Infisical home pagelight logo
Getting Started
Kubernetes

The Infisical Secrets Operator fetches secrets from Infisical and saves them as Kubernetes secrets using the custom InfisicalSecret resource to define authentication and storage methods. The operator updates secrets continuously and can reload dependent deployments automatically on secret changes.

Prerequisites:

  • Connected to your cluster via kubectl
  • Have a project with secrets ready in Infisical Cloud.
  • Create an Infisical Token scoped to an environment in your project in Infisical.

Installation

Follow the instructions for either Helm or kubectl to install the Infisical Secrets Operator.

  • Helm

  • Kubectl

Install the Infisical Helm repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 

helm repo update

Install the Helm chart

helm install --generate-name infisical-helm-charts/secrets-operator

Usage

Step 1: Create Kubernetes secret containing service token

Once you have generated the service token, create a Kubernetes secret containing the service token you generated by running the command below.

kubectl create secret generic service-token --from-literal=infisicalToken=<your-service-token-here>

Step 2: Fill out the InfisicalSecrets CRD and apply it to your cluster

infisical-secrets-config.yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  # Name of of this InfisicalSecret resource
  name: infisicalsecret-sample
spec:
  # The host that should be used to pull secrets from. If left empty, the value specified in Global configuration will be used
  hostAPI: https://app.infisical.com/api
  authentication:
    serviceToken: 
      serviceTokenSecretReference: # <-- The secret's namespaced name that holds the project token for authentication in step 1
        secretName: service-token
        secretNamespace: option
  managedSecretReference: 
    secretName: managed-secret # <-- the name of kubernetes secret that will be created
    secretNamespace: default # <-- in what namespace it will be created in

kubectl apply -f infisical-secrets-config.yaml

You should now see a new kubernetes secret automatically created in the namespace you defined in the managedSecretReference property above.

See also: