> ## Documentation Index
> Fetch the complete documentation index at: https://infisical-groups-phase-3.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Kubernetes via Helm Chart

> Learn how to use Helm chart to install Infisical on your Kubernetes cluster.

**Prerequisites**

* You have extensive understanding of [Kubernetes](https://kubernetes.io/)
* Installed [Helm package manager](https://helm.sh/) version v3.11.3 or greater
* You have [kubectl](https://kubernetes.io/docs/reference/kubectl/kubectl/) installed and connected to your kubernetes cluster

<Steps>
  <Step title="Install Infisical Helm repository ">
    ```bash
    helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
    ```

    ```
    helm repo update
    ```
  </Step>

  <Step title="Add Helm values">
    Create a `values.yaml` file. This will be used to configure settings for the Infisical Helm chart.
    To explore all configurable properties for your values file, [visit this page](https://raw.githubusercontent.com/Infisical/infisical/main/helm-charts/infisical-standalone-postgres/values.yaml).
  </Step>

  <Step title="Select Infisical version">
    By default, the Infisical version set in your helm chart will likely be outdated.
    Choose the latest Infisical docker image tag from here [here](https://hub.docker.com/r/infisical/infisical/tags).

    ```yaml values.yaml
    infisical:
      image:
        repository: infisical/infisical
        tag: "v0.46.2-postgres" #<-- update
        pullPolicy: IfNotPresent
    ```

    <Warning>
      Do you not use the latest docker image tag in production deployments as they can introduce unexpected changes
    </Warning>
  </Step>

  <Step title="Configure environment variables">
    To deploy this Helm chart, a Kubernetes secret named `infisical-secrets` must be present in the same namespace where the chart is being deployed.

    For a minimal installation of Infisical, you need to configure `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI`, and `REDIS_URL`. [Learn more about configuration settings](/self-hosting/configuration/envars).

    <Tabs>
      <Tab title="Proof of concept deployment">
        For test or proof-of-concept purposes, you may omit `DB_CONNECTION_URI` and `REDIS_URL` from `infisical-secrets`. This is because the Helm chart will automatically provision and connect to the in-cluster instances of Postgres and Redis by default.

        ```yaml simple-values-example.yaml 
        apiVersion: v1
        kind: Secret
        metadata:
          name: infisical-secrets
        type: Opaque
        stringData:
          AUTH_SECRET: <>
          ENCRYPTION_KEY: <>
        ```
      </Tab>

      <Tab title="Production deployment">
        For production environments, we recommend using Cloud-based Platform as a Service (PaaS) solutions for PostgreSQL and Redis to ensure high availability. In on-premise setups, it's recommended to configure Redis and Postgres for high availability, either by using Bitnami charts or a custom configuration.

        ```yaml simple-values-example.yaml 
        apiVersion: v1
        kind: Secret
        metadata:
          name: infisical-secrets
        type: Opaque
        stringData:
          AUTH_SECRET: <>
          ENCRYPTION_KEY: <>
          REDIS_URL: <>
          DB_CONNECTION_URI: <>
        ```
      </Tab>
    </Tabs>
  </Step>

  <Step title="Database schema migration ">
    Infisical relies a relational database, which means that database schemas need to be migrated before the instance can become operational.

    To automate this process, the chart includes a option named `infisical.autoDatabaseSchemaMigration`.
    When this option is enabled, a deployment/upgrade will only occur *after* a successful schema migration.

    <Info>
      If you are using in-cluster Postgres, you may notice the migration job failing initially.
      This is expected as it is waiting for the database to be in ready state.
    </Info>
  </Step>

  <Step title="Routing traffic to Infisical">
    By default, this chart uses Nginx as its Ingress controller to direct traffic to Infisical services.

    ```yaml values.yaml 
    ingress:
      nginx:
        enabled: true 
    ```
  </Step>

  <Step title="Install the Helm chart ">
    Once you are done configuring your `values.yaml` file, run the command below.

    ```bash
    helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
    ```

    <Accordion title="Full helm values example">
      ```yaml values.yaml

      nameOverride: "infisical"
      fullnameOverride: "infisical"

      infisical:
        enabled: true
        name: infisical
        autoDatabaseSchemaMigration: true
        fullnameOverride: ""
        podAnnotations: {}
        deploymentAnnotations: {}
        replicaCount: 6

        image:
          repository: infisical/infisical
          tag: "v0.46.2-postgres"
          pullPolicy: IfNotPresent

        affinity: {}
        kubeSecretRef: "infisical-secrets"
        service:
          annotations: {}
          type: ClusterIP
          nodePort: ""

        resources:
          limits:
            memory: 210Mi
          requests:
            cpu: 200m

      ingress:
        enabled: true
        hostName: ""
        ingressClassName: nginx
        nginx:
          enabled: true
        annotations: {}
        tls: []

      postgresql:
        enabled: true
        name: "postgresql"
        fullnameOverride: "postgresql"
        auth:
          username: infisical
          password: root
          database: infisicalDB

      redis:
        enabled: true
        name: "redis"
        fullnameOverride: "redis"
        cluster:
          enabled: false
        usePassword: true
        auth:
          password: "mysecretpassword"
        architecture: standalone
      ```
    </Accordion>
  </Step>

  <Step title="Access Infisical">
    After deployment, please wait for 2-5 minutes for all pods to reach a running state. Once a significant number of pods are operational, access the IP address revealed through Ingress by your load balancer.
    You can find the IP address/hostname by executing the command `kubectl get ingress`.
    ![infisical-selfhost](https://mintlify.s3-us-west-1.amazonaws.com/infisical-groups-phase-3/images/self-hosting/applicable-to-all/selfhost-signup.png)
  </Step>

  <Step title="Upgrade your instance">
    To upgrade your instance of Infisical simply update the docker image tag in your Halm values and rerun the command below.

    ```bash
    helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
    ```

    <Tip>
      Always back up your database before each upgrade, especially in a production environment.
    </Tip>
  </Step>
</Steps>