How to use Infisical to inject secrets into Kubernetes clusters.

The Infisical Kubernetes operator uses the `InfisicalSecret` resource to specify authentication and storage methods. The operator continuously updates secrets and can also reload dependent deployments automatically.

The operator is configured through the `InfisicalSecret` custom resource definition (CRD); its fields are described below.
### `hostAPI`

If you are self-hosting Infisical, set `hostAPI` to `https://your-self-hosted-instace.com/api` (the API path of your own instance). When `hostAPI` is not defined, the operator fetches secrets from Infisical Cloud.

Advanced use case: if the operator runs in the same cluster as the Infisical backend, `hostAPI` can point at the backend service directly. Replace `<backend-svc-name>` and `<namespace>` with the appropriate values for your backend service and namespace.

### `resyncInterval`

Controls how often the operator re-fetches secrets from Infisical and refreshes the managed Kubernetes secret.
### `authentication`

#### `authentication.universalAuth`

1. Create a machine identity.
2. Create a Kubernetes secret containing the machine identity credentials. Replace `<your-identity-client-id>` with the identity client ID and `<your-identity-client-secret>` with the identity client secret.
3. Add a reference to the Kubernetes secret containing the identity credentials: set the `secretName` and `secretNamespace` of the secret you just created under the `authentication.universalAuth.credentialsRef` field in the `InfisicalSecret` resource.
4. Set the `secretsScope` field with the project slug (`projectSlug`), environment slug (`envSlug`), and secrets path (`secretsPath`) that you want to fetch secrets from. Please see the example below.
#### `authentication.serviceToken`

Create a Kubernetes secret containing your service token, replacing `<your-service-token-here>` with your service token, and reference it in the `authentication.serviceToken.serviceTokenSecretReference` field in the `InfisicalSecret` resource. Set the `secretsScope` field with the environment slug (`envSlug`) and secrets path (`secretsPath`) that you want to fetch secrets from. Please see the example below.
### `managedSecretReference`

The `managedSecretReference` field is used to define the target location for storing secrets retrieved from an Infisical project. This field requires specifying both the name and namespace of the Kubernetes secret that will hold these secrets. The Infisical operator will automatically create the Kubernetes secret with the specified name/namespace and keep it continuously updated.

Note: The managed secret should be created in the same namespace as the deployment that will use it.

- `managedSecretReference.secretName`
- `managedSecretReference.secretNamespace`
- `managedSecretReference.secretType`
- `managedSecretReference.creationPolicy`: `Orphan` (default) or `Owner`. When set to `Owner`, the `InfisicalSecret` CRD must be in the same namespace as the managed Kubernetes secret.

Labels set on the `InfisicalSecret` CRD are propagated to the managed Kubernetes secret to be created. Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
#### Example propagation

### Using the managed secret

The managed Kubernetes secret can be consumed by a workload through `envFrom`, `env`, or `volumes`.

#### Deployment example with auto redeploy enabled
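As an added example (not a manifest from this page or from Infisical's own documentation), the following manifests tie the fields above together: a Kubernetes Secret holding the machine identity credentials, an `InfisicalSecret` using `universalAuth` with `creationPolicy: Owner` and a label to propagate, and a Pod consuming the managed secret through `envFrom`. The `apiVersion` `secrets.infisical.com/v1alpha1`, the credential key names `clientId`/`clientSecret`, and `resyncInterval` being in seconds are assumptions, as are all names, slugs and the image.

```yaml
# Added example, not from the page; API version and credential key names are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials   # referenced by credentialsRef below
  namespace: backend
type: Opaque
stringData:                          # assumed key names clientId / clientSecret
  clientId: "<your-identity-client-id>"
  clientSecret: "<your-identity-client-secret>"
---
apiVersion: secrets.infisical.com/v1alpha1   # assumed API group/version
kind: InfisicalSecret
metadata:
  name: backend-infisical-secret
  namespace: backend                 # Owner policy: same namespace as the managed secret
  labels:
    app: backend                     # propagated onto the managed secret
spec:
  hostAPI: https://your-self-hosted-instace.com/api   # omit to use Infisical Cloud
  resyncInterval: 60                 # assumed to be seconds
  authentication:
    universalAuth:
      credentialsRef:
        secretName: universal-auth-credentials
        secretNamespace: backend
      secretsScope:
        projectSlug: "<your-project-slug>"
        envSlug: prod
        secretsPath: "/backend"
  managedSecretReference:
    secretName: backend-managed-secret
    secretNamespace: backend         # same namespace as the workload that uses it
    secretType: Opaque
    creationPolicy: Owner
---
apiVersion: v1
kind: Pod
metadata:
  name: backend
  namespace: backend
spec:
  containers:
    - name: backend
      image: registry.example.com/backend:1.0   # placeholder image
      envFrom:
        - secretRef:
            name: backend-managed-secret        # each key becomes an environment variable
```

A Deployment would consume `backend-managed-secret` the same way in its pod template; with a Deployment the operator can additionally reload the workload when the managed secret changes, as described above.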
### Global configuration

Instead of repeating the same settings in every `InfisicalSecret`, you can define these configurations in a Kubernetes ConfigMap. For example, you can configure all `InfisicalSecret` instances to fetch secrets from a single backend API without specifying the `hostAPI` parameter for each instance.

| Property | Description | Default value |
|---|---|---|
| `hostAPI` | If `hostAPI` in the `InfisicalSecret` instance is left empty, this value will be used | `https://app.infisical.com/api` |

The operator reads this configuration from a ConfigMap named `infisical-config` in the namespace `infisical-operator-system`. To apply global configuration to the operator, copy the following yaml into an `infisical-config.yaml` file.
### Status

Each `InfisicalSecret` uses the `status.conditions` field to report its current state and any errors encountered.