Using the InfisicalPushSecret CRD
Learn how to use the InfisicalPushSecret CRD to push and manage secrets in Infisical.
Overview
The InfisicalPushSecret CRD allows you to create secrets in your Kubernetes cluster and push them to Infisical.
This CRD offers the following features:
- Push Secrets from a Kubernetes secret into Infisical.
- Manage secret lifecycle of pushed secrets in Infisical. When the Kubernetes secret is updated, the operator will automatically update the secrets in Infisical. Optionally, when the Kubernetes secret is deleted, the operator will delete the secrets in Infisical automatically.
Prerequisites
- A project within Infisical.
- A machine identity ready for use in Infisical that has permissions to create secrets in your project.
- The operator is installed on to your Kubernetes cluster.
Example usage
Below is a sample InfisicalPushSecret CRD that pushes secrets defined in a Kubernetes secret to Infisical.
After filling out the fields in the InfisicalPushSecret CRD, you can apply it directly to your cluster.
Before applying the InfisicalPushSecret CRD, you need to create a Kubernetes secret containing the secrets you want to push to Infisical. An example can be seen below the InfisicalPushSecret CRD.
After applying the soruce-secret.yaml file, you are ready to apply the InfisicalPushSecret CRD.
After applying the InfisicalPushSecret CRD, you should notice that the secrets you have defined in your source-secret.yaml file have been pushed to your specified destination in Infisical.
InfisicalPushSecret CRD properties
hostAPI
hostAPI
If you are fetching secrets from a self-hosted instance of Infisical set the value of hostAPI
to
https://your-self-hosted-instace.com/api
When hostAPI
is not defined the operator fetches secrets from Infisical Cloud.
Advanced use case
Advanced use case
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet. To achieve this, use the following address for the hostAPI field:
Make sure to replace <backend-svc-name>
and <namespace>
with the appropriate values for your backend service and namespace.
resyncInterval
resyncInterval
The resyncInterval
is a string-formatted duration that defines the time between each resync. The field is optional, and will default to no automatic resync if not defined.
If you don’t want to automatically reconcile the InfisicalPushSecret CRD on an interval, you can remove the resyncInterval
field entirely from your InfisicalPushSecret CRD.
The format of the field is [duration][unit]
where duration
is a number and unit
is a string representing the unit of time.
The following units are supported:
s
for seconds (must be at least 5 seconds)m
for minutesh
for hoursd
for daysw
for weeks
The default value is 1m
(1 minute).
Valid intervals examples:
updatePolicy
updatePolicy
The field is optional and will default to None
if not defined.
The update policy defines how the operator should handle conflicting secrets when pushing secrets to Infisical.
Valid values are None
and Replace
.
Behavior of each policy:
None
: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.Replace
: The operator will replace existing secrets in Infisical with the new secrets. If a secret with the same key already exists, the operator will update the secret with the new value.
deletionPolicy
deletionPolicy
This field is optional and will default to None
if not defined.
The deletion policy defines what the operator should do in case the InfisicalPushSecret CRD is deleted.
Valid values are None
and Delete
.
Behavior of each policy:
None
: The operator will not delete the secrets in Infisical when the InfisicalPushSecret CRD is deleted.Delete
: The operator will delete the secrets in Infisical that are managed by the operator when the InfisicalPushSecret CRD is deleted.
destination
destination
The destination
field is used to specify where you want to create the secrets in Infisical. The required fields are projectId
, environmentSlug
, and secretsPath
.
destination.projectId
destination.projectId
The project ID where you want to create the secrets in Infisical.
destination.environmentSlug
destination.environmentSlug
The environment slug where you want to create the secrets in Infisical.
destination.secretsPath
destination.secretsPath
The path where you want to create the secrets in Infisical. The root path is /
.
push
push
The push
field is used to define what you want to push to Infisical. Currently the operator only supports pushing Kubernetes secrets to Infisical. An example of the push
field is shown below.
secret
secret
The secret
field is used to define the Kubernetes secret you want to push to Infisical. The required fields are secretName
and secretNamespace
.
Example usage of the push.secret
field:
generators[]
generators[]
The generators[]
field is used to define the generators you want to use for your InfisicalPushSecret CRD.
You can follow the guide for using generators to push secrets for more information.
Example:
authentication
authentication
The authentication
field dictates which authentication method to use when pushing secrets to Infisical.
The available authentication methods are universalAuth
, kubernetesAuth
, awsIamAuth
, azureAuth
, gcpIdTokenAuth
, and gcpIamAuth
.
universalAuth
universalAuth
The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider. Read more about Universal Auth.
Valid fields:
identityId
: The identity ID of the machine identity you created.credentialsRef
: The name and namespace of the Kubernetes secret that stores the service token.credentialsRef.secretName
: The name of the Kubernetes secret.credentialsRef.secretNamespace
: The namespace of the Kubernetes secret.
Example:
kubernetesAuth
kubernetesAuth
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used within a Kubernetes environment. Read more about Kubernetes Auth. Valid fields:
identityId
: The identity ID of the machine identity you created.serviceAccountRef
: The name and namespace of the service account that will be used to authenticate with Infisical.serviceAccountRef.name
: The name of the service account.serviceAccountRef.namespace
: The namespace of the service account.autoCreateServiceAccountToken
: If set totrue
, the operator will automatically create a short-lived service account token on-demand for the service account. Defaults tofalse
.serviceAccountTokenAudiences
: Optionally specify audience for the service account token. This field is only relevant if you have setautoCreateServiceAccountToken
totrue
. No audience is specified by default.
Example:
awsIamAuth
awsIamAuth
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Read more about AWS IAM Auth.
Valid fields:
identityId
: The identity ID of the machine identity you created.
Example:
azureAuth
azureAuth
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment. Read more about Azure Auth.
Valid fields:
identityId
: The identity ID of the machine identity you created.
Example:
gcpIamAuth
gcpIamAuth
The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used both within and outside GCP environments. Read more about Azure Auth.
Valid fields:
identityId
: The identity ID of the machine identity you created.serviceAccountKeyFilePath
: The path to the GCP service account key file.
Example:
gcpIdTokenAuth
gcpIdTokenAuth
The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used within GCP environments. Read more about Azure Auth.
Valid fields:
identityId
: The identity ID of the machine identity you created.
Example:
tls
tls
This block defines the TLS settings to use for connecting to the Infisical instance.
Fields:
caRef
caRef
This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Valid fields:
secretName
: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.secretNamespace
: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.key
: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Example:
Using templating to push secrets
Pushing secrets to Infisical from the operator may not always be enough. Templating is a useful utility of the Infisical secrets operator that allows you to use Go Templating to template the secrets you want to push to Infisical. Using Go templates, you can format, combine, and create new key-value pairs of secrets that you want to push to Infisical.
push.secret.template
push.secret.template
push.secret.template.includeAllSecrets
push.secret.template.includeAllSecrets
This property controls what secrets are included in your push to Infisica.
When set to true
, all secrets included in the push.secret.secretName
Kubernetes secret will be pushed to Infisical.
Use this option when you would like to push all secrets to Infisical from the secrets operator, but want to template a subset of them.
When set to false
, only secrets defined in the push.secret.template.data
field of the template will be pushed to Infisical.
Use this option when you would like to push only a subset of secrets from the Kubernetes secret to Infisical.
push.secret.template.data
push.secret.template.data
Define secret keys and their corresponding templates.
Each data value uses a Golang template with access to all secrets defined in the push.secret.secretName
Kubernetes secret.
Secrets are structured as follows:
Example template configuration:
To help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.
Available templating functions
Please refer to the templating functions documentation for more information.
Using generators to push secrets
Generators allow secrets to be dynamically generated during each reconciliation cycle and then pushed to Infisical. They are useful for use cases where a new secret value is needed on every sync, such as ephemeral credentials or one-time-use tokens.
A generator is defined as a custom resource (ClusterGenerator
) within the cluster, which specifies the logic for generating secret values. Generators are stateless, each invocation triggers the creation of a new set of values, with no tracking or persistence of previously generated data.
Because of this behavior, you may want to disable automatic syncing for the InfisicalPushSecret
resource to avoid continuous regeneration of secrets. This can be done by omitting the resyncInterval
field from the InfisicalPushSecret CRD.
Example usage
To use a generator, you must specify at least one generator in the push.generators[]
field.
push.generators[]
push.generators[]
This field holds an array of the generators you want to use for your InfisicalPushSecret CRD.
push.generators[].destinationSecretName
push.generators[].destinationSecretName
The name of the secret that will be created in Infisical.
push.generators[].generatorRef
push.generators[].generatorRef
The reference to the generator resource.
Valid fields:
kind
: The kind of the generator resource, must match the generator kind.name
: The name of the generator resource.
push.generators[].generatorRef.kind
push.generators[].generatorRef.kind
The kind of the generator resource, must match the generator kind.
Valid values:
Password
UUID
push.generators[].generatorRef.name
push.generators[].generatorRef.name
The name of the generator resource.
Supported Generators
Below are the currently supported generators for the InfisicalPushSecret CRD. Each generator is a ClusterGenerator
custom resource that can be used to customize the generated secret.
Password Generator
Password Generator
Password Generator
The Password generator is a custom resource that is installed on the cluster that defines the logic for generating a password.
kind
: The kind of the generator resource, must match the generator kind. For the Password generator, the kind isPassword
.generator.passwordSpec
: The spec of the password generator.
generator.kind
generator.kind
The generator.kind
field must match the kind of the generator resource. For the Password generator, the kind should always be set to Password
.
generator.passwordSpec
generator.passwordSpec
length
: The length of the password.digits
: The number of digits in the password.symbols
: The number of symbols in the password.symbolCharacters
: The characters to use for the symbols in the password.noUpper
: Whether to include uppercase letters in the password.allowRepeat
: Whether to allow repeating characters in the password.
Example InfisicalPushSecret CRD using the Password generator:
UUID Generator
UUID Generator
UUID Generator
The UUID generator is a custom resource that is installed on the cluster that defines the logic for generating a UUID.
kind
: The kind of the generator resource, must match the generator kind. For the UUID generator, the kind isUUID
.generator.uuidSpec
: The spec of the UUID generator. For UUID’s, this can be left empty.
generator.kind
generator.kind
The generator.kind
field must match the kind of the generator resource. For the UUID generator, the kind should always be set to UUID
.
generator.uuidSpec
generator.uuidSpec
The spec of the UUID generator. For UUID’s, this can be left empty.
Example InfisicalPushSecret CRD using the UUID generator:
Applying the InfisicalPushSecret CRD to your cluster
Once you have configured the InfisicalPushSecret
CRD with the required fields, you can apply it to your cluster.
After applying, you should notice that the secrets have been pushed to Infisical.