Using the InfisicalSecret CRD

Once you have installed the operator to your cluster, you’ll need to create a InfisicalSecret custom resource definition (CRD). In this CRD, you’ll define the authentication method to use, the secrets to fetch, and the target location to store the secrets within your cluster.

example-infisical-secret-crd.yaml

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample
  labels:
    label-to-be-passed-to-managed-secret: sample-value
  annotations:
    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
spec:
  hostAPI: https://app.infisical.com/api
  resyncInterval: 10
  authentication:
    kubernetesAuth:
      identityId: <machine-identity-id>
      serviceAccountRef:
        name: <service-account-name>
        namespace: <service-account-namespace>

  managedKubeSecretReferences:
    - secretName: managed-secret
      secretNamespace: default
      creationPolicy: "Orphan"
      template:
        includeAllSecrets: true
        data:
          NEW_KEY_NAME: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"
          KEY_WITH_BINARY_VALUE: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"

CRD properties

Generic

The following properties help define what instance of Infisical the operator will interact with, the interval it will sync secrets and any CA certificates that may be required to connect.

hostAPI

If you are fetching secrets from a self-hosted instance of Infisical set the value of hostAPI to https://your-self-hosted-instace.com/apiWhen hostAPI is not defined the operator fetches secrets from Infisical Cloud.

Advanced use case

If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet. To achieve this, use the following address for the hostAPI field:

http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api

Make sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.

resyncInterval

tls

tls.caRef

tls.caRef.secretName

tls.caRef.secretNamespace

tls.caRef.key

Authentication Methods

To retrieve the requested secrets, the operator must first authenticate with Infisical. The list of available authentication methods are shown below.

authentication

authentication.universalAuth

The universal machine identity authentication method is used to authenticate with Infisical. The client ID and client secret needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.

Create a machine identity

You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about machine identities here.

Create Kubernetes secret containing machine identity credentials

Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials. To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.Make sure you replace <your-identity-client-id> with the identity client ID and <your-identity-client-secret> with the identity client secret.

  kubectl create secret generic universal-auth-credentials --from-literal=clientId="<your-identity-client-id>" --from-literal=clientSecret="<your-identity-client-secret>"

Add reference for the Kubernetes secret containing the identity credentials

Once the secret is created, add the secretName and secretNamespace of the secret that was just created under authentication.universalAuth.credentialsRef field in the InfisicalSecret resource.

Make sure to also populate the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

Example

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
      universalAuth:
          secretsScope:
              projectSlug: <project-slug> # <-- project slug
              envSlug: <env-slug> # "dev", "staging", "prod", etc..
              secretsPath: "<secrets-path>" # Root is "/"
          credentialsRef:
              secretName: universal-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
              secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials
  ...

authentication.kubernetesAuth

The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.

Short-lived service account tokens are automatically created by the operator and are valid only for a short period of time. This is the recommended approach for using Kubernetes auth in the Infisical Secrets Operator.

Obtaining the token reviewer JWT for Infisical

1.1. Start by creating a reviewer service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.

infisical-reviewer-service-account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: infisical-token-reviewer
  namespace: default

kubectl apply -f infisical-reviewer-service-account.yaml

1.2. Bind the reviewer service account to the system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Infisical to access the TokenReview API. You can apply the following configuration file:

infisical-reviewer-cluster-role-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: infisical-token-reviewer-role-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: infisical-token-reviewer
    namespace: default

kubectl apply -f infisical-reviewer-cluster-role-binding.yaml

1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new Secret resource:

service-account-reviewer-token.yaml

  apiVersion: v1
  kind: Secret
  type: kubernetes.io/service-account-token
  metadata:
    name: infisical-token-reviewer-token
    annotations:
      kubernetes.io/service-account.name: "infisical-token-reviewer"

kubectl apply -f service-account-reviewer-token.yaml

1.4. Link the secret in step 1.3 to the service account in step 1.1:

kubectl patch serviceaccount infisical-token-reviewer -p '{"secrets": [{"name": "infisical-token-reviewer-token"}]}' -n default

1.5. Finally, retrieve the token reviewer JWT token from the secret.

kubectl get secret infisical-token-reviewer-token -n default -o=jsonpath='{.data.token}' | base64 --decode

Keep this JWT token handy as you will need it for the Token Reviewer JWT field when configuring the Kubernetes Auth authentication method for the identity in step 2.

Creating an identity

To create an identity, head to your Organization Settings > Access Control > Identities and press Create identity. identities organization

When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles. identities organization create

Now input a few details for your new identity. Here’s some guidance for each field:

Name (required): A friendly name for the identity.
Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.

Once you’ve created an identity, you’ll be prompted to configure the authentication method for it. Here, select Kubernetes Auth.

To learn more about each field of the Kubernetes native authentication method, see step 2 of guide.

identities organization create auth method

Adding an identity to a project

To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press Add identity.Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to. identities project

Create a new Kubernetes service account to authenticate with Infisical

You have already created the reviewer service account in step 1.1. Now, create a new Kubernetes service account that will be used to authenticate with Infisical. This service account will create short-lived tokens that will be used to authenticate with Infisical. The operator itself will handle the creation of these tokens automatically.

infisical-service-account.yaml

kind: ServiceAccount
apiVersion: v1
metadata:
  name: infisical-service-account

kubectl apply -f infisical-service-account.yaml -n default

Add your identity ID & service account to your InfisicalSecret resource

Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.kubernetesAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.

Add your Kubernetes service account token to the InfisicalSecret resource

Add the service account details from the previous steps under authentication.kubernetesAuth.serviceAccountRef. Here you will need to enter the name and namespace of the service account. The example below shows a complete InfisicalSecret resource with all required fields defined. Make sure you set authentication.kubernetesAuth.autoCreateServiceAccountToken to true to automatically create short-lived service account tokens for the service account.

Example

example-kubernetes-auth.yaml

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
      kubernetesAuth:
          identityId: <machine-identity-id>
          autoCreateServiceAccountToken: true # Automatically creates short-lived service account tokens for the service account.
          serviceAccountTokenAudiences:
            - <audience> # Optionally specify audience for the service account token. No audience is specified by default.
          serviceAccountRef:
            name: infisical-service-account # The service account we just created in the previous step.
            namespace: <service-account-namespace>

          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
          secretsScope:
              projectSlug: your-project-slug
              envSlug: prod
              secretsPath: "/path"
              recursive: true
  ...

authentication.awsIamAuth

The AWS IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an AWS environment like an EC2 or a Lambda function.

Create a machine identity

You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about AWS machine identities here.

Add your identity ID to your InfisicalSecret resource

Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.awsIamAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.

Example

example-aws-iam-auth.yaml

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
      awsIamAuth:
          identityId: <your-machine-identity-id>

          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
          secretsScope:
              projectSlug: your-project-slug
              envSlug: prod
              secretsPath: "/path"
              recursive: true
  ...

authentication.azureAuth

The Azure machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an Azure environment.

Create a machine identity

You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about Azure machine identities here.

Add your identity ID to your InfisicalSecret resource

Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.azureAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.

Example

example-azure-auth.yaml

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
      azureAuth:
          identityId: <your-machine-identity-id>

          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
          secretsScope:
              projectSlug: your-project-slug
              envSlug: prod
              secretsPath: "/path"
              recursive: true
  ...

authentication.gcpIdTokenAuth

The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.

Create a machine identity

You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.

Add your identity ID to your InfisicalSecret resource

Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.gcpIdTokenAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.

Example

example-gcp-id-token-auth.yaml

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
      gcpIdTokenAuth:
          identityId: <your-machine-identity-id>

          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
          secretsScope:
              projectSlug: your-project-slug
              envSlug: prod
              secretsPath: "/path"
              recursive: true
  ...

authentication.gcpIamAuth

The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.

Create a machine identity

You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.

Add your identity ID and service account token path to your InfisicalSecret resource

Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the authentication.gcpIamAuth.identityId field, add the identity ID of the machine identity you created. You’ll also need to add the service account key file path to your InfisicalSecret resource. In the authentication.gcpIamAuth.serviceAccountKeyFilePath field, add the path to your service account key file path. Please see the example below for more details.

Example

example-gcp-id-token-auth.yaml

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
      gcpIamAuth:
          identityId: <your-machine-identity-id>
          serviceAccountKeyFilePath: "/path/to-service-account-key-file-path.json"

          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
          secretsScope:
              projectSlug: your-project-slug
              envSlug: prod
              secretsPath: "/path"
              recursive: true
  ...

authentication.ldapAuth

The LDAP machine identity authentication method is used to authenticate with Infisical using the configured LDAP directory. The username and password needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.

Create a machine identity

You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about machine identities here.

Create Kubernetes secret containing machine identity credentials

Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials. To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.Make sure you replace <your-identity-ldap-username> with the identity LDAP username and <your-identity-ldap-password> with the identity LDAP password.

  kubectl create secret generic ldap-auth-credentials --from-literal=username="<your-identity-ldap-username>" --from-literal=password="<your-identity-ldap-password>"

Add reference for the Kubernetes secret containing the identity credentials

Once the secret is created, add the secretName and secretNamespace of the secret that was just created under authentication.ldapAuth.credentialsRef field in the InfisicalSecret resource.

Example

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
    ldapAuth:
      secretsScope:
        projectSlug: <project-slug> # <-- project slug
        envSlug: <env-slug> # "dev", "staging", "prod", etc..
        secretsPath: "<secrets-path>" # Root is "/"
      identityId: <machine-identity-id>
      credentialsRef:
        secretName: ldap-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
        secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials

authentication.serviceToken

The service token required to authenticate with Infisical needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token. Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.

1. Generate service token

You can generate a service token for an Infisical project by heading over to the Infisical dashboard then to Project Settings.

2. Create Kubernetes secret containing service token

Once you have generated the service token, you will need to create a Kubernetes secret containing the service token you generated. To quickly create a Kubernetes secret containing the generated service token, you can run the command below. Make sure you replace <your-service-token-here> with your service token.

kubectl create secret generic service-token --from-literal=infisicalToken="<your-service-token-here>"

3. Add reference for the Kubernetes secret containing service token

Once the secret is created, add the name and namespace of the secret that was just created under authentication.serviceToken.serviceTokenSecretReference field in the InfisicalSecret resource.

Make sure to also populate the secretsScope field with the, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

Example

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample-crd
spec:
  authentication:
    serviceToken:
      serviceTokenSecretReference:
        secretName: service-token # <-- name of the Kubernetes secret that stores our service token
        secretNamespace: option # <-- namespace of the Kubernetes secret that stores our service token
      secretsScope:
        envSlug: <env-slug> # "dev", "staging", "prod", etc..
        secretsPath: <secrets-path> # Root is "/"
  ...

Operator Managed Secrets

The managed secret properties specify where to store the secrets retrieved from your Infisical project. This includes defining the name and namespace of the Kubernetes secret that will hold these secrets. The Infisical operator will automatically create the Kubernetes secret in the specified name/namespace and ensure it stays up-to-date.

The managedSecretReference field is deprecated and will be removed in a future release. Replace it with managedKubeSecretReferences, which now accepts an array of references to support multiple managed secrets in a single InfisicalSecret CRD.Example:

managedKubeSecretReferences:
  - secretName: managed-secret
    secretNamespace: default
    creationPolicy: "Orphan"

managedKubeSecretReferences

managedKubeSecretReferences[].secretName

managedKubeSecretReferences[].secretNamespace

managedKubeSecretReferences[].secretType

managedKubeSecretReferences[].creationPolicy

Managed Secret Templating

Fetching secrets from Infisical as is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Infisical before storing them as Kubernetes Secrets.

managedKubeSecretReferences[].template

managedKubeSecretReferences[].template.includeAllSecrets

managedKubeSecretReferences[].template.data

Define secret keys and their corresponding templates. Each data value uses a Golang template with access to all secrets retrieved from the specified scope.Secrets are structured as follows:

type TemplateSecret struct {
    Value      string `json:"value"`
    SecretPath string `json:"secretPath"`
}

Example template configuration:

managedKubeSecretReferences:
  - secretName: managed-secret
    secretNamespace: default
    template:
      includeAllSecrets: true
      data:
        # Create new secret key that doesn't exist in your Infisical project using values of other secrets
        NEW_KEY: "{{ .DB_PASSWORD.Value }}"
        # Override an existing secret key in Infisical project with a new value using values of other secrets
        API_URL: "https://api.{{.COMPANY_NAME.Value}}.{{.REGION.Value}}.com"

For this example, let’s assume the following secrets exist in your Infisical project:

DB_PASSWORD = "secret123"
COMPANY_NAME = "acme"
REGION = "us-east-1"
API_URL = "old-url"  # This will be overridden

The resulting managed Kubernetes secret will then contain:

# Original secrets (from includeAllSecrets: true)
DB_PASSWORD = "secret123"
COMPANY_NAME = "acme"
REGION = "us-east-1"

# New and overridden templated secrets
NEW_KEY = "secret123"                       # New secret created from template
API_URL = "https://api.acme.us-east-1.com" # Existing secret overridden by template

To help transform your secrets further, the operator provides a set of built-in functions that you can use in your templates.

Available templating functions

Please refer to the templating functions documentation for more information.

Operator Managed ConfigMaps

The managed config map properties specify where to store the secrets retrieved from your Infisical project. Config maps can be used to store non-sensitive data, such as application configuration variables. The properties includes defining the name and namespace of the Kubernetes config map that will hold the data retrieved from your Infisical project. The Infisical operator will automatically create the Kubernetes config map in the specified name/namespace and ensure it stays up-to-date. If a config map already exists in the specified namespace, the operator will update the existing config map with the new data.

The usage of config maps is only intended for storing non-sensitive data. If you are looking to store sensitive data, please use the managed secret property instead.

managedKubeConfigMapReferences

managedKubeConfigMapReferences[].configMapName

managedKubeConfigMapReferences[].configMapNamespace

managedKubeConfigMapReferences[].creationPolicy

Managed ConfigMap Templating

managedKubeConfigMapReferences[].template

managedKubeConfigMapReferences[].template.includeAllSecrets

managedKubeConfigMapReferences[].template.data

Define secret keys and their corresponding templates. Each data value uses a Golang template with access to all secrets retrieved from the specified scope.Secrets are structured as follows:

type TemplateSecret struct {
    Value      string `json:"value"`
    SecretPath string `json:"secretPath"`
}

Example template configuration:

managedKubeConfigMapReferences:
  - configMapName: managed-configmap
    configMapNamespace: default
    template:
      includeAllSecrets: true
      data:
        # Create new key that doesn't exist in your Infisical project using values of other secrets
        SITE_URL: "{{ .SITE_URL.Value }}"
        # Override an existing key in Infisical project with a new value using values of other secrets
        API_URL: "https://api.{{.SITE_URL.Value}}.{{.REGION.Value}}.com"

For this example, let’s assume the following secrets exist in your Infisical project:

SITE_URL = "https://example.com"
REGION = "us-east-1"
API_URL = "old-url"  # This will be overridden

The resulting managed Kubernetes config map will then contain:

# Original config map data (from includeAllSecrets: true)
SITE_URL = "https://example.com"
REGION = "us-east-1"

# New and overridden config map data
SITE_URL = "https://example.com"
API_URL = "https://api.example.com.us-east-1.com" # Existing secret overridden by template

To help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.

Available templating functions

Please refer to the templating functions documentation for more information.

Applying CRD

Once you have configured the InfisicalSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that the managed secret has been created in the desired namespace your specified.

kubectl apply -f example-infisical-secret-crd.yaml

To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.

# Verify managed secret is created
kubectl get secrets -n <namespace of managed secret>

The Infisical secrets will be synced and stored into the managed secret every 1 minute unless configured otherwise.

Using Managed Secret In Your Deployment

To make use of the managed secret created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets here

envFrom

This will take all the secrets from your managed secret and expose them to your container

  envFrom:
    - secretRef:
        name: managed-secret # managed secret name
  ```

  Example usage in a deployment
  ```yaml
  apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        envFrom:
        - secretRef:
            name: managed-secret # <- name of managed secret
        ports:
        - containerPort: 80

env

This will allow you to select individual secrets by key name from your managed secret and expose them to your container

env:
  - name: SECRET_NAME # The environment variable's name which is made available in the container
    valueFrom:
      secretKeyRef:
        name: managed-secret # managed secret name
        key: SOME_SECRET_KEY # The name of the key which exists in the managed secret

Example usage in a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          env:
            - name: STRIPE_API_SECRET
              valueFrom:
                secretKeyRef:
                  name: managed-secret # <- name of managed secret
                  key: STRIPE_API_SECRET
          ports:
            - containerPort: 80

volumes

This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret

volumes:
  - name: secrets-volume-name # The name of the volume under which secrets will be stored
    secret:
      secretName: managed-secret # managed secret name

You can then mount this volume to the container’s filesystem so that your deployment can access the files containing the managed secrets

volumeMounts:
  - name: secrets-volume-name
    mountPath: /etc/secrets
    readOnly: true

Example usage in a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          volumeMounts:
            - name: secrets-volume-name
              mountPath: /etc/secrets
              readOnly: true
          ports:
            - containerPort: 80
      volumes:
        - name: secrets-volume-name
          secret:
            secretName: managed-secret # <- managed secrets

The definition file of the Kubernetes secret for the CA certificate can be structured like the following:

apiVersion: v1
kind: Secret
metadata:
  name: custom-ca-certificate
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
    ...
    BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
    -----END CERTIFICATE-----

Automatic Redeployment

Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.

Enabling Automatic Redeployment

To enable auto redeployment you simply have to add the following annotation to the Deployment, StatefulSet, or DaemonSet that consumes a managed secret.

secrets.infisical.com/auto-reload: "true"

Deployment example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
  annotations:
    secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        envFrom:
        - secretRef:
            name: managed-secret
        ports:
        - containerPort: 80

DaemonSet example

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: log-agent
  labels:
    app: log-agent
  annotations:
    secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
spec:
  selector:
    matchLabels:
      app: log-agent
  template:
    metadata:
      labels:
        app: log-agent
    spec:
      containers:
        - name: log-agent
          image: mycompany/log-agent:latest
          envFrom:
            - secretRef:
                name: managed-secret # <- name of the managed secret
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
              readOnly: true
      volumes:
        - name: config-volume
          secret:
            secretName: managed-secret

StatefulSet example

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db-worker
  labels:
    app: db-worker
  annotations:
    secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
spec:
  selector:
    matchLabels:
      app: db-worker
  serviceName: "db-worker"
  replicas: 2
  template:
    metadata:
      labels:
        app: db-worker
    spec:
      containers:
        - name: db-worker
          image: mycompany/db-worker:stable
          env:
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: managed-secret
                  key: DB_PASSWORD
          ports:
            - containerPort: 5432

How it works When a managed secret is updated, the operator checks for

any Deployments, DaemonSets, or StatefulSets that consume the updated secret and have the annotation secrets.infisical.com/auto-reload: "true". For each matching workload, the operator triggers a rolling restart to ensure it picks up the latest secret values.

Using Managed ConfigMap In Your Deployment

To make use of the managed ConfigMap created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes ConfigMaps here

Automatic redeployment of deployments using managed ConfigMaps is not yet supported.

envFrom

This will take all the secrets from your managed ConfigMap and expose them to your container

  envFrom:
    - configMapRef:
        name: managed-configmap # managed configmap name
  ```

  Example usage in a deployment
  ```yaml
  apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        envFrom:
        - configMapRef:
            name: managed-configmap # <- name of managed configmap
        ports:
        - containerPort: 80

env

This will allow you to select individual secrets by key name from your managed ConfigMap and expose them to your container

env:
  - name: CONFIG_NAME # The environment variable's name which is made available in the container
    valueFrom:
      configMapKeyRef:
        name: managed-configmap # managed configmap name
        key: SOME_CONFIG_KEY # The name of the key which exists in the managed configmap

Example usage in a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          env:
            - name: STRIPE_API_SECRET
              valueFrom:
                configMapKeyRef:
                  name: managed-configmap # <- name of managed configmap
                  key: STRIPE_API_SECRET
          ports:
            - containerPort: 80

volumes

This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret

volumes:
  - name: configmaps-volume-name # The name of the volume under which configmaps will be stored
    configMap:
      name: managed-configmap # managed configmap name

You can then mount this volume to the container’s filesystem so that your deployment can access the files containing the managed secrets

volumeMounts:
  - name: configmaps-volume-name
    mountPath: /etc/config
    readOnly: true

Example usage in a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          volumeMounts:
            - name: configmaps-volume-name
              mountPath: /etc/config
              readOnly: true
          ports:
            - containerPort: 80
      volumes:
        - name: configmaps-volume-name
          configMap:
            name: managed-configmap # <- managed configmap

The definition file of the Kubernetes secret for the CA certificate can be structured like the following:

apiVersion: v1
kind: Secret
metadata:
  name: custom-ca-certificate
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
    ...
    BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
    -----END CERTIFICATE-----

Propagating Labels & Annotations

The operator will transfer all labels & annotations present on the InfisicalSecret CRD to the managed Kubernetes secret to be created. Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:

Example propagation

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample
  labels:
    label-to-be-passed-to-managed-secret: sample-value
  annotations:
    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
spec:
  ..
  authentication:
    ...
  managedKubeSecretReferences:
    ...

This would result in the following managed secret to be created:

apiVersion: v1
data: ...
kind: Secret
metadata:
  annotations:
    example.com/annotation-to-be-passed-to-managed-secret: sample-value
    secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
  labels:
    label-to-be-passed-to-managed-secret: sample-value
  name: managed-token
  namespace: default
type: Opaque

Secrets Management

Product Reference

Infrastructure Integrations

Secret Syncs

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

Others

​CRD properties

​Generic

​Authentication Methods

​Operator Managed Secrets

​Managed Secret Templating

​Operator Managed ConfigMaps

​Managed ConfigMap Templating

​Applying CRD

​Using Managed Secret In Your Deployment

​Automatic Redeployment

​Enabling Automatic Redeployment

​How it works When a managed secret is updated, the operator checks for

​Using Managed ConfigMap In Your Deployment

​Propagating Labels & Annotations

CRD properties

Generic

Authentication Methods

Operator Managed Secrets

Managed Secret Templating

Operator Managed ConfigMaps

Managed ConfigMap Templating

Applying CRD

Using Managed Secret In Your Deployment

Automatic Redeployment

Enabling Automatic Redeployment

How it works When a managed secret is updated, the operator checks for

Using Managed ConfigMap In Your Deployment

Propagating Labels & Annotations