Kubernetes


The Infisical Secrets Operator is a Kubernetes controller that retrieves secrets from Infisical and stores them in a designated cluster. It uses an InfisicalSecret resource to specify authentication and storage methods. The operator continuously updates secrets and can also reload dependent deployments automatically.

Install Operator

The operator can be installed via Helm or kubectl.


Install Infisical Helm repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
  
helm repo update

Install the Helm chart

helm install --generate-name infisical-helm-charts/secrets-operator

Sync Infisical Secrets to your cluster

To retrieve secrets from an Infisical project and save them as native Kubernetes secrets within a specific namespace, utilize the InfisicalSecret custom resource definition (CRD). This resource can be created after installing the Infisical operator. For each new managed secret, you will need to create a new InfisicalSecret CRD.

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  # Name of this InfisicalSecret resource
  name: infisicalsecret-sample
spec:
  # The host that should be used to pull secrets from. If left empty, the value specified in Global configuration will be used
  hostAPI: https://app.infisical.com/api
  # Choose ONE of the two authentication options below
  authentication:
    serviceToken: # <-- option 1
      serviceTokenSecretReference:
        secretName: service-token # <-- the Kubernetes secret that holds the Infisical service token
        secretNamespace: default # <-- the namespace of that Kubernetes secret
    serviceAccount: # <-- option 2
      serviceAccountSecretReference:
        secretName: service-account
        secretNamespace: default
      projectId: "6439ec224cfbf7ea2a95b651"
      environmentName: "dev"
  managedSecretReference:
    secretName: managed-secret # <-- the name of the kubernetes secret that will be created
    secretNamespace: default # <-- the namespace where the kubernetes secret will be created
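The InfisicalSecret above references a Kubernetes secret called service-token but the page does not show how that secret is created. The manifest below is an added example, not part of the Infisical docs: it creates that secret in the namespace the CRD points at. The key name infisicalToken is an assumption about what the operator reads; confirm it against the operator version you installed, and the token value is a constructed placeholder.

```yaml
# Added example (not from the Infisical docs): the Kubernetes Secret that
# serviceTokenSecretReference in the InfisicalSecret above points at.
# Assumption: the operator reads the service token from the key "infisicalToken".
apiVersion: v1
kind: Secret
metadata:
  name: service-token        # must match serviceTokenSecretReference.secretName
  namespace: default         # must match serviceTokenSecretReference.secretNamespace
type: Opaque
stringData:
  # Constructed placeholder; replace with the real Infisical service token
  infisicalToken: st.REPLACE_WITH_SERVICE_TOKEN
```

Apply it with kubectl apply from wherever you keep cluster credentials out of version control, rather than committing the rendered file. The service token grants read access to the Infisical project, so restrict who can read secrets in this namespace with RBAC just as you would for the managed secret itself.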


Verify managed secret creation

To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.

# Verify managed secret is created
kubectl get secrets -n <namespace of managed secret>

The Infisical secrets will be synced and stored into the managed secret every minute.

Using managed secret in your deployment

The managed secret created by the operator can be incorporated into your deployment in several ways. Here, we highlight three of the most common ways to use it. See the Kubernetes documentation on secrets for more detail.

Auto redeployment

Deployments that use managed secrets do not reload automatically when the secret is updated, so they may keep running with outdated secrets unless they are manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.

Enabling auto redeploy

To enable auto redeployment, add the following annotation to the deployment that consumes a managed secret:

secrets.infisical.com/auto-reload: "true"
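The following Deployment is an added example that is not part of the Infisical docs. It ties together the two sections above: it consumes the managed secret in the three common ways (a single key as an environment variable, all keys via envFrom, and keys mounted as files) and carries the auto-reload annotation so the operator rolls it when the managed secret changes. It assumes the managed secret is named managed-secret in namespace default, as in the InfisicalSecret example; the key names DATABASE_URL and API_KEY and the container image are constructed for illustration.

```yaml
# Added example (not from the Infisical docs): a Deployment that consumes the
# managed secret created by the operator and opts in to auto-redeploy.
# Assumptions: managed secret "managed-secret" in namespace "default" containing
# the constructed keys DATABASE_URL and API_KEY.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: default            # must match managedSecretReference.secretNamespace
  annotations:
    # Ask the operator to redeploy this Deployment whenever managed-secret changes
    secrets.infisical.com/auto-reload: "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: nginx:1.25        # placeholder image
          env:
            # Method 1: expose one key from the managed secret as an env var
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: managed-secret
                  key: DATABASE_URL
          envFrom:
            # Method 2: expose every key in the managed secret as an env var
            - secretRef:
                name: managed-secret
          volumeMounts:
            # Method 3: mount each key as a file under /etc/secrets
            - name: infisical-secrets
              mountPath: /etc/secrets
              readOnly: true
      volumes:
        - name: infisical-secrets
          secret:
            secretName: managed-secret
```

In practice pick one method per container. Note that env entries take precedence over envFrom entries with the same name, that environment variables are only read at container start (which is why the auto-reload annotation matters), and that the volume is mounted read-only so a compromised process cannot tamper with the projected files.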

Global configuration

To configure global settings that will apply to all instances of InfisicalSecret, you can define these configurations in a Kubernetes ConfigMap. For example, you can configure all InfisicalSecret instances to fetch secrets from a single backend API without specifying the hostAPI parameter for each instance.

Available global properties

Property   Description                                                                    Default value
hostAPI    If hostAPI in an InfisicalSecret instance is left empty, this value is used    https://app.infisical.com/api

Applying global configurations

All global configurations must reside in a Kubernetes ConfigMap named infisical-config in the namespace infisical-operator-system. To apply global configuration to the operator, copy the following yaml into infisical-config.yaml file.

infisical-config.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: infisical-operator-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: infisical-config
  namespace: infisical-operator-system
data:
  hostAPI: https://example.com/api # <-- global hostAPI

Then apply this change via kubectl by running the following:

kubectl apply -f infisical-config.yaml 

Troubleshoot operator

If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret. It will continue attempting to reconnect to the API indefinitely. The InfisicalSecret resource uses the status.conditions field to report its current state and any errors encountered.

$ kubectl get infisicalSecrets
NAME                     AGE
infisicalsecret-sample   12s

$ kubectl describe infisicalSecret infisicalsecret-sample
...
Spec:
...
Status:
  Conditions:
    Last Transition Time:  2022-12-18T04:29:09Z
    Message:               Infisical controller has located the Infisical token in provided Kubernetes secret
    Reason:                OK
    Status:                True
    Type:                  secrets.infisical.com/LoadedInfisicalToken
    Last Transition Time:  2022-12-18T04:29:10Z
    Message:               Failed to update secret because: 400 Bad Request
    Reason:                Error
    Status:                False
    Type:                  secrets.infisical.com/ReadyToSyncSecrets
Events:                    <none>

Uninstall Operator

The managed secret created by the operator will not be deleted when the operator is uninstalled.

Uninstall the Helm release

helm uninstall <release name>