Kubernetes
The Infisical Secrets Operator fetches secrets from Infisical and saves them as Kubernetes secrets using the custom InfisicalSecret
resource to define authentication and storage methods.
The operator updates secrets continuously and can reload dependent deployments automatically on secret changes.
Prerequisites:
- You are connected to your cluster via kubectl.
- You have a project with secrets ready in Infisical Cloud.
- You have created an Infisical Token scoped to an environment in your project in Infisical.
Installation
Follow the instructions for either Helm or kubectl to install the Infisical Secrets Operator.
Helm
Install the Infisical Helm repository
helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
helm repo update
Install the Helm chart
helm install --generate-name infisical-helm-charts/secrets-operator
Usage
Step 1: Create Kubernetes secret containing service token
Once you have generated the service token, create a Kubernetes secret containing it by running the command below.
kubectl create secret generic service-token --from-literal=infisicalToken=<your-service-token-here>
Step 2: Fill out the InfisicalSecret CRD and apply it to your cluster
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  # Name of this InfisicalSecret resource
  name: infisicalsecret-sample
spec:
  # The host that should be used to pull secrets from. If left empty, the value specified in Global configuration will be used
  hostAPI: https://app.infisical.com/api
  authentication:
    serviceToken:
      serviceTokenSecretReference: # <-- The secret's namespaced name that holds the project token for authentication in step 1
        secretName: service-token
        secretNamespace: default # <-- must be the namespace where the secret from step 1 was created
  managedSecretReference:
    secretName: managed-secret # <-- the name of the Kubernetes secret that will be created
    secretNamespace: default # <-- the namespace it will be created in
kubectl apply -f infisical-secrets-config.yaml
You should now see a new Kubernetes secret automatically created in the namespace you defined in the managedSecretReference property above.
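The secretName and secretNamespace under serviceTokenSecretReference in Step 2 have to point at the Secret created in Step 1, otherwise the operator cannot read the token. The script below is an added example, not part of the Infisical documentation: it reads that block out of a manifest and compares it with where the token Secret was created. The function names and the sample manifest are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Infisical's code): preflight check for the Step 2 manifest.

# Constructed sample manifest; $1 is the namespace given for the token Secret.
sample_manifest() {
  cat <<EOF
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample
spec:
  hostAPI: https://app.infisical.com/api
  authentication:
    serviceToken:
      serviceTokenSecretReference: # token Secret from Step 1
        secretName: service-token
        secretNamespace: $1
  managedSecretReference:
    secretName: managed-secret
    secretNamespace: default
EOF
}

# Print "<secretName> <secretNamespace>" taken from the serviceTokenSecretReference
# block only; indentation marks where the block ends (managedSecretReference is skipped).
token_ref() {
  awk '
    /serviceTokenSecretReference:/ { match($0, /^ */); depth = RLENGTH; in_ref = 1; next }
    !in_ref || !NF { next }
    { match($0, /^ */); if (RLENGTH <= depth) { in_ref = 0; next } }
    $1 == "secretName:"      { name = $2 }
    $1 == "secretNamespace:" { ns = $2 }
    END { print name, ns }
  ' "$1"
}

# Args: manifest path, Secret name from Step 1, namespace Step 1 ran against.
check_token_ref() {
  ref=$(token_ref "$1")
  name=${ref%% *}; ns=${ref#* }
  if [ "$name" != "$2" ] || [ "$ns" != "$3" ]; then
    echo "MISMATCH: manifest points at '$ns/$name', Step 1 created '$3/$2'"
    return 1
  fi
  echo "OK: token Secret reference is $ns/$name"
}

# Demo on the constructed manifest: a reference to namespace "option" is flagged.
tmp=$(mktemp); sample_manifest option > "$tmp"
check_token_ref "$tmp" service-token default || true; rm -f "$tmp"
```

The expected namespace is whichever one the Step 1 command ran against; without -n, that is the namespace of the current kubectl context.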