How to use Infisical to inject secrets into Kubernetes clusters.
The Infisical Secrets Operator is a Kubernetes controller that retrieves secrets from Infisical and stores them in a designated cluster.
It uses an InfisicalSecret resource to specify authentication and storage methods.
The operator continuously updates secrets and can also reload dependent deployments automatically.
For production deployments, it is highly recommended to set the chart version and the application version during installs and upgrades.
This will prevent the operator from being accidentally updated to the latest version and introduce unintended breaking changes.
View application versions here and chart versions here
Copy
Ask AI
helm install --generate-name infisical-helm-charts/secrets-operator --version=<PLACE-CHART-VERSION-HERE> --set controllerManager.manager.image.tag=<PLACE-APP-VERSION-HERE># Example installing app version v0.2.0 and chart version 0.1.4helm install --generate-name infisical-helm-charts/secrets-operator --version=0.1.4 --set controllerManager.manager.image.tag=v0.2.0
For production deployments, it is highly recommended to set the chart version and the application version during installs and upgrades.
This will prevent the operator from being accidentally updated to the latest version and introduce unintended breaking changes.
View application versions here and chart versions here
Copy
Ask AI
helm install --generate-name infisical-helm-charts/secrets-operator --version=<PLACE-CHART-VERSION-HERE> --set controllerManager.manager.image.tag=<PLACE-APP-VERSION-HERE># Example installing app version v0.2.0 and chart version 0.1.4helm install --generate-name infisical-helm-charts/secrets-operator --version=0.1.4 --set controllerManager.manager.image.tag=v0.2.0
For production deployments, it is highly recommended to set the version of the Kubernetes operator manually instead of pointing to the latest version.
Doing so will help you avoid accidental updates to the newest release which may introduce unintended breaking changes. View all application versions here.
The command below will install the most recent version of the Kubernetes operator.
However, to set the version manually, download the manifest and set the image tag version of infisical/kubernetes-operator according to your desired version.
Once you apply the manifest, the operator will be installed in infisical-operator-system namespace.
If you are fetching secrets from a self hosted instance of Infisical set the value of hostAPI to
https://your-self-hosted-instace.com/api
When hostAPI is not defined the operator fetches secrets from Infisical Cloud.
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet.
To achieve this, use the following address for the hostAPI field:
Make sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.
This property defines the time in seconds between each secret re-sync from Infisical. Shorter time between re-syncs will require higher rate limits only available on paid plans.
Default re-sync interval is every 1 minute.
This block defines the method that will be used to authenticate with Infisical so that secrets can be fetched
The universal machine identity authentication method is used to authenticate with Infisical. The client ID and client secret needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.
Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials.
To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.
Make sure you replace <your-identity-client-id> with the identity client ID and <your-identity-client-secret> with the identity client secret.
Add reference for the Kubernetes secret containing the identity credentials
Once the secret is created, add the secretName and secretNamespace of the secret that was just created under authentication.universalAuth.credentialsRef field in the InfisicalSecret resource.
Make sure to also populate the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.
apiVersion: secrets.infisical.com/v1alpha1kind: InfisicalSecretmetadata: name: infisicalsecret-sample-crdspec: authentication: universalAuth: secretsScope: projectSlug: <project-slug> # <-- project slug envSlug: <env-slug> # "dev", "staging", "prod", etc.. secretsPath: "<secrets-path>" # Root is "/" credentialsRef: secretName: universal-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials ...
The service token required to authenticate with Infisical needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token.
Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.
2. Create Kubernetes secret containing service token
Once you have generated the service token, you will need to create a Kubernetes secret containing the service token you generated.
To quickly create a Kubernetes secret containing the generated service token, you can run the command below. Make sure you replace <your-service-token-here> with your service token.
3. Add reference for the Kubernetes secret containing service token
Once the secret is created, add the name and namespace of the secret that was just created under authentication.serviceToken.serviceTokenSecretReference field in the InfisicalSecret resource.
Make sure to also populate the secretsScope field with the, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.
apiVersion: secrets.infisical.com/v1alpha1kind: InfisicalSecretmetadata: name: infisicalsecret-sample-crdspec: authentication: serviceToken: serviceTokenSecretReference: secretName: service-token # <-- name of the Kubernetes secret that stores our service token secretNamespace: option # <-- namespace of the Kubernetes secret that stores our service token secretsScope: envSlug: <env-slug> # "dev", "staging", "prod", etc.. secretsPath: <secrets-path> # Root is "/" ...
The managedSecretReference field is used to define the target location for storing secrets retrieved from an Infisical project.
This field requires specifying both the name and namespace of the Kubernetes secret that will hold these secrets.
The Infisical operator will automatically create the Kubernetes secret with the specified name/namespace and keep it continuously updated.
Note: The managed secret be should be created in the same namespace as the deployment that will use it.
The name of the managed Kubernetes secret to be created
The namespace of the managed Kubernetes secret to be created.
Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator.
This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
The operator will transfer all labels & annotations present on the InfisicalSecret CRD to the managed Kubernetes secret to be created.
Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
Once you have configured the Infisical CRD with the required fields, you can apply it to your cluster.
After applying, you should notice that the managed secret has been created in the desired namespace your specified.
Incorporating the managed secret created by the operator into your deployment can be achieved through several methods.
Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets here
This will take all the secrets from your managed secret and expose them to your container
Copy
Ask AI
envFrom: - secretRef: name: managed-secret # managed secret name
This will allow you to select individual secrets by key name from your managed secret and expose them to your container
Copy
Ask AI
env: - name: SECRET_NAME # The environment variable's name which is made available in the container valueFrom: secretKeyRef: name: managed-secret # managed secret name key: SOME_SECRET_KEY # The name of the key which exists in the managed secret
This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
Copy
Ask AI
volumes: - name: secrets-volume-name # The name of the volume under which secrets will be stored secret: secretName: managed-secret # managed secret name
You can then mount this volume to the container’s filesystem so that your deployment can access the files containing the managed secrets
Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed.
To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.
To configure global settings that will apply to all instances of InfisicalSecret, you can define these configurations in a Kubernetes ConfigMap.
For example, you can configure all InfisicalSecret instances to fetch secrets from a single backend API without specifying the hostAPI parameter for each instance.
All global configurations must reside in a Kubernetes ConfigMap named infisical-config in the namespace infisical-operator-system.
To apply global configuration to the operator, copy the following yaml into infisical-config.yaml file.
If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret.
It will continue attempting to reconnect to the API indefinitely.
The InfisicalSecret resource uses the status.conditions field to report its current state and any errors encountered.
Copy
Ask AI
$ kubectl get infisicalSecretsNAME AGEinfisicalsecret-sample 12s$ kubectl describe infisicalSecret infisicalsecret-sample...Spec:...Status: Conditions: Last Transition Time: 2022-12-18T04:29:09Z Message: Infisical controller has located the Infisical token in provided Kubernetes secret Reason: OK Status: True Type: secrets.infisical.com/LoadedInfisicalToken Last Transition Time: 2022-12-18T04:29:10Z Message: Failed to update secret because: 400 Bad Request Reason: Error Status: False Type: secrets.infisical.com/ReadyToSyncSecretsEvents: <none>
