Overview

The InfisicalPushSecret CRD allows you to create secrets in your Kubernetes cluster and push them to Infisical.

This CRD offers the following features:

  • Push Secrets from a Kubernetes secret into Infisical.
  • Manage secret lifecycle of pushed secrets in Infisical. When the Kubernetes secret is updated, the operator will automatically update the secrets in Infisical. Optionally, when the Kubernetes secret is deleted, the operator will delete the secrets in Infisical automatically.

Prerequisites

  • A project within Infisical.
  • A machine identity in Infisical with permission to create (and, if you use updatePolicy: Replace or deletionPolicy: Delete, update and delete) secrets in that project.
  • The operator installed in your Kubernetes cluster.

Example usage

Below is a sample InfisicalPushSecret CRD that pushes secrets defined in a Kubernetes secret to Infisical.

After filling out the fields in the InfisicalPushSecret CRD, you can apply it directly to your cluster.

Before applying the InfisicalPushSecret CRD, you need to create a Kubernetes secret containing the secrets you want to push to Infisical. An example can be seen below the InfisicalPushSecret CRD.

infisical-push-secret.yaml
  apiVersion: secrets.infisical.com/v1alpha1
  kind: InfisicalPushSecret
  metadata:
    name: infisical-push-secret-demo
  spec:
    resyncInterval: 1m # Remove this field to disable automatic reconciliation of the InfisicalPushSecret CRD.
    hostAPI: https://app.infisical.com/api

    # Optional, defaults to no replacement.
    updatePolicy: Replace # If set to Replace, secrets that already exist in Infisical at the destination path will be overwritten with the values from the source secret on every sync.

    # Optional, defaults to no deletion.
    deletionPolicy: Delete # If set to Delete, the secrets in Infisical that are managed by this operator will be deleted when the InfisicalPushSecret CRD is deleted.

    destination:
      projectId: <project-id>
      environmentSlug: <env-slug>
      secretsPath: <secret-path>

    push:
      secret:
        secretName: push-secret-demo # Name of the Kubernetes Secret whose keys and values are pushed
        secretNamespace: default

    # Only have one authentication method defined or you are likely to run into authentication issues.
    # Remove all except one authentication method.
    authentication:
      awsIamAuth:
        identityId: <machine-identity-id>
      azureAuth:
        identityId: <machine-identity-id>
      gcpIamAuth:
        identityId: <machine-identity-id>
        serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
      gcpIdTokenAuth:
        identityId: <machine-identity-id>
      kubernetesAuth:
        identityId: <machine-identity-id>
        serviceAccountRef:
          name: <secret-name>
          namespace: <secret-namespace>
      universalAuth:
        credentialsRef:
          secretName: <secret-name> # universal-auth-credentials
          secretNamespace: <secret-namespace> # default

source-secret.yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: push-secret-demo
    namespace: default
  stringData: # can also be "data", but then each value must be base64 encoded
    API_KEY: some-api-key
    DATABASE_URL: postgres://127.0.0.1:5432
    ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab

  kubectl apply -f source-secret.yaml

After applying the source-secret.yaml file, you are ready to apply the InfisicalPushSecret CRD.

  kubectl apply -f infisical-push-secret.yaml

After applying the InfisicalPushSecret CRD, you should notice that the secrets you have defined in your source-secret.yaml file have been pushed to your specified destination in Infisical.
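The sample above lists every authentication method at once and tells you to keep only one. Below is an added example (mine, not from the page or the Infisical project) of what a trimmed manifest looks like with only Universal Auth, together with the Kubernetes Secret that universalAuth.credentialsRef points to. The clientId and clientSecret key names are what I have seen the operator expect for Universal Auth credentials; confirm them against your operator version. All angle-bracket values are placeholders.

```yaml
# universal-auth-credentials.yaml
# Machine identity credentials for Universal Auth. Keep this Secret in the same
# namespace as the InfisicalPushSecret and restrict who can read it with RBAC:
# anyone who can read it can push to the destination path, and with
# updatePolicy: Replace / deletionPolicy: Delete can overwrite or remove what
# is already there.
apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials
  namespace: default
type: Opaque
stringData:
  clientId: <machine-identity-client-id>         # placeholder
  clientSecret: <machine-identity-client-secret> # placeholder
---
# infisical-push-secret.yaml (single authentication method)
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalPushSecret
metadata:
  name: infisical-push-secret-demo
spec:
  resyncInterval: 1m
  hostAPI: https://app.infisical.com/api

  # Deliberately no updatePolicy and no deletionPolicy for a first rollout:
  # secrets that already exist in Infisical are left alone, and deleting this
  # CRD leaves the pushed secrets in place. Add "updatePolicy: Replace" and
  # "deletionPolicy: Delete" only once this CRD is the sole owner of the
  # destination path.

  destination:
    projectId: <project-id>
    environmentSlug: <env-slug>
    secretsPath: <secret-path>

  push:
    secret:
      secretName: push-secret-demo # the Secret from source-secret.yaml
      secretNamespace: default

  # Exactly one method under authentication, as the sample above requires.
  authentication:
    universalAuth:
      credentialsRef:
        secretName: universal-auth-credentials
        secretNamespace: default
```

Apply the credentials Secret first, then the InfisicalPushSecret; if the operator logs an authentication error, the most common causes are a second method left under authentication or the credentials Secret living in a different namespace than credentialsRef says.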

InfisicalPushSecret CRD properties

Using templating to push secrets

Pushing the source secret's keys to Infisical verbatim is not always enough. Templating lets you use Go templates to transform the secrets before they are pushed: you can format values, combine several source keys into one, and create new key-value pairs that do not exist in the source Kubernetes secret.
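The following is an added example of templating (mine, not code from the page or the project), built on the source-secret.yaml keys above. It assumes a push.secret.template block with an includeAllSecrets flag and a data map, and the {{ .KEY.Value }} accessor for reading a source key; check those names against the CRD schema installed in your cluster, for example with kubectl explain infisicalpushsecret.spec.push.secret.template.

```yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalPushSecret
metadata:
  name: infisical-push-secret-templated
spec:
  resyncInterval: 1m
  hostAPI: https://app.infisical.com/api

  destination:
    projectId: <project-id>
    environmentSlug: <env-slug>
    secretsPath: <secret-path>

  push:
    secret:
      secretName: push-secret-demo # the Secret from source-secret.yaml
      secretNamespace: default
      template:
        # Assumed field. false pushes only the keys listed under data, which is
        # the safer choice when the source Secret holds more than you intend to
        # export: ENCRYPTION_KEY below never leaves the cluster.
        includeAllSecrets: false
        data:
          # Assumed accessor: {{ .<KEY>.Value }} reads one key of the source
          # Secret. Rename a key on the way out:
          SERVICE_API_KEY: "{{ .API_KEY.Value }}"
          # Combine a source value with literal text into a new key:
          DATABASE_DSN: "{{ .DATABASE_URL.Value }}/app?sslmode=require"
          # Create a key that does not exist in the source Secret at all:
          DB_POOL_SIZE: "10"

  authentication:
    universalAuth:
      credentialsRef:
        secretName: universal-auth-credentials
        secretNamespace: default
```

With includeAllSecrets set to true instead, every source key would be pushed as-is in addition to the templated ones; prefer the explicit allow-list above so a key added to the source Secret later does not silently end up in Infisical.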

Using generators to push secrets

Generators produce secret values dynamically during each reconciliation cycle, and the operator pushes the result to Infisical. They suit use cases where a fresh value is wanted on every sync, such as ephemeral credentials or one-time-use tokens.

A generator is defined as a ClusterGenerator custom resource in the cluster, which specifies how the values are produced. Generators are stateless: each invocation creates a new set of values, and nothing tracks or persists previously generated data.

Because of this, you will usually want to disable automatic syncing for an InfisicalPushSecret that uses generators, otherwise every reconciliation regenerates the value and, with updatePolicy: Replace, overwrites the one already in Infisical. To disable it, omit the resyncInterval field from the InfisicalPushSecret CRD.

Example usage

  push:
    secret:
      secretName: push-secret-source-secret
      secretNamespace: dev
    generators:
      - destinationSecretName: password-generator # Name of the secret that will be created in Infisical
        generatorRef:
          kind: Password # Kind of the resource, must match the generator kind.
          name: custom-generator # Name of the generator resource

To use a generator, you must specify at least one generator in the push.generators[] field.
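A complete pairing of a ClusterGenerator and the InfisicalPushSecret that consumes it, added here as an example (not from the page or the project). The passwordSpec field names (length, digits, symbols, symbolCharacters, noUpper, allowRepeat) are assumed from the shape of the Password generator and should be confirmed with kubectl explain clustergenerator.spec before use. resyncInterval is left out on purpose, following the note above, so the password is generated when the resource is reconciled rather than on a timer.

```yaml
# cluster-generator.yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: ClusterGenerator
metadata:
  name: custom-generator # cluster-scoped resource, so no namespace
spec:
  kind: Password # must match generatorRef.kind in the InfisicalPushSecret
  generator:
    passwordSpec: # assumed field names, see lead-in
      length: 32
      digits: 6
      symbols: 4
      symbolCharacters: "-_@#"
      noUpper: false
      allowRepeat: true
---
# infisical-push-secret-generated.yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalPushSecret
metadata:
  name: infisical-push-secret-generated
spec:
  # No resyncInterval: a stateless generator would otherwise mint a new password
  # on every reconcile and, with updatePolicy: Replace, overwrite the value that
  # running workloads already use. Rotate deliberately instead, for example by
  # removing and re-creating this resource.
  hostAPI: https://app.infisical.com/api
  updatePolicy: Replace # needed so a rotation actually replaces the old value

  destination:
    projectId: <project-id>
    environmentSlug: <env-slug>
    secretsPath: <secret-path>

  push:
    secret:
      secretName: push-secret-source-secret
      secretNamespace: dev
    generators:
      - destinationSecretName: DB_PASSWORD # key created in Infisical
        generatorRef:
          kind: Password
          name: custom-generator

  authentication:
    universalAuth:
      credentialsRef:
        secretName: universal-auth-credentials
        secretNamespace: dev
```

Apply the ClusterGenerator before the InfisicalPushSecret; the generatorRef is resolved by name and kind at reconcile time, so a missing or mismatched kind shows up as a reconcile error rather than a pushed secret.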

Supported Generators

Below are the currently supported generators for the InfisicalPushSecret CRD. Each generator is a ClusterGenerator custom resource that can be used to customize the generated secret.

Applying the InfisicalPushSecret CRD to your cluster

Once you have configured the InfisicalPushSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that the secrets have been pushed to Infisical.

  kubectl apply -f source-push-secret.yaml # The secret that you're referencing in the InfisicalPushSecret CRD push.secret field
  kubectl apply -f example-infisical-push-secret-crd.yaml # The InfisicalPushSecret CRD itself