Kubernetes - Infisical

The Infisical Secrets Operator is a custom Kubernetes controller that helps keep secrets in a cluster up to date by synchronizing them. It is installed in its own namespace within the cluster and follows strict RBAC policies. The operator uses InfisicalSecret custom resources to identify which secrets to sync and where to store them. It is responsible for continuously updating managed secrets, and in the future may also automatically reload deployments that use them as needed.

Install Operator

The operator can be install via Helm or kubectl

Helm
Kubectl

Install Infisical Helm repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
  
helm repo update

Install the Helm chart

helm install --generate-name infisical-helm-charts/secrets-operator

Sync Infisical Secrets to your cluster

To retrieve secrets from an Infisical project and store them in your Kubernetes cluster, you can use the InfisicalSecret custom resource. This resource is available after installing the Infisical operator. In order to specify the Infisical Token location and the location where the retrieved secrets should be stored, you can use the tokenSecretReference and managedSecretReference fields within the InfisicalSecret resource.


apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  # Name of of this InfisicalSecret resource
  name: infisicalsecret-sample
spec:
  # The host that should be used to pull secrets from. The default value is https://app.infisical.com/api.
  hostAPI: https://app.infisical.com/api

  # The Kubernetes secret the stores the Infisical token
  tokenSecretReference:
    # Kubernetes secret name
    secretName: service-token
    # The secret namespace
    secretNamespace: default

  # The Kubernetes secret that Infisical Operator will create and populate with secrets from the above project
  managedSecretReference:
    # The name of managed Kubernetes secret that should be created
    secretName: managed-secret
    # The namespace the managed secret should be installed in
    secretNamespace: default

The tokenSecretReference field in the InfisicalSecret resource is used to specify the location of the Infisical Token, which is required for authenticating and retrieving secrets from an Infisical project.

To create a Kubernetes secret containing an Infisical Token, you can run the command below.

kubectl create secret generic service-token --from-literal=infisicalToken=<infisical-token-here>

Once the secret is created, add the name and namespace of the secret under tokenSecretReference field in the InfisicalSecret custom resource.

No matter what the name of the secret is or its namespace, it must contain a key named infisicalToken with a valid Infisical Token as the value

Verify managed secret creation

To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.

# Verify managed secret is created
kubectl get secrets -n <namespace of managed secret>

The Infisical secrets will be synced and stored into the managed secret every 1 minutes.

Using managed secret in your deployment

Incorporating the managed secret created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets here

This will take all the secrets from your managed secret and expose them to your container

  envFrom:
    - secretRef:
        name: managed-secret # managed secret name

Example usage in a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
  app: nginx
spec:
replicas: 1
selector:
  matchLabels:
    app: nginx
template:
  metadata:
    labels:
      app: nginx
  spec:
    containers:
    - name: nginx
      image: nginx:1.14.2
      envFrom:
      - secretRef:
          name: managed-secret # <- name of managed secret
      ports:
      - containerPort: 80

This will allow you to select individual secrets by key name from your managed secret and expose them to your container

env:
  - name: SECRET_NAME # The environment variable's name which is made available in the container
    valueFrom:
      secretKeyRef:
        name: managed-secret # managed secret name
        key: SOME_SECRET_KEY # The name of the key which  exists in the managed secret

Example usage in a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
  app: nginx
spec:
replicas: 1
selector:
  matchLabels:
    app: nginx
template:
  metadata:
    labels:
      app: nginx
  spec:
    containers:
    - name: nginx
      image: nginx:1.14.2
      env:
        - name: STRIPE_API_SECRET 
          valueFrom:
            secretKeyRef:
              name: managed-secret # <- name of managed secret
              key: STRIPE_API_SECRET
      ports:
      - containerPort: 80

This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret

volumes:
  - name: secrets-volume-name # The name of the volume under which secrets will be stored
    secret:
      secretName: managed-secret # managed secret name

You can then mount this volume to the container’s filesystem so that your deployment can access the files containing the managed secrets

volumeMounts:
  - name: secrets-volume-name
    mountPath: /etc/secrets
    readOnly: true

Example usage in a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        volumeMounts:
        - name: secrets-volume-name
          mountPath: /etc/secrets
          readOnly: true
        ports:
        - containerPort: 80
      volumes:
      - name: secrets-volume-name
        secret:
          secretName: managed-secret # <- managed secrets

Auto redeployment

Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.

Enabling auto redeploy

To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret

secrets.infisical.com/auto-reload: "true"

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
  annotations: 
    secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        envFrom:
        - secretRef:
            name: managed-secret
        ports:
        - containerPort: 80

Troubleshoot

If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret. It will continue attempting to reconnect to the API indefinitely. The InfisicalSecret resource uses the status.conditions field to report its current state and any errors encountered.

$ kubectl get infisicalSecrets
NAME                     AGE
infisicalsecret-sample   12s

$ kubectl describe infisicalSecret infisicalsecret-sample
...
Spec:
...
Status:
  Conditions:
    Last Transition Time:  2022-12-18T04:29:09Z
    Message:               Infisical controller has located the Infisical token in provided Kubernetes secret
    Reason:                OK
    Status:                True
    Type:                  secrets.infisical.com/LoadedInfisicalToken
    Last Transition Time:  2022-12-18T04:29:10Z
    Message:               Failed to update secret because: 400 Bad Request
    Reason:                Error
    Status:                False
    Type:                  secrets.infisical.com/ReadyToSyncSecrets
Events:                    <none>

Uninstall Operator

The managed secret created by the operator will not be deleted when the operator is uninstalled.

Helm
Kubectl

Install Infisical Helm repository

helm uninstall add <release name>

​Install Operator

Helm

Kubectl

​Sync Infisical Secrets to your cluster

​Verify managed secret creation

​Using managed secret in your deployment

​Auto redeployment

​Enabling auto redeploy

​Troubleshoot

​Uninstall Operator

Helm

Kubectl

Install Operator

Sync Infisical Secrets to your cluster

Verify managed secret creation

Using managed secret in your deployment

Auto redeployment

Enabling auto redeploy

Troubleshoot

Uninstall Operator