Infrastructure Integrations
- Container orchestrators
- Infisical Agent
- Docker
- Terraform Provider
- Ansible
Native Integrations
CI/CD Integrations
Framework Integrations
Build Tool Integrations
Kubernetes Operator
How to use Infisical to inject secrets into Kubernetes clusters.
The Infisical Secrets Operator is a Kubernetes controller that retrieves secrets from Infisical and stores them in a designated cluster.
It uses an InfisicalSecret resource to specify authentication and storage methods.
The operator continuously updates secrets and can also reload dependent deployments automatically.
If you are already using the External Secrets operator, you can view the integration documentation for it here.
Install Operator
The operator can be install via Helm or kubectl
Install the latest Infisical Helm repository
helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
helm repo update
Install the Helm chart
To select a specific version, view the application versions here and chart versions here
helm install --generate-name infisical-helm-charts/secrets-operator
# Example installing app version v0.2.0 and chart version 0.1.4
helm install --generate-name infisical-helm-charts/secrets-operator --version=0.1.4 --set controllerManager.manager.image.tag=v0.2.0
Custom Resource Definitions (CRD’s)
Currently the operator supports the following CRD’s. We are constantly expanding the functionality of the operator, and this list will be updated as new CRD’s are added.
- InfisicalSecret: Sync secrets from Infisical to a Kubernetes secret.
- InfisicalPushSecret: Push secrets from a Kubernetes secret to Infisical.
- InfisicalDynamicSecret: Sync dynamic secrets and create leases automatically in Kubernetes.
Sync Infisical Secrets to your cluster
Once you have installed the operator to your cluster, you’ll need to create a InfisicalSecret custom resource definition (CRD).
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample
labels:
label-to-be-passed-to-managed-secret: sample-value
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
spec:
hostAPI: https://app.infisical.com/api
resyncInterval: 10
authentication:
# Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
# If you have multiple authentication methods defined, it may cause issues.
# (Deprecated) Service Token Auth
serviceToken:
serviceTokenSecretReference:
secretName: service-token
secretNamespace: default
secretsScope:
envSlug: <env-slug>
secretsPath: <secrets-path>
recursive: true
# Universal Auth
universalAuth:
secretsScope:
projectSlug: new-ob-em
envSlug: dev # "dev", "staging", "prod", etc..
secretsPath: "/" # Root is "/"
recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: default
# Native Kubernetes Auth
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: <service-account-name>
namespace: <service-account-namespace>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
# AWS IAM Auth
awsIamAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
# Azure Auth
azureAuth:
identityId: <your-machine-identity-id>
resource: https://management.azure.com/&client_id=CLIENT_ID # (Optional) This is the Azure resource that you want to access. For example, "https://management.azure.com/". If no value is provided, it will default to "https://management.azure.com/"
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
# GCP ID Token Auth
gcpIdTokenAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
# GCP IAM Auth
gcpIamAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
managedSecretReference:
secretName: managed-secret
secretNamespace: default
creationPolicy: "Orphan" ## Owner | Orphan
# template:
# includeAllSecrets: true
# data:
# CUSTOM_KEY: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"
# secretType: kubernetes.io/dockerconfigjson
InfisicalSecret CRD properties
If you are fetching secrets from a self-hosted instance of Infisical set the value of hostAPI to
https://your-self-hosted-instace.com/api
When hostAPI is not defined the operator fetches secrets from Infisical Cloud.
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet. To achieve this, use the following address for the hostAPI field:
http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
Make sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.
This property defines the time in seconds between each secret re-sync from Infisical. Shorter time between re-syncs will require higher rate limits only available on paid plans. Default re-sync interval is every 1 minute.
This block defines the TLS settings to use for connecting to the Infisical instance.
This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
This block defines the method that will be used to authenticate with Infisical so that secrets can be fetched
The universal machine identity authentication method is used to authenticate with Infisical. The client ID and client secret needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about machine identities here.
Create Kubernetes secret containing machine identity credentials
Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials. To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.
Make sure you replace <your-identity-client-id> with the identity client ID and <your-identity-client-secret> with the identity client secret.
kubectl create secret generic universal-auth-credentials --from-literal=clientId="<your-identity-client-id>" --from-literal=clientSecret="<your-identity-client-secret>"
Add reference for the Kubernetes secret containing the identity credentials
Once the secret is created, add the secretName and secretNamespace of the secret that was just created under authentication.universalAuth.credentialsRef field in the InfisicalSecret resource.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample-crd
spec:
authentication:
universalAuth:
secretsScope:
projectSlug: <project-slug> # <-- project slug
envSlug: <env-slug> # "dev", "staging", "prod", etc..
secretsPath: "<secrets-path>" # Root is "/"
credentialsRef:
secretName: universal-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials
...
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
Obtaining the token reviewer JWT for Infisical
1.1. Start by creating a service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.
apiVersion: v1
kind: ServiceAccount
metadata:
name: infisical-auth
namespace: default
kubectl apply -f infisical-service-account.yaml
1.2. Bind the service account to the system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Infisical to access the TokenReview API. You can apply the following configuration file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: role-tokenreview-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: infisical-auth
namespace: default
kubectl apply -f cluster-role-binding.yaml
1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new Secret resource:
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: infisical-auth-token
annotations:
kubernetes.io/service-account.name: "infisical-auth"
kubectl apply -f service-account-token.yaml
1.4. Link the secret in step 1.3 to the service account in step 1.1:
kubectl patch serviceaccount infisical-auth -p '{"secrets": [{"name": "infisical-auth-token"}]}' -n default
1.5. Finally, retrieve the token reviewer JWT token from the secret.
kubectl get secret infisical-auth-token -n default -o=jsonpath='{.data.token}' | base64 --decode
Keep this JWT token handy as you will need it for the Token Reviewer JWT field when configuring the Kubernetes Auth authentication method for the identity in step 2.
Creating an identity
To create an identity, head to your Organization Settings > Access Control > Machine Identities and press Create identity.
When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
Now input a few details for your new identity. Here’s some guidance for each field:
- Name (required): A friendly name for the identity.
- Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
Once you’ve created an identity, you’ll be prompted to configure the authentication method for it. Here, select Kubernetes Auth.
To learn more about each field of the Kubernetes native authentication method, see step 2 of guide.
Adding an identity to a project
To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.
To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press Add identity.
Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
Add your identity ID & service account to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource.
In the authentication.kubernetesAuth.identityId field, add the identity ID of the machine identity you created.
See the example below for more details.
Add your Kubernetes service account token to the InfisicalSecret resource
Add the service account details from the previous steps under authentication.kubernetesAuth.serviceAccountRef.
Here you will need to enter the name and namespace of the service account.
The example below shows a complete InfisicalSecret resource with all required fields defined.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample-crd
spec:
authentication:
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: <service-account-name>
namespace: <service-account-namespace>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
...
The AWS IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an AWS environment like an EC2 or a Lambda function.
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about AWS machine identities here.
Add your identity ID to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.awsIamAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample-crd
spec:
authentication:
awsIamAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
...
The Azure machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an Azure environment.
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about Azure machine identities here.
Add your identity ID to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.azureAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample-crd
spec:
authentication:
azureAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
...
The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.
Add your identity ID to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.gcpIdTokenAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample-crd
spec:
authentication:
gcpIdTokenAuth:
identityId: <your-machine-identity-id>
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
...
The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.
Add your identity ID and service account token path to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.gcpIamAuth.identityId field, add the identity ID of the machine identity you created.
You’ll also need to add the service account key file path to your InfisicalSecret resource. In the authentication.gcpIamAuth.serviceAccountKeyFilePath field, add the path to your service account key file path. Please see the example below for more details.
Make sure to also populate the secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.
Example
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample-crd
spec:
authentication:
gcpIamAuth:
identityId: <your-machine-identity-id>
serviceAccountKeyFilePath: "/path/to-service-account-key-file-path.json"
# secretsScope is identical to the secrets scope in the universalAuth field in this sample.
secretsScope:
projectSlug: your-project-slug
envSlug: prod
secretsPath: "/path"
recursive: true
...
The service token required to authenticate with Infisical needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token. Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.
1. Generate service token
You can generate a service token for an Infisical project by heading over to the Infisical dashboard then to Project Settings.
2. Create Kubernetes secret containing service token
Once you have generated the service token, you will need to create a Kubernetes secret containing the service token you generated.
To quickly create a Kubernetes secret containing the generated service token, you can run the command below. Make sure you replace <your-service-token-here> with your service token.
kubectl create secret generic service-token --from-literal=infisicalToken="<your-service-token-here>"
3. Add reference for the Kubernetes secret containing service token
Once the secret is created, add the name and namespace of the secret that was just created under authentication.serviceToken.serviceTokenSecretReference field in the InfisicalSecret resource.
Make sure to also populate the secretsScope field with the, environment slug
envSlug, and secrets path secretsPath that you want to fetch secrets
from. Please see the example below.
Example
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample-crd
spec:
authentication:
serviceToken:
serviceTokenSecretReference:
secretName: service-token # <-- name of the Kubernetes secret that stores our service token
secretNamespace: option # <-- namespace of the Kubernetes secret that stores our service token
secretsScope:
envSlug: <env-slug> # "dev", "staging", "prod", etc..
secretsPath: <secrets-path> # Root is "/"
...
The managedSecretReference field is used to define the target location for storing secrets retrieved from an Infisical project.
This field requires specifying both the name and namespace of the Kubernetes secret that will hold these secrets.
The Infisical operator will automatically create the Kubernetes secret with the specified name/namespace and keep it continuously updated.
Note: The managed secret be should be created in the same namespace as the deployment that will use it.
The name of the managed Kubernetes secret to be created
The namespace of the managed Kubernetes secret to be created.
Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
Templates enable you to transform data from Infisical before storing it as a Kubernetes Secret.
When set to true, this option injects all secrets retrieved from Infisical into your configuration. Secrets defined in the template will override the automatically injected secrets.
Define secret keys and their corresponding templates. Each data value uses a Golang template with access to all secrets retrieved from the specified scope.
Secrets are structured as follows:
type TemplateSecret struct {
Value string `json:"value"`
SecretPath string `json:"secretPath"`
}
Example template configuration:
managedSecretReference:
secretName: managed-secret
secretNamespace: default
template:
includeAllSecrets: true
data:
NEW_KEY: "{{ .KEY1.SecretPath }} {{ .KEY1.Value }}"
When you run the following command:
kubectl get secret managed-secret -o jsonpath='{.data}'
You’ll receive Kubernetes secrets output that includes the NEW_KEY:
{... "KEY":"d29ybGQ=","NEW_KEY":"LyBoZWxsbw=="}
When you set includeAllSecrets as false the Kubernetes secrets outputs will be:
{"NEW_KEY":"LyBoZWxsbw=="}
Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator. This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
Available options
Orphan(default)Owner
When creation policy is set to Owner, the InfisicalSecret CRD must be in
the same namespace as where the managed kubernetes secret.
Propagating labels & annotations
The operator will transfer all labels & annotations present on the InfisicalSecret CRD to the managed Kubernetes secret to be created.
Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: infisicalsecret-sample
labels:
label-to-be-passed-to-managed-secret: sample-value
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
spec:
..
authentication:
...
managedSecretReference:
...
This would result in the following managed secret to be created:
apiVersion: v1
data: ...
kind: Secret
metadata:
annotations:
example.com/annotation-to-be-passed-to-managed-secret: sample-value
secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
labels:
label-to-be-passed-to-managed-secret: sample-value
name: managed-token
namespace: default
type: Opaque
Apply the InfisicalSecret CRD to your cluster
Once you have configured the InfisicalSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that the managed secret has been created in the desired namespace your specified.
kubectl apply -f example-infisical-secret-crd.yaml
Verify managed secret creation
To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.
# Verify managed secret is created
kubectl get secrets -n <namespace of managed secret>
The Infisical secrets will be synced and stored into the managed secret every 1 minutes.
Using managed secret in your deployment
Incorporating the managed secret created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets here
This will take all the secrets from your managed secret and expose them to your container
envFrom:
- secretRef:
name: managed-secret # managed secret name
```
Example usage in a deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
envFrom:
- secretRef:
name: managed-secret # <- name of managed secret
ports:
- containerPort: 80
This will allow you to select individual secrets by key name from your managed secret and expose them to your container
env:
- name: SECRET_NAME # The environment variable's name which is made available in the container
valueFrom:
secretKeyRef:
name: managed-secret # managed secret name
key: SOME_SECRET_KEY # The name of the key which exists in the managed secret
Example usage in a deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers: - name: nginx
image: nginx:1.14.2
env: - name: STRIPE_API_SECRET
valueFrom:
secretKeyRef:
name: managed-secret # <- name of managed secret
key: STRIPE_API_SECRET
ports: - containerPort: 80
This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
volumes:
- name: secrets-volume-name # The name of the volume under which secrets will be stored
secret:
secretName: managed-secret # managed secret name
You can then mount this volume to the container’s filesystem so that your deployment can access the files containing the managed secrets
volumeMounts:
- name: secrets-volume-name
mountPath: /etc/secrets
readOnly: true
Example usage in a deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
volumeMounts:
- name: secrets-volume-name
mountPath: /etc/secrets
readOnly: true
ports:
- containerPort: 80
volumes:
- name: secrets-volume-name
secret:
secretName: managed-secret # <- managed secrets
The definition file of the Kubernetes secret for the CA certificate can be structured like the following:
apiVersion: v1
kind: Secret
metadata:
name: custom-ca-certificate
type: Opaque
stringData:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
...
BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
-----END CERTIFICATE-----
Auto redeployment
Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.
Enabling auto redeploy
To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret
secrets.infisical.com/auto-reload: "true"
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
annotations:
secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
envFrom:
- secretRef:
name: managed-secret
ports:
- containerPort: 80
How it works
When a secret change occurs, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update. Then, for each deployment that has this annotation present, a rolling update will be triggered.
Push Secrets to Infisical
Example usage
Below is a sample InfisicalPushSecret CRD that pushes secrets defined in a Kubernetes secret to Infisical.
After filling out the fields in the InfisicalPushSecret CRD, you can apply it directly to your cluster.
Before applying the InfisicalPushSecret CRD, you need to create a Kubernetes secret containing the secrets you want to push to Infisical. An example can be seen below the InfisicalPushSecret CRD.
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalPushSecret
metadata:
name: infisical-push-secret-demo
spec:
resyncInterval: 1m
hostAPI: https://app.infisical.com/api
# Optional, defaults to no replacement.
updatePolicy: Replace # If set to replace, existing secrets inside Infisical will be replaced by the value of the PushSecret on sync.
# Optional, defaults to no deletion.
deletionPolicy: Delete # If set to delete, the secret(s) inside Infisical managed by the operator, will be deleted if the InfisicalPushSecret CRD is deleted.
destination:
projectId: <project-id>
environmentSlug: <env-slug>
secretsPath: <secret-path>
push:
secret:
secretName: push-secret-demo # Secret CRD
secretNamespace: default
# Only have one authentication method defined or you are likely to run into authentication issues.
# Remove all except one authentication method.
authentication:
awsIamAuth:
identityId: <machine-identity-id>
azureAuth:
identityId: <machine-identity-id>
gcpIamAuth:
identityId: <machine-identity-id>
serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
gcpIdTokenAuth:
identityId: <machine-identity-id>
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: <secret-name>
namespace: <secret-namespace>
universalAuth:
credentialsRef:
secretName: <secret-name> # universal-auth-credentials
secretNamespace: <secret-namespace> # default
apiVersion: v1
kind: Secret
metadata:
name: push-secret-demo
namespace: default
stringData: # can also be "data", but needs to be base64 encoded
API_KEY: some-api-key
DATABASE_URL: postgres://127.0.0.1:5432
ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
kubectl apply -f source-secret.yaml
After applying the soruce-secret.yaml file, you are ready to apply the InfisicalPushSecret CRD.
kubectl apply -f infisical-push-secret.yaml
After applying the InfisicalPushSecret CRD, you should notice that the secrets you have defined in your source-secret.yaml file have been pushed to your specified destination in Infisical.
InfisicalPushSecret CRD properties
If you are fetching secrets from a self-hosted instance of Infisical set the value of hostAPI to
https://your-self-hosted-instace.com/api
When hostAPI is not defined the operator fetches secrets from Infisical Cloud.
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet. To achieve this, use the following address for the hostAPI field:
http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
Make sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.
The resyncInterval is a string-formatted duration that defines the time between each resync.
The format of the field is [duration][unit] where duration is a number and unit is a string representing the unit of time.
The following units are supported:
sfor seconds (must be at least 5 seconds)mfor minuteshfor hoursdfor dayswfor weeks
The default value is 1m (1 minute).
Valid intervals examples:
resyncInterval: 5s # 10 seconds
resyncInterval: 10s # 10 seconds
resyncInterval: 5m # 5 minutes
resyncInterval: 1h # 1 hour
resyncInterval: 1d # 1 day
The field is optional and will default to None if not defined.
The update policy defines how the operator should handle conflicting secrets when pushing secrets to Infisical.
Valid values are None and Replace.
Behavior of each policy:
None: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.Replace: The operator will replace existing secrets in Infisical with the new secrets. If a secret with the same key already exists, the operator will update the secret with the new value.
spec:
updatePolicy: Replace
This field is optional and will default to None if not defined.
The deletion policy defines what the operator should do in case the InfisicalPushSecret CRD is deleted.
Valid values are None and Delete.
Behavior of each policy:
None: The operator will not delete the secrets in Infisical when the InfisicalPushSecret CRD is deleted.Delete: The operator will delete the secrets in Infisical that are managed by the operator when the InfisicalPushSecret CRD is deleted.
spec:
deletionPolicy: Delete
The destination field is used to specify where you want to create the secrets in Infisical. The required fields are projectId, environmentSlug, and secretsPath.
spec:
destination:
projectId: <project-id>
environmentSlug: <env-slug>
secretsPath: <secrets-path>
The project ID where you want to create the secrets in Infisical.
The environment slug where you want to create the secrets in Infisical.
The path where you want to create the secrets in Infisical. The root path is /.
The push field is used to define what you want to push to Infisical. Currently the operator only supports pushing Kubernetes secrets to Infisical. An example of the push field is shown below.
The secret field is used to define the Kubernetes secret you want to push to Infisical. The required fields are secretName and secretNamespace.
Example usage of the push.secret field:
push:
secret:
secretName: push-secret-demo
secretNamespace: default
apiVersion: v1
kind: Secret
metadata:
name: push-secret-demo
namespace: default
# Pass in the secrets you wish to push to Infisical
stringData:
API_KEY: some-api-key
DATABASE_URL: postgres://127.0.0.1:5432
ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
The authentication field dictates which authentication method to use when pushing secrets to Infisical.
The available authentication methods are universalAuth, kubernetesAuth, awsIamAuth, azureAuth, gcpIdTokenAuth, and gcpIamAuth.
The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider. Read more about Universal Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.credentialsRef: The name and namespace of the Kubernetes secret that stores the service token.credentialsRef.secretName: The name of the Kubernetes secret.credentialsRef.secretNamespace: The namespace of the Kubernetes secret.
Example:
# infisical-push-secret.yaml
spec:
universalAuth:
credentialsRef:
secretName: <secret-name>
secretNamespace: <secret-namespace>
# machine-identity-credentials.yaml
apiVersion: v1
kind: Secret
metadata:
name: universal-auth-credentials
type: Opaque
stringData:
clientId: <machine-identity-client-id>
clientSecret: <machine-identity-client-secret>
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment. Read more about Kubernetes Auth. Valid fields:
identityId: The identity ID of the machine identity you created.serviceAccountRef: The name and namespace of the service account that will be used to authenticate with Infisical.serviceAccountRef.name: The name of the service account.serviceAccountRef.namespace: The namespace of the service account.
Example:
spec:
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: <secret-name>
namespace: <secret-namespace>
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Read more about AWS IAM Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
Example:
spec:
authentication:
awsIamAuth:
identityId: <machine-identity-id>
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment. Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
Example:
spec:
authentication:
azureAuth:
identityId: <machine-identity-id>
The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments. Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.serviceAccountKeyFilePath: The path to the GCP service account key file.
Example:
spec:
gcpIamAuth:
identityId: <machine-identity-id>
serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments. Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
Example:
spec:
gcpIdTokenAuth:
identityId: <machine-identity-id>
This block defines the TLS settings to use for connecting to the Infisical instance.
Fields:
This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Valid fields:
secretName: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.secretNamespace: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.key: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Example:
tls:
caRef:
secretName: custom-ca-certificate
secretNamespace: default
key: ca.crt
Applying the InfisicalPushSecret CRD to your cluster
Once you have configured the InfisicalPushSecret CRD with the required fields, you can apply it to your cluster.
After applying, you should notice that the secrets have been pushed to Infisical.
kubectl apply -f source-push-secret.yaml # The secret that you're referencing in the InfisicalPushSecret CRD push.secret field
kubectl apply -f example-infisical-push-secret-crd.yaml # The InfisicalPushSecret CRD itself
Sync Dynamic Secrets to your cluster
Example usage
The example below demonstrates a sample InfisicalDynamicSecret CRD that creates a dynamic secret lease in Infisical, and syncs the lease to your Kubernetes cluster.
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalDynamicSecret
metadata:
name: infisicaldynamicsecret
spec:
hostAPI: https://app.infisical.com/api # Optional, defaults to https://app.infisical.com/api
dynamicSecret:
secretName: <dynamic-secret-name>
projectId: <project-id>
secretsPath: <path/to/dynamic-secret> # Root directory is /
environmentSlug: <env-slug>
# Lease revocation policy defines what should happen to leases created by the operator if the CRD is deleted.
# If set to "Revoke", leases will be revoked when the InfisicalDynamicSecret CRD is deleted.
leaseRevocationPolicy: Revoke
# Lease TTL defines how long the lease should last for the dynamic secret.
# This value must be less than 1 day, and if a max TTL is defined on the dynamic secret, it must be below the max TTL.
leaseTTL: 1m
# A reference to the secret that the dynamic secret lease should be stored in.
# If the secret doesn't exist, it will automatically be created.
managedSecretReference:
secretName: <secret-name>
secretNamespace: default # Must be the same namespace as the InfisicalDynamicSecret CRD.
creationPolicy: Orphan
# Only have one authentication method defined or you are likely to run into authentication issues.
# Remove all except one authentication method.
authentication:
awsIamAuth:
identityId: <machine-identity-id>
azureAuth:
identityId: <machine-identity-id>
gcpIamAuth:
identityId: <machine-identity-id>
serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
gcpIdTokenAuth:
identityId: <machine-identity-id>
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: <secret-name>
namespace: <secret-namespace>
universalAuth:
credentialsRef:
secretName: <secret-name> # universal-auth-credentials
secretNamespace: <secret-namespace> # default
Apply the InfisicalDynamicSecret CRD to your cluster.
kubectl apply -f dynamic-secret-crd.yaml
After applying the InfisicalDynamicSecret CRD, you should notice that the dynamic secret lease has been created in Infisical and synced to your Kubernetes cluster. You can verify that the lease has been created by doing:
kubectl get secret <managed-secret-name> -o yaml
After getting the secret, you should should see that the secret has data that contains the lease credentials.
apiVersion: v1
data:
DB_PASSWORD: VHhETjZ4c2xsTXpOSWdPYW5LLlRyNEc2alVKYml6WiQjQS0tNTdodyREM3ZLZWtYSi4hTkdyS0F+TVFsLU9CSA==
DB_USERNAME: cHg4Z0dJTUVBcHdtTW1aYnV3ZWRsekJRRll6cW4wFEE=
kind: Secret
# .....
InfisicalDynamicSecret CRD properties
If you are fetching secrets from a self-hosted instance of Infisical set the value of hostAPI to
https://your-self-hosted-instace.com/api
When hostAPI is not defined the operator fetches secrets from Infisical Cloud.
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet. To achieve this, use the following address for the hostAPI field:
http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
Make sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.
The leaseTTL is a string-formatted duration that defines the time the lease should last for the dynamic secret.
The format of the field is [duration][unit] where duration is a number and unit is a string representing the unit of time.
The following units are supported:
sfor seconds (must be at least 5 seconds)mfor minuteshfor hoursdfor days
The lease duration at most be 1 day (24 hours). And the TTL must be less than the max TTL defined on the dynamic secret.
The managedSecretReference field is used to define the Kubernetes secret where the dynamic secret lease should be stored. The required fields are secretName and secretNamespace.
spec:
managedSecretReference:
secretName: <secret-name>
secretNamespace: default
The name of the Kubernetes secret where the dynamic secret lease should be stored.
The namespace of the Kubernetes secret where the dynamic secret lease should be stored.
Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator. This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
Available options
Orphan(default)Owner
When creation policy is set to Owner, the InfisicalSecret CRD must be in
the same namespace as where the managed kubernetes secret.
This field is optional.
Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
This field is optional.
The field is optional and will default to None if not defined.
The lease revocation policy defines what the operator should do with the leases created by the operator, when the InfisicalDynamicSecret CRD is deleted.
Valid values are None and Revoke.
Behavior of each policy:
None: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.Revoke: The operator will revoke the leases created by the operator when the InfisicalDynamicSecret CRD is deleted.
spec:
leaseRevocationPolicy: Revoke
The dynamicSecret field is used to specify which dynamic secret to create leases for. The required fields are secretName, projectId, secretsPath, and environmentSlug.
spec:
dynamicSecret:
secretName: <dynamic-secret-name>
projectId: <project-id>
environmentSlug: <env-slug>
secretsPath: <secrets-path>
The name of the dynamic secret.
The project ID of where the dynamic secret is stored in Infisical.
The environment slug of where the dynamic secret is stored in Infisical.
The path of where the dynamic secret is stored in Infisical. The root path is /.
The authentication field dictates which authentication method to use when pushing secrets to Infisical.
The available authentication methods are universalAuth, kubernetesAuth, awsIamAuth, azureAuth, gcpIdTokenAuth, and gcpIamAuth.
The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider. Read more about Universal Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.credentialsRef: The name and namespace of the Kubernetes secret that stores the service token.credentialsRef.secretName: The name of the Kubernetes secret.credentialsRef.secretNamespace: The namespace of the Kubernetes secret.
Example:
# infisical-push-secret.yaml
spec:
universalAuth:
credentialsRef:
secretName: <secret-name>
secretNamespace: <secret-namespace>
# machine-identity-credentials.yaml
apiVersion: v1
kind: Secret
metadata:
name: universal-auth-credentials
type: Opaque
stringData:
clientId: <machine-identity-client-id>
clientSecret: <machine-identity-client-secret>
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment. Read more about Kubernetes Auth. Valid fields:
identityId: The identity ID of the machine identity you created.serviceAccountRef: The name and namespace of the service account that will be used to authenticate with Infisical.serviceAccountRef.name: The name of the service account.serviceAccountRef.namespace: The namespace of the service account.
Example:
spec:
kubernetesAuth:
identityId: <machine-identity-id>
serviceAccountRef:
name: <secret-name>
namespace: <secret-namespace>
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Read more about AWS IAM Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
Example:
spec:
authentication:
awsIamAuth:
identityId: <machine-identity-id>
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment. Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
Example:
spec:
authentication:
azureAuth:
identityId: <machine-identity-id>
The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments. Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.serviceAccountKeyFilePath: The path to the GCP service account key file.
Example:
spec:
gcpIamAuth:
identityId: <machine-identity-id>
serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments. Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
Example:
spec:
gcpIdTokenAuth:
identityId: <machine-identity-id>
This block defines the TLS settings to use for connecting to the Infisical instance.
Fields:
This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Valid fields:
secretName: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.secretNamespace: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.key: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Example:
tls:
caRef:
secretName: custom-ca-certificate
secretNamespace: default
key: ca.crt
Applying the InfisicalDynamicSecret CRD to your cluster
Once you have configured the InfisicalDynamicSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that a lease has been created in Infisical and synced to your Kubernetes cluster.
kubectl apply -f dynamic-secret-crd.yaml
Auto redeployment
Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.
Enabling auto redeploy
To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret
secrets.infisical.com/auto-reload: "true"
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
annotations:
secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
envFrom:
- secretRef:
name: managed-secret # The name of your managed secret, the same that you're using in your InfisicalDynamicSecret CRD (spec.managedSecretReference.secretName)
ports:
- containerPort: 80
How it works
When the lease changes, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update. Then, for each deployment that has this annotation present, a rolling update will be triggered. A redeployment won’t happen if the lease is renewed, only if it’s recreated.
Connecting to instances with private/self-signed certificate
To connect to Infisical instances behind a private/self-signed certificate, you can configure the TLS settings in the CRD to point to a CA certificate stored in a Kubernetes secret resource.
---
spec:
hostAPI: https://app.infisical.com/api
tls:
caRef:
secretName: custom-ca-certificate
secretNamespace: default
key: ca.crt
---
Global configuration
To configure global settings that will apply to all instances of InfisicalSecret, you can define these configurations in a Kubernetes ConfigMap.
For example, you can configure all InfisicalSecret instances to fetch secrets from a single backend API without specifying the hostAPI parameter for each instance.
Available global properties
| Property | Description | Default value |
|---|---|---|
| hostAPI | If hostAPI in InfisicalSecret instance is left empty, this value will be used | https://app.infisical.com/api |
Applying global configurations
All global configurations must reside in a Kubernetes ConfigMap named infisical-config in the namespace infisical-operator-system.
To apply global configuration to the operator, copy the following yaml into infisical-config.yaml file.
apiVersion: v1
kind: Namespace
metadata:
name: infisical-operator-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: infisical-config
namespace: infisical-operator-system
data:
hostAPI: https://example.com/api # <-- global hostAPI
Then apply this change via kubectl by running the following
kubectl apply -f infisical-config.yaml
Troubleshoot operator
If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret.
It will continue attempting to reconnect to the API indefinitely.
The InfisicalSecret resource uses the status.conditions field to report its current state and any errors encountered.
$ kubectl get infisicalSecrets
NAME AGE
infisicalsecret-sample 12s
$ kubectl describe infisicalSecret infisicalsecret-sample
...
Spec:
...
Status:
Conditions:
Last Transition Time: 2022-12-18T04:29:09Z
Message: Infisical controller has located the Infisical token in provided Kubernetes secret
Reason: OK
Status: True
Type: secrets.infisical.com/LoadedInfisicalToken
Last Transition Time: 2022-12-18T04:29:10Z
Message: Failed to update secret because: 400 Bad Request
Reason: Error
Status: False
Type: secrets.infisical.com/ReadyToSyncSecrets
Events: <none>
Uninstall Operator
The managed secret created by the operator will not be deleted when the operator is uninstalled.
Install Infisical Helm repository
helm uninstall <release name>
Useful Articles
Was this page helpful?
- Install Operator
- Custom Resource Definitions (CRD’s)
- Sync Infisical Secrets to your cluster
- InfisicalSecret CRD properties
- Propagating labels & annotations
- Apply the InfisicalSecret CRD to your cluster
- Verify managed secret creation
- Using managed secret in your deployment
- Auto redeployment
- Enabling auto redeploy
- Push Secrets to Infisical
- Example usage
- InfisicalPushSecret CRD properties
- Applying the InfisicalPushSecret CRD to your cluster
- Sync Dynamic Secrets to your cluster
- Example usage
- InfisicalDynamicSecret CRD properties
- Applying the InfisicalDynamicSecret CRD to your cluster
- Auto redeployment
- Enabling auto redeploy
- Connecting to instances with private/self-signed certificate
- Global configuration
- Available global properties
- Applying global configurations
- Troubleshoot operator
- Uninstall Operator
- Useful Articles