Learn how to use the InfisicalPushSecret CRD to push and manage secrets in Infisical.
hostAPI
hostAPI
to
https://your-self-hosted-instace.com/api
When hostAPI
is not defined the operator fetches secrets from Infisical Cloud.Advanced use case
<backend-svc-name>
and <namespace>
with the appropriate values for your backend service and namespace.resyncInterval
resyncInterval
is a string-formatted duration that defines the time between each resync. The field is optional, and will default to no automatic resync if not defined.If you don’t want to automatically reconcile the InfisicalPushSecret CRD on an interval, you can remove the resyncInterval
field entirely from your InfisicalPushSecret CRD.The format of the field is [duration][unit]
where duration
is a number and unit
is a string representing the unit of time.The following units are supported:s
for seconds (must be at least 5 seconds)m
for minutesh
for hoursd
for daysw
for weeks1m
(1 minute).Valid intervals examples:updatePolicy
None
if not defined.The update policy defines how the operator should handle conflicting secrets when pushing secrets to Infisical.Valid values are None
and Replace
.Behavior of each policy:None
: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.Replace
: The operator will replace existing secrets in Infisical with the new secrets. If a secret with the same key already exists, the operator will update the secret with the new value.deletionPolicy
None
if not defined.The deletion policy defines what the operator should do in case the InfisicalPushSecret CRD is deleted.Valid values are None
and Delete
.Behavior of each policy:None
: The operator will not delete the secrets in Infisical when the InfisicalPushSecret CRD is deleted.Delete
: The operator will delete the secrets in Infisical that are managed by the operator when the InfisicalPushSecret CRD is deleted.destination
destination
field is used to specify where you want to create the secrets in Infisical. The required fields are projectId
, environmentSlug
, and secretsPath
.destination.projectId
destination.environmentSlug
destination.secretsPath
/
.push
push
field is used to define what you want to push to Infisical. Currently the operator only supports pushing Kubernetes secrets to Infisical. An example of the push
field is shown below.secret
secret
field is used to define the Kubernetes secret you want to push to Infisical. The required fields are secretName
and secretNamespace
.Example usage of the push.secret
field:generators[]
generators[]
field is used to define the generators you want to use for your InfisicalPushSecret CRD.
You can follow the guide for using generators to push secrets for more information.Example:authentication
authentication
field dictates which authentication method to use when pushing secrets to Infisical.
The available authentication methods are universalAuth
, kubernetesAuth
, awsIamAuth
, azureAuth
, gcpIdTokenAuth
, and gcpIamAuth
.universalAuth
identityId
: The identity ID of the machine identity you created.credentialsRef
: The name and namespace of the Kubernetes secret that stores the service token.credentialsRef.secretName
: The name of the Kubernetes secret.credentialsRef.secretNamespace
: The namespace of the Kubernetes secret.kubernetesAuth
identityId
: The identity ID of the machine identity you created.serviceAccountRef
: The name and namespace of the service account that will be used to authenticate with Infisical.serviceAccountRef.name
: The name of the service account.serviceAccountRef.namespace
: The namespace of the service account.autoCreateServiceAccountToken
: If set to true
, the operator will automatically create a short-lived service account token on-demand for the service account. Defaults to false
.serviceAccountTokenAudiences
: Optionally specify audience for the service account token. This field is only relevant if you have set autoCreateServiceAccountToken
to true
. No audience is specified by default.awsIamAuth
identityId
: The identity ID of the machine identity you created.azureAuth
identityId
: The identity ID of the machine identity you created.gcpIamAuth
identityId
: The identity ID of the machine identity you created.serviceAccountKeyFilePath
: The path to the GCP service account key file.gcpIdTokenAuth
identityId
: The identity ID of the machine identity you created.tls
caRef
secretName
: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.secretNamespace
: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.key
: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.push.secret.template
push.secret.template.includeAllSecrets
true
, all secrets included in the push.secret.secretName
Kubernetes secret will be pushed to Infisical.
Use this option when you would like to push all secrets to Infisical from the secrets operator, but want to template a subset of them.When set to false
, only secrets defined in the push.secret.template.data
field of the template will be pushed to Infisical.
Use this option when you would like to push only a subset of secrets from the Kubernetes secret to Infisical.push.secret.template.data
push.secret.secretName
Kubernetes secret.Secrets are structured as follows:ClusterGenerator
) within the cluster, which specifies the logic for generating secret values. Generators are stateless, each invocation triggers the creation of a new set of values, with no tracking or persistence of previously generated data.
Because of this behavior, you may want to disable automatic syncing for the InfisicalPushSecret
resource to avoid continuous regeneration of secrets. This can be done by omitting the resyncInterval
field from the InfisicalPushSecret CRD.
push.generators[]
field.
push.generators[]
push.generators[].destinationSecretName
push.generators[].generatorRef
kind
: The kind of the generator resource, must match the generator kind.name
: The name of the generator resource.push.generators[].generatorRef.kind
Password
UUID
push.generators[].generatorRef.name
ClusterGenerator
custom resource that can be used to customize the generated secret.
Password Generator
kind
: The kind of the generator resource, must match the generator kind. For the Password generator, the kind is Password
.generator.passwordSpec
: The spec of the password generator.generator.kind
generator.kind
field must match the kind of the generator resource. For the Password generator, the kind should always be set to Password
.generator.passwordSpec
length
: The length of the password.digits
: The number of digits in the password.symbols
: The number of symbols in the password.symbolCharacters
: The characters to use for the symbols in the password.noUpper
: Whether to include uppercase letters in the password.allowRepeat
: Whether to allow repeating characters in the password.UUID Generator
kind
: The kind of the generator resource, must match the generator kind. For the UUID generator, the kind is UUID
.generator.uuidSpec
: The spec of the UUID generator. For UUID’s, this can be left empty.generator.kind
generator.kind
field must match the kind of the generator resource. For the UUID generator, the kind should always be set to UUID
.generator.uuidSpec
InfisicalPushSecret
CRD with the required fields, you can apply it to your cluster.
After applying, you should notice that the secrets have been pushed to Infisical.