Kubernetes Agent Injector
How to use the Infisical Kubernetes Agent Injector to inject secrets directly into Kubernetes pods.
Overview
The Infisical Kubernetes Agent Injector allows you to inject secrets directly into your Kubernetes pods. The Injector creates an Infisical Agent container within your pod that syncs secrets from Infisical into a shared volume mount within your pod.
The Infisical Agent Injector patches and modifies your pod's deployment so that it contains an Infisical Agent container, which renders your Infisical secrets into a shared volume mount within your pod.
The Infisical Agent Injector is built on Kubernetes Mutating Admission Webhooks and watches for `CREATE` and `UPDATE` events on pods in your cluster.
The injector is namespace-agnostic and watches for pods in any namespace, but it only patches pods that have the `org.infisical.com/inject` annotation set to `true`.
Install the Infisical Agent Injector
To install the Infisical Agent Injector, install our Helm chart using Helm.
After installing the Helm chart, you can verify that the injector is running and working as intended by checking the logs of the injector pod.
Supported annotations
The Infisical Agent Injector supports the following annotations:
org.infisical.com/inject
The inject annotation enables the injector on a pod. Set the value to `true` and the pod will be patched with an Infisical Agent container on create or update.
org.infisical.com/inject-mode
The inject mode annotation specifies how the secrets are injected into the pod. Currently only `init` mode is supported.
`init`: The init mode creates an init container in the pod that renders the secrets into a shared volume mount within the pod. The agent init container runs before any other container in the pod, including other init containers.
org.infisical.com/agent-config-map
The agent config map annotation specifies the name of the ConfigMap that holds the configuration for the injector. The ConfigMap must be in the same namespace as the pod.
ConfigMap Configuration
Supported Fields
When you configure a pod to use the injector, you must create a ConfigMap in the same namespace as the pod you want to inject secrets into.
The entire config must be a single string assigned to the `config.yaml` key of the ConfigMap. You can find a full example of the config at the end of this section.
infisical.address
The address of your Infisical instance. This field is optional and defaults to `https://app.infisical.com` if not provided.
infisical.auth.type
The authentication type used to connect to Infisical. Currently only the `kubernetes` authentication type is supported.
You can refer to our Kubernetes Auth documentation for more information on how to create a machine identity for Kubernetes Auth.
Please note that the pod's default service account will be used to authenticate with Infisical.
infisical.auth.config.identity-id
The ID of the machine identity used to connect to Infisical. This field is required when `infisical.auth.type` is set to `kubernetes`.
templates[]
`templates` holds an array of templates that will be rendered and injected into the pod.
templates[].destination-path
The path within the pod to inject the rendered secrets into.
If not specified, this defaults to `/shared/infisical-secrets`. If you have multiple templates and don't provide a destination path, the destination paths default to `/shared/infisical-secrets-1`, `/shared/infisical-secrets-2`, etc.
templates[].template-content
The content of the template to render. It is rendered as a Go Template, follows the same templating format and supports the same functions and variables as the Infisical Agent.
Authentication
The Infisical Agent Injector only supports Machine Identity Kubernetes Auth authentication at the moment.
To configure Kubernetes Auth, set the `auth.type` field to `kubernetes` and set `auth.config.identity-id` to the ID of the machine identity you wish to use for authentication.
Example ConfigMap
To use the ConfigMap in your pod, add the `org.infisical.com/agent-config-map` annotation to your pod's deployment. The value of the annotation is the name of the ConfigMap you created above.
Quick Start
In this section we’ll walk through a full example of how to inject secrets into a pod using the Infisical Agent Injector.
In this example we'll create a basic nginx deployment and print an Infisical secret called `API_KEY` to the container logs.
Create secrets in Infisical
First you’ll need to create the secret in Infisical.
`API_KEY`: The API key to use for the nginx deployment.
Once you’ve created the secret, save your project ID, environment slug, and secret path, as these will be used in the next step.
Configuration
To use the injector you must create a ConfigMap in the same namespace as the pod you want to inject secrets into. In this example we'll create a ConfigMap in the `test-namespace` namespace.
The agent injector will authenticate with Infisical using a Kubernetes Auth machine identity. Please follow the instructions to create a machine identity configured for Kubernetes Auth. The agent injector will use the service account token of the pod to authenticate with Infisical.
The `template-content` is rendered as a Go Template; it follows the same templating format and supports the same functions and variables as the Infisical Agent.
The `destination-path` is the path within the pod that the secrets are injected into. In this case we're injecting the secrets into a file called `/infisical/secrets`.
Replace `<your-project-id>` and `<your-environment-slug>` with your project ID and the environment slug where you created your secrets in Infisical. Replace `<your-infisical-machine-identity-id>` with the ID of your machine identity configured for Kubernetes Auth.
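The ConfigMap below is an added example covering both the Example ConfigMap section above and this Quick Start step; it is not the page's own manifest. The ConfigMap name, the root secret path `/` and the template body are assumptions, the template being written in the Infisical Agent's `secret` function syntax, which the page says the injector shares.

```yaml
# Added example (not the page's own manifest). The nested keys follow the
# dotted field names documented above; the ConfigMap name and the template
# body are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: infisical-agent-config      # referenced by org.infisical.com/agent-config-map
  namespace: test-namespace         # must match the namespace of the pod
data:
  # The whole injector config is one string stored under the config.yaml key.
  config.yaml: |
    infisical:
      address: "https://app.infisical.com"   # optional, this is the default
      auth:
        type: "kubernetes"                    # only supported auth type
        config:
          identity-id: "<your-infisical-machine-identity-id>"
    templates:
      - destination-path: "/infisical/secrets"
        # Rendered as a Go template with the Infisical Agent's functions.
        # `secret` takes the project ID, environment slug and secret path
        # (root path "/" assumed here) and yields the secrets in that folder,
        # which are written out as KEY=VALUE lines (API_KEY=... in this guide).
        template-content: |
          {{- with secret "<your-project-id>" "<your-environment-slug>" "/" }}
          {{- range . }}
          {{ .Key }}={{ .Value }}
          {{- end }}
          {{- end }}
```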
Now apply the config map:
Injecting secrets into your pod
To inject secrets into your pod, add the `org.infisical.com/inject: "true"` annotation to your pod's deployment.
The `org.infisical.com/agent-config-map` annotation points to the ConfigMap we created in the previous step. It's important that the ConfigMap is in the same namespace as the pod.
We are creating an nginx deployment with a PVC to store the database data.
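A deployment carrying the injector annotations, as an added example rather than the page's own manifest. The deployment and container names, the image tag and the startup command are assumptions; the PVC mentioned above is left out, and no volume is declared because the injector patches in the shared volume and its mount.

```yaml
# Added example (not the page's own manifest). Names, image tag and the
# startup command are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-demo
  namespace: test-namespace         # same namespace as the ConfigMap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-demo
  template:
    metadata:
      labels:
        app: nginx-demo
      # The annotations belong on the pod template, not on the Deployment
      # object: the mutating webhook only sees pod CREATE/UPDATE events.
      annotations:
        org.infisical.com/inject: "true"                 # enable injection
        org.infisical.com/inject-mode: "init"            # only supported mode
        org.infisical.com/agent-config-map: "infisical-agent-config"
    spec:
      containers:
        - name: nginx
          image: nginx:1.27
          command: ["/bin/sh", "-c"]
          # Demo only: prints the rendered file (API_KEY=...) to the container
          # log before starting nginx, which is what the verification step
          # looks for. A real workload would read the file, not log it.
          args:
            - cat /infisical/secrets && exec nginx -g 'daemon off;'
```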
Applying the deployment
To apply the deployment, you can use the following command:
It may take a few minutes for the pod to be ready and for the Infisical secrets to be injected. You can check the status of the pod by running:
Verifying the secrets are injected
To verify the secrets are injected, you can check the pod’s logs:
Additionally, you can now check that the `API_KEY` secret is being logged to the nginx container logs:
Troubleshooting
The pod is stuck in `Init` state
If the pod is stuck in the `Init` state, the Agent init container is failing to start or is stuck in a restart loop.
This could be due to a number of reasons, such as the machine identity not having the correct permissions, or trying to fetch secrets from a non-existent project/environment.
You can check the logs of the infisical init container by running:
You can also check the logs of the pod by running:
When checking the logs of the agent init container, you may see something like the following:
In the above error, the project ID was invalid in the config map.