I have a running Infisical standalone on my Kubernetes cluster and would like to use External Secrets Operator to have the Infisical secrets synced with the Kubernetes secrets.
I'll be showing a lot of keys and URLs; although I am using them, they are for test purposes and will be replaced once I get to solve the issue. To make it easier to see what is what (and spot any errors, if any), I will lay them out here:
- clientID : 971d8c5d-08bf-4e14-810b-901b0618b4ed
- clientSecret : b4909f4856392612a666c0e06bb9c3c16164ff85f290f79b8e6bb692e6f95c13
- infisical url : http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080
- infisical project id ( the stb project ) : 01630159-214a-49b8-97a2-e566b23fe3ac
Infisical is running in its own namespace (infisical) and has one project called stb with one secret called TEST in all 3 default environments (Development, Staging and Production).
From the stb namespace, I am able to use a temporary curl pod to get the secrets from Infisical using the credentials I gave it. So I have confirmation that the machine identity, URL and authentication all work, as seen here (using the following documentation: https://infisical.com/docs/api-reference/endpoints/universal-auth/login):
```bash
kubectl run curl-pod --rm -i --tty --image=curlimages/curl --namespace stb -- /bin/sh
curl --request POST --url http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080/api/v1/auth/universal-auth/login --header 'Content-Type: application/json' --data '{"clientId": "971d8c5d-08bf-4e14-810b-901b0618b4ed", "clientSecret": "b4909f4856392612a666c0e06bb9c3c16164ff85f290f79b8e6bb692e6f95c13"}'
```
This has the following output (so access + auth do work):
```json
{
  "accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eUlkIjoiMTY2YTg3OWYtNmY4YS00YzZmLWExNGItZDJiMzNhMGU0YTg5IiwiY2xpZW50U2VjcmV0SWQiOiIxZTNlODc4NS1kNTc2LTQzZjctOTJmOS1mOWZlODAyNzdkOWQiLCJpZGVudGl0eUFjY2Vzc1Rva2VuSWQiOiIxODUxNzJjZi1kMmM3LTRhYzMtOGI5OS1jNjVmNjRmZTNiZTciLCJhdXRoVG9rZW5UeXBlIjoiaWRlbnRpdHlBY2Nlc3NUb2tlbiIsImlhdCI6MTcyMzkxNjkxMSwiZXhwIjoxNzI2NTA4OTExfQ.Sdc0xlsvB8DIbOaJ__M3jGMlVBKPtPsU4cqwoL-a12I",
  "expiresIn":2592000,
  "accessTokenMaxTTL":2592000,
  "tokenType":"Bearer"
}
```
Using the token I can now get the secrets, per https://infisical.com/docs/api-reference/endpoints/secrets/list (the workspace id and the desired env are passed as query parameters in the URL):
```bash
curl --request GET --url "http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080/api/v3/secrets/raw?workspaceId=01630159-214a-49b8-97a2-e566b23fe3ac&environment=dev" --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eUlkIjoiMTY2YTg3OWYtNmY4YS00YzZmLWExNGItZDJiMzNhMGU0YTg5IiwiY2xpZW50U2VjcmV0SWQiOiIxZTNlODc4NS1kNTc2LTQzZjctOTJmOS1mOWZlODAyNzdkOWQiLCJpZGVudGl0eUFjY2Vzc1Rva2VuSWQiOiIxODUxNzJjZi1kMmM3LTRhYzMtOGI5OS1jNjVmNjRmZTNiZTciLCJhdXRoVG9rZW5UeXBlIjoiaWRlbnRpdHlBY2Nlc3NUb2tlbiIsImlhdCI6MTcyMzkxNjkxMSwiZXhwIjoxNzI2NTA4OTExfQ.Sdc0xlsvB8DIbOaJ__M3jGMlVBKPtPsU4cqwoL-a12I'
```
In turn, I get the secret list:
```json
{
  "secrets":[
    {
      "id":"94bf8823-227c-45e8-a8a9-bbe613069020",
      "_id":"94bf8823-227c-45e8-a8a9-bbe613069020",
      "workspace":"01630159-214a-49b8-97a2-e566b23fe3ac",
      "environment":"dev",
      "version":2,
      "type":"shared",
      "secretKey":"TEST",
      "secretValue":"this is a test that I whant to see the value of dev",
      "secretComment":""
    }
  ],
  "imports":[]
}
```
I'm showing all this to show that Infisical was set up (what I think is) correctly, as I can access it, query it and get the secret. I'm battling with the External Secrets Operator.
Here is the configuration that is being used (following the documentation https://external-secrets.io/latest/provider/infisical/):
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials
  namespace: stb
type: Opaque
stringData:
  clientId: "971d8c5d-08bf-4e14-810b-901b0618b4ed"
  clientSecret: "b4909f4856392612a666c0e06bb9c3c16164ff85f290f79b8e6bb692e6f95c13"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
  namespace: stb
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical
  target:
    name: infisical-managed-secrets
  data:
    - secretKey: TEST
      remoteRef:
        key: TEST
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: infisical
  namespace: stb
spec:
  provider:
    infisical:
      auth:
        universalAuthCredentials:
          clientId:
            key: clientId
            namespace: stb
            name: universal-auth-credentials
          clientSecret:
            key: clientSecret
            namespace: stb
            name: universal-auth-credentials
      secretsScope:
        projectSlug: "01630159-214a-49b8-97a2-e566b23fe3ac"
        environmentSlug: dev
        secretsPath: /
      hostAPI: http://infisical-infisical-standalone-infisical.infisical.svc.cluster.local:8080
```
The issue however seems to be that there is a missing value, or a value that is not given as intended. The logs of the external-secrets pod show the following (there are two different log entries that repeat a lot):
"Missing workspace id or environment"
```json
{
  "level":"error",
  "ts":1723917674.332734,
  "logger":"controllers.ExternalSecret",
  "msg":"could not get secret data from provider",
  "ExternalSecret":
  {
    "name":"infisical-managed-secrets",
    "namespace":"stb"
  },
  "error":"error retrieving secret at .data[0], key: TEST, err: Missing workspace id or environment",
  "stacktrace":"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).markAsFailed\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:357\ngithub.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).Reconcile\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:226\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"
}
{
  "level":"error",
  "ts":1723917674.33634,
  "msg":"Reconciler error",
  "controller":"externalsecret",
  "controllerGroup":"external-secrets.io",
  "controllerKind":"ExternalSecret",
  "ExternalSecret":
  {
    "name":"infisical-managed-secrets",
    "namespace":"stb"
  },
  "namespace":"stb",
  "name":"infisical-managed-secrets",
  "reconcileID":"dac2f36a-5128-416f-929b-dd7ca11511d5",
  "error":"error retrieving secret at .data[0], key: TEST, err: Missing workspace id or environment",
  "stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"
}
```
I am at a loss; the documentation does not show anything that would allow me to solve the issue, and I'm confused as to whether I have found a bug, an issue with the documentation, or if I simply overlooked something.
`projectSlug: "01630159-214a-49b8-97a2-e566b23fe3ac"`: this looks like the project ID; you should provide the project slug.
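As an added example (not code from this issue, nor from External Secrets Operator or Infisical), a small Python triage helper that lints `secretsScope` for exactly this mistake (a UUID project ID where the slug belongs) and maps the controller's structured log lines to a likely cause; all function and constant names in it are assumptions, and the sample input is constructed from the values quoted above.

```python
import json
import re
# Added example for this issue (not code from the thread, ESO or Infisical); every
# name below is chosen here. Infisical project IDs are UUIDs, slugs are short names.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)


def check_secrets_scope(scope):
    """Lint spec.provider.infisical.secretsScope before applying the SecretStore."""
    findings = []
    slug = scope.get("projectSlug", "")
    if not slug:
        findings.append("projectSlug is empty")
    elif UUID_RE.match(slug):
        findings.append("projectSlug looks like a project ID (UUID); use the project slug")
    if not scope.get("environmentSlug"):
        findings.append("environmentSlug is empty (expected a slug such as dev)")
    if not str(scope.get("secretsPath", "")).startswith("/"):
        findings.append("secretsPath must be an absolute path such as /")
    return findings


# Provider error substrings seen in the ESO controller log, mapped to a likely cause.
KNOWN_ERRORS = {
    "Missing workspace id or environment":
        "Infisical could not resolve the project/environment from secretsScope; "
        "check projectSlug (slug, not project ID) and environmentSlug",
}


def triage_eso_logs(lines):
    """Parse JSON log lines from the ESO controller; return (secret key, diagnosis) pairs."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # plain-text lines such as the bare "Missing ..." message
        err = record.get("error", "")
        for needle, diagnosis in KNOWN_ERRORS.items():
            if needle in err:
                m = re.search(r"key: (\S+),", err)
                hits.append((m.group(1) if m else "?", diagnosis))
    return hits


# Constructed sample input: the secretsScope from this issue and one controller log line.
SAMPLE_SCOPE = {"projectSlug": "01630159-214a-49b8-97a2-e566b23fe3ac",
                "environmentSlug": "dev", "secretsPath": "/"}
SAMPLE_LOG = ['{"level":"error","error":"error retrieving secret at .data[0], '
              'key: TEST, err: Missing workspace id or environment"}']
```

Run `check_secrets_scope` on the store's `secretsScope` before `kubectl apply`, and feed `kubectl logs` of the external-secrets pod line by line to `triage_eso_logs` to get the secret key and a diagnosis instead of reading stack traces.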
Turns out Infisical had a bug of sorts that was hiding the slug button, which in turn caused all the hassle. Things seem to work as intended as of now.
https://github.com/external-secrets/external-secrets/issues/3808