secret data from provider",
   "ExternalSecret":
      {
         "name":"infisical-managed-secrets",
         "namespace":"stb"
      },
   "error":"error retrieving secret at .data[0], key: TEST, err: Missing workspace id or environment",
   "stacktrace":"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).markAsFailed\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:357\ngithub.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).Reconcile\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:226\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"
}
{
   "level":"error",
   "ts":1723917674.33634,
   "msg":"Reconciler error",
   "controller":"externalsecret",
   "controllerGroup":"external-secrets.io",
   "controllerKind":"ExternalSecret",
   "ExternalSecret":
      {
         "name":"infisical-managed-secrets",
         "namespace":"stb"
      },
   "namespace":"stb",
   "name":"infisical-managed-secrets",
   "reconcileID":"dac2f36a-5128-416f-929b-dd7ca11511d5",
   "error":"error retrieving secret at .data[0], key: TEST, err: Missing workspace id or environment",
   "stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"
}

我很茫然，文档中没有显示任何可以让我解决问题的内容，我很困惑我是否发现了错误、文档问题或者我只是忽略了某些东西。