Automate the initial setup of a new Infisical instance for headless deployment and infrastructure-as-code workflows
infisical bootstrap
command is used when deploying Infisical in automated environments where manual UI setup is not feasible. Itβs ideal for:
--domain
INFISICAL_API_URL
environment variable.INFISICAL_ADMIN_EMAIL
environment variable.--password
INFISICAL_ADMIN_PASSWORD
environment variable.--organization
INFISICAL_ADMIN_ORGANIZATION
environment variable.--ignore-if-bootstrapped
false
.--output
k8-secret
for Kubernetes secret integration. This flag is optional and defaults to "".k8-secret
, the command will create or update a Kubernetes secret directly in your cluster. Note that this option requires the command to be executed from within a Kubernetes pod with appropriate service account permissions.--k8-secret-template
--output=k8-secret
. The template uses Go template syntax and has access to the bootstrap response data.encodeBase64
: Base64 encode a string.Identity.Credentials.Token
: The machine identity token.Identity.ID
: The identity ID.Identity.Name
: The identity name.Organization.ID
: The organization ID.Organization.Name
: The organization name.Organization.Slug
: The organization slug.User.Email
: The admin user email.User.ID
: The admin user ID.User.FirstName
: The admin user first name.User.LastName
: The admin user last namek8-secret
output.--k8-secret-name
--output=k8-secret
.k8-secret
output.--k8-secret-namespace
--output=k8-secret
.k8-secret
output.--output=k8-secret
, the command creates or updates a Kubernetes secret in your cluster and logs the operation result. This is particularly useful for automated bootstrapping scenarios such as Kubernetes Jobs, GitOps workflows, or when you need to immediately store the admin credentials for use by other applications in your cluster.
--output=k8-secret
, the command must be executed from within a Kubernetes pod with proper service account permissions. The command automatically:
/var/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
KUBERNETES_SERVICE_HOST
and KUBERNETES_SERVICE_PORT_HTTPS
)k8-secret
output, the command must run within a Kubernetes pod with proper service account permissions--ignore-if-bootstrapped
flag is useful for making bootstrap scripts idempotent