The Infisical Secrets Operator is a custom Kubernetes controller that helps keep secrets in a cluster up to date by synchronizing them. It is installed in its own namespace within the cluster and follows strict RBAC policies. The operator uses InfisicalSecret custom resources to identify which secrets to sync and where to store them. It is responsible for continuously updating managed secrets, and in the future may also automatically reload deployments that use them as needed.
Install Infisical Helm repository
```bash
helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
helm repo update
```
Install the Helm chart
```bash
helm install --generate-name infisical-helm-charts/secrets-operator
```
Sync Infisical Secrets to your cluster
To retrieve secrets from an Infisical project and store them in your Kubernetes cluster, you can use the InfisicalSecret custom resource.
This resource is available after installing the Infisical operator. To specify where the Infisical token is stored and where the retrieved secrets should be written, use the tokenSecretReference and managedSecretReference fields within the InfisicalSecret resource.
```yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  # Name of this InfisicalSecret resource
  name: infisicalsecret-sample
spec:
  # The host that should be used to pull secrets from. The default value is https://app.infisical.com/api.
  hostAPI: https://app.infisical.com/api
  # The Kubernetes secret that stores the Infisical token
  tokenSecretReference:
    # Kubernetes secret name
    secretName: service-token
    # The secret namespace
    secretNamespace: default
  # The Kubernetes secret that the Infisical Operator will create and populate with secrets from the above project
  managedSecretReference:
    # The name of the managed Kubernetes secret that should be created
    secretName: managed-secret
    # The namespace the managed secret should be installed in
    secretNamespace: default
```
Verify managed secret creation
To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.
```bash
# Verify managed secret is created
kubectl get secrets -n <namespace of managed secret>
```
The Infisical secrets will be synced and stored into the managed secret every minute.
Using managed secret in your deployment
Incorporating the managed secret created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets here
Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.
Enabling auto redeploy
To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret
If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret.
It will continue attempting to reconnect to the API indefinitely.
The InfisicalSecret resource uses the status.conditions field to report its current state and any errors encountered.
```
$ kubectl get infisicalSecrets
NAME                     AGE
infisicalsecret-sample   12s

$ kubectl describe infisicalSecret infisicalsecret-sample
...
Spec:
  ...
Status:
  Conditions:
    Last Transition Time:  2022-12-18T04:29:09Z
    Message:               Infisical controller has located the Infisical token in provided Kubernetes secret
    Reason:                OK
    Status:                True
    Type:                  secrets.infisical.com/LoadedInfisicalToken
    Last Transition Time:  2022-12-18T04:29:10Z
    Message:               Failed to update secret because: 400 Bad Request
    Reason:                Error
    Status:                False
    Type:                  secrets.infisical.com/ReadyToSyncSecrets
Events:                    <none>
```
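Because the operator leaves the managed secret untouched when the API call fails, a sync failure shows up only in status.conditions while workloads keep reading stale values. The following is an added example, not part of the Infisical docs or operator: a small Python check that parses the JSON form of `kubectl get infisicalsecret -A -o json` and flags every InfisicalSecret whose conditions are not all True. The sample JSON is constructed from the status block above and assumes the standard Kubernetes condition field names (type, status, reason, message, lastTransitionTime).

```python
import json
from typing import Dict, List

# Constructed sample of `kubectl get infisicalsecret -A -o json` output, mirroring the
# status block shown above (field names assume standard metav1.Condition JSON).
SAMPLE_JSON = """{"items": [{
  "metadata": {"name": "infisicalsecret-sample", "namespace": "default"},
  "spec": {"managedSecretReference": {"secretName": "managed-secret", "secretNamespace": "default"}},
  "status": {"conditions": [
    {"type": "secrets.infisical.com/LoadedInfisicalToken", "status": "True", "reason": "OK",
     "message": "Infisical controller has located the Infisical token in provided Kubernetes secret",
     "lastTransitionTime": "2022-12-18T04:29:09Z"},
    {"type": "secrets.infisical.com/ReadyToSyncSecrets", "status": "False", "reason": "Error",
     "message": "Failed to update secret because: 400 Bad Request",
     "lastTransitionTime": "2022-12-18T04:29:10Z"}
  ]}
}]}"""

# Both conditions must be True for the managed secret to be receiving fresh values.
REQUIRED = ("secrets.infisical.com/LoadedInfisicalToken",
            "secrets.infisical.com/ReadyToSyncSecrets")

def unhealthy_syncs(kubectl_json: str) -> List[Dict[str, str]]:
    """Return one record per failing or missing condition across all InfisicalSecrets.
    A missing condition is reported too: the operator leaves the managed secret
    untouched on API errors, so "no error yet" is not proof the secret is current.
    """
    problems = []
    for item in json.loads(kubectl_json).get("items", []):
        ns = item["metadata"].get("namespace", "default")
        name = item["metadata"]["name"]
        managed = item.get("spec", {}).get("managedSecretReference", {})
        conds = {c["type"]: c for c in item.get("status", {}).get("conditions", [])}
        for ctype in REQUIRED:
            cond = conds.get(ctype)
            if cond is not None and cond.get("status") == "True":
                continue
            problems.append({
                "resource": f"{ns}/{name}",
                "managed_secret": f"{managed.get('secretNamespace', ns)}/{managed.get('secretName', '?')}",
                "condition": ctype.rsplit("/", 1)[-1],  # short name, e.g. ReadyToSyncSecrets
                "reason": cond.get("reason", "Unknown") if cond else "Missing",
                "message": cond.get("message", "") if cond else "condition not reported yet",
            })
    return problems

if __name__ == "__main__":
    for p in unhealthy_syncs(SAMPLE_JSON):
        print(f"{p['resource']}: {p['condition']}={p['reason']}: {p['message']} (managed secret {p['managed_secret']} may be stale)")
```

Run it against live output (`kubectl get infisicalsecret -A -o json | python3 check.py` after reading stdin instead of SAMPLE_JSON) from a cron job or monitoring hook to alert on resources whose managed secret has stopped receiving updates.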
The managed secret created by the operator will not be deleted when the operator is uninstalled.
Uninstall the Helm chart
```bash
helm uninstall <release name>
```