Getting Started

The Infisical Secrets Operator fetches secrets from Infisical and saves them as Kubernetes secrets using the custom InfisicalSecret resource to define authentication and storage methods. The operator updates secrets continuously and can reload dependent deployments automatically on secret changes.


  • Connected to your cluster via kubectl
  • Have a project with secrets ready in Infisical Cloud.
  • Create an Infisical Token scoped to an environment in your project in Infisical.


Follow the instructions for either Helm or kubectl to install the Infisical Secrets Operator.

  • Helm

  • Kubectl

Install the Infisical Helm repository

helm repo add infisical-helm-charts '' 

helm repo update

Install the Helm chart

helm install --generate-name infisical-helm-charts/secrets-operator


Step 1: Create Kubernetes secret containing service token

Once you have generated the service token, create a Kubernetes secret containing the service token you generated by running the command below.

kubectl create secret generic service-token --from-literal=infisicalToken=<your-service-token-here> 

Step 2: Fill out the InfisicalSecrets CRD and apply it to your cluster

kind: InfisicalSecret
  # Name of of this InfisicalSecret resource
  name: infisicalsecret-sample
  # The host that should be used to pull secrets from. If left empty, the value specified in Global configuration will be used
      serviceTokenSecretReference: # <-- The secret's namespaced name that holds the project token for authentication in step 1
        secretName: service-token
        secretNamespace: option
    secretName: managed-secret # <-- the name of kubernetes secret that will be created
    secretNamespace: default # <-- in what namespace it will be created in
kubectl apply -f infisical-secrets-config.yaml

You should now see a new kubernetes secret automatically created in the namespace you defined in the managedSecretReference property above.

See also: