Kubernetes Operator
Using the InfisicalSecret CRD
Learn how to use the InfisicalSecret CRD to fetch secrets from Infisical and store them as native Kubernetes secret resource
Once you have installed the operator to your cluster, you’ll need to create a
To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.
The definition file of the Kubernetes secret for the CA certificate can be structured like the following:
The definition file of the Kubernetes secret for the CA certificate can be structured like the following:
This would result in the following managed secret to be created:
InfisicalSecret custom resource definition (CRD).
In this CRD, you’ll define the authentication method to use, the secrets to fetch, and the target location to store the secrets within your cluster.
example-infisical-secret-crd.yaml
CRD properties
Generic
The following properties help define what instance of Infisical the operator will interact with, the interval it will sync secrets and any CA certificates that may be required to connect.hostAPI
hostAPI
If you are fetching secrets from a self-hosted instance of Infisical set the value of
hostAPI to
https://your-self-hosted-instace.com/apiWhen hostAPI is not defined the operator fetches secrets from Infisical Cloud.Advanced use case
Advanced use case
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet.
To achieve this, use the following address for the hostAPI field:Make sure to replace
<backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.resyncInterval
resyncInterval
This property defines the time in seconds between each secret re-sync from
Infisical. Shorter time between re-syncs will require higher rate limits only
available on paid plans. Default re-sync interval is every 1 minute.
tls
tls
This block defines the TLS settings to use for connecting to the Infisical
instance.
tls.caRef
tls.caRef
This block defines the reference to the CA certificate to use for connecting
to the Infisical instance with SSL/TLS.
tls.caRef.secretName
tls.caRef.secretName
The name of the Kubernetes secret containing the CA certificate to use for
connecting to the Infisical instance with SSL/TLS.
tls.caRef.secretNamespace
tls.caRef.secretNamespace
The namespace of the Kubernetes secret containing the CA certificate to use
for connecting to the Infisical instance with SSL/TLS.
tls.caRef.key
tls.caRef.key
The name of the key in the Kubernetes secret which contains the value of the
CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Authentication Methods
To retrieve the requested secrets, the operator must first authenticate with Infisical. The list of available authentication methods are shown below.authentication
authentication
authentication.universalAuth
authentication.universalAuth
The universal machine identity authentication method is used to authenticate with Infisical. The client ID and client secret needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.
1
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about machine identities here.
2
Create Kubernetes secret containing machine identity credentials
Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials.
To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.Make sure you replace
<your-identity-client-id> with the identity client ID and <your-identity-client-secret> with the identity client secret.3
Add reference for the Kubernetes secret containing the identity credentials
Once the secret is created, add the
secretName and secretNamespace of the secret that was just created under authentication.universalAuth.credentialsRef field in the InfisicalSecret resource.Make sure to also populate the
secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.Example
authentication.kubernetesAuth
authentication.kubernetesAuth
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
Short-lived service account tokens are automatically created by the operator and are valid only for a short period of time. This is the recommended approach for using Kubernetes auth in the Infisical Secrets Operator.
1
Obtaining the token reviewer JWT for Infisical
1.1. Start by creating a reviewer service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.1.2. Bind the reviewer service account to the 1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new 1.4. Link the secret in step 1.3 to the service account in step 1.1:1.5. Finally, retrieve the token reviewer JWT token from the secret.Keep this JWT token handy as you will need it for the Token Reviewer JWT field when configuring the Kubernetes Auth authentication method for the identity in step 2.
infisical-reviewer-service-account.yaml
system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Infisical to access the TokenReview API. You can apply the following configuration file:infisical-reviewer-cluster-role-binding.yaml
Secret resource:service-account-reviewer-token.yaml
2
Creating an identity
To create an identity, head to your Organization Settings > Access Control > Identities and press Create identity.
When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
Now input a few details for your new identity. Here’s some guidance for each field:
When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.Now input a few details for your new identity. Here’s some guidance for each field:- Name (required): A friendly name for the identity.
- Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
To learn more about each field of the Kubernetes native authentication method, see step 2 of guide.
3
Adding an identity to a project
To allow the operator to use the given identity to access secrets, you will need to add the identity to project(s) that you would like to grant it access to.To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press Add identity.Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
4
Create a new Kubernetes service account to authenticate with Infisical
You have already created the reviewer service account in step 1.1. Now, create a new Kubernetes service account that will be used to authenticate with Infisical.
This service account will create short-lived tokens that will be used to authenticate with Infisical. The operator itself will handle the creation of these tokens automatically.
infisical-service-account.yaml
5
Add your identity ID & service account to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource.
In the
authentication.kubernetesAuth.identityId field, add the identity ID of the machine identity you created.
See the example below for more details.6
Add your Kubernetes service account token to the InfisicalSecret resource
Add the service account details from the previous steps under
authentication.kubernetesAuth.serviceAccountRef.
Here you will need to enter the name and namespace of the service account.
The example below shows a complete InfisicalSecret resource with all required fields defined.
Make sure you set authentication.kubernetesAuth.autoCreateServiceAccountToken to true to automatically create short-lived service account tokens for the service account.Make sure to also populate the
secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.Example
example-kubernetes-auth.yaml
authentication.awsIamAuth
authentication.awsIamAuth
The AWS IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an AWS environment like an EC2 or a Lambda function.
1
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about AWS machine identities here.
2
Add your identity ID to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the
authentication.awsIamAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.Make sure to also populate the
secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.Example
example-aws-iam-auth.yaml
authentication.azureAuth
authentication.azureAuth
The Azure machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an Azure environment.
1
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about Azure machine identities here.
2
Add your identity ID to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the
authentication.azureAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.Make sure to also populate the
secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.Example
example-azure-auth.yaml
authentication.gcpIdTokenAuth
authentication.gcpIdTokenAuth
The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
1
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.
2
Add your identity ID to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the
authentication.gcpIdTokenAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.Make sure to also populate the
secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.Example
example-gcp-id-token-auth.yaml
authentication.gcpIamAuth
authentication.gcpIamAuth
The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
1
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about GCP machine identities here.
2
Add your identity ID and service account token path to your InfisicalSecret resource
Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the
authentication.gcpIamAuth.identityId field, add the identity ID of the machine identity you created.
You’ll also need to add the service account key file path to your InfisicalSecret resource. In the authentication.gcpIamAuth.serviceAccountKeyFilePath field, add the path to your service account key file path. Please see the example below for more details.Make sure to also populate the
secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.Example
example-gcp-id-token-auth.yaml
authentication.ldapAuth
authentication.ldapAuth
The LDAP machine identity authentication method is used to authenticate with Infisical using the configured LDAP directory. The username and password needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores these credentials.
1
Create a machine identity
You need to create a machine identity, and give it access to the project(s) you want to interact with. You can read more about machine identities here.
2
Create Kubernetes secret containing machine identity credentials
Once you have created your machine identity and added it to your project(s), you will need to create a Kubernetes secret containing the identity credentials.
To quickly create a Kubernetes secret containing the identity credentials, you can run the command below.Make sure you replace
<your-identity-ldap-username> with the identity LDAP username and <your-identity-ldap-password> with the identity LDAP password.3
Add reference for the Kubernetes secret containing the identity credentials
Once the secret is created, add the
secretName and secretNamespace of the secret that was just created under authentication.ldapAuth.credentialsRef field in the InfisicalSecret resource.Make sure to also populate the
secretsScope field with the project slug
projectSlug, environment slug envSlug, and secrets path
secretsPath that you want to fetch secrets from. Please see the example
below.Example
authentication.serviceToken
authentication.serviceToken
The service token required to authenticate with Infisical needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token.
Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.
1. Generate service token
You can generate a service token for an Infisical project by heading over to the Infisical dashboard then to Project Settings.2. Create Kubernetes secret containing service token
Once you have generated the service token, you will need to create a Kubernetes secret containing the service token you generated. To quickly create a Kubernetes secret containing the generated service token, you can run the command below. Make sure you replace<your-service-token-here> with your service token.3. Add reference for the Kubernetes secret containing service token
Once the secret is created, add the name and namespace of the secret that was just created underauthentication.serviceToken.serviceTokenSecretReference field in the InfisicalSecret resource.Make sure to also populate the
secretsScope field with the, environment slug
envSlug, and secrets path secretsPath that you want to fetch secrets
from. Please see the example below.Example
Operator Managed Secrets
The managed secret properties specify where to store the secrets retrieved from your Infisical project. This includes defining the name and namespace of the Kubernetes secret that will hold these secrets. The Infisical operator will automatically create the Kubernetes secret in the specified name/namespace and ensure it stays up-to-date.The
managedSecretReference field is deprecated and will be removed in a future release.
Replace it with managedKubeSecretReferences, which now accepts an array of references to support multiple managed secrets in a single InfisicalSecret CRD.Example:managedKubeSecretReferences
managedKubeSecretReferences
managedKubeSecretReferences[].secretName
managedKubeSecretReferences[].secretName
The name of the managed Kubernetes secret to be created
managedKubeSecretReferences[].secretNamespace
managedKubeSecretReferences[].secretNamespace
The namespace of the managed Kubernetes secret to be created.
managedKubeSecretReferences[].secretType
managedKubeSecretReferences[].secretType
Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
managedKubeSecretReferences[].creationPolicy
managedKubeSecretReferences[].creationPolicy
Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator.
This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
Available options
Orphan(default)Owner
When creation policy is set to
Owner, the InfisicalSecret CRD must be in
the same namespace as where the managed kubernetes secret.Managed Secret Templating
Fetching secrets from Infisical as is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Infisical before storing them as Kubernetes Secrets.managedKubeSecretReferences[].template
managedKubeSecretReferences[].template
managedKubeSecretReferences[].template.includeAllSecrets
managedKubeSecretReferences[].template.includeAllSecrets
This property controls what secrets are included in your managed secret when using templates.
When set to
true, all secrets fetched from your Infisical project will be added into your managed Kubernetes secret resource.
Use this option when you would like to sync all secrets from Infisical to Kubernetes but want to template a subset of them.When set to false, only secrets defined in the managedKubeSecretReferences[].template.data field of the template will be included in the managed secret.
Use this option when you would like to sync only a subset of secrets from Infisical to Kubernetes.managedKubeSecretReferences[].template.data
managedKubeSecretReferences[].template.data
Define secret keys and their corresponding templates.
Each data value uses a Golang template with access to all secrets retrieved from the specified scope.Secrets are structured as follows:For this example, let’s assume the following secrets exist in your Infisical project:The resulting managed Kubernetes secret will then contain:To help transform your secrets further, the operator provides a set of built-in functions that you can use in your templates.
Example template configuration:
Available templating functions
Please refer to the templating functions documentation for more information.Operator Managed ConfigMaps
The managed config map properties specify where to store the secrets retrieved from your Infisical project. Config maps can be used to store non-sensitive data, such as application configuration variables. The properties includes defining the name and namespace of the Kubernetes config map that will hold the data retrieved from your Infisical project. The Infisical operator will automatically create the Kubernetes config map in the specified name/namespace and ensure it stays up-to-date. If a config map already exists in the specified namespace, the operator will update the existing config map with the new data.The usage of config maps is only intended for storing non-sensitive data. If
you are looking to store sensitive data, please use the managed
secret property instead.
managedKubeConfigMapReferences
managedKubeConfigMapReferences
managedKubeConfigMapReferences[].configMapName
managedKubeConfigMapReferences[].configMapName
The name of the managed Kubernetes config map that your Infisical data will be stored in.
managedKubeConfigMapReferences[].configMapNamespace
managedKubeConfigMapReferences[].configMapNamespace
The namespace of the managed Kubernetes config map that your Infisical data will be stored in.
managedKubeConfigMapReferences[].creationPolicy
managedKubeConfigMapReferences[].creationPolicy
Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes config map that is generated by the Infisical operator.
This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
Available options
Orphan(default)Owner
When creation policy is set to
Owner, the InfisicalSecret CRD must be in
the same namespace as where the managed kubernetes config map.Managed ConfigMap Templating
Fetching secrets from Infisical as is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Infisical before storing them as Kubernetes Config Maps.managedKubeConfigMapReferences[].template
managedKubeConfigMapReferences[].template
managedKubeConfigMapReferences[].template.includeAllSecrets
managedKubeConfigMapReferences[].template.includeAllSecrets
This property controls what secrets are included in your managed config map when using templates.
When set to
true, all secrets fetched from your Infisical project will be added into your managed Kubernetes config map resource.
Use this option when you would like to sync all secrets from Infisical to Kubernetes but want to template a subset of them.When set to false, only secrets defined in the managedKubeConfigMapReferences[].template.data field of the template will be included in the managed config map.
Use this option when you would like to sync only a subset of secrets from Infisical to Kubernetes.managedKubeConfigMapReferences[].template.data
managedKubeConfigMapReferences[].template.data
Define secret keys and their corresponding templates.
Each data value uses a Golang template with access to all secrets retrieved from the specified scope.Secrets are structured as follows:For this example, let’s assume the following secrets exist in your Infisical project:The resulting managed Kubernetes config map will then contain:To help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.
Example template configuration:
Available templating functions
Please refer to the templating functions documentation for more information.Applying CRD
Once you have configured the InfisicalSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that the managed secret has been created in the desired namespace your specified.The Infisical secrets will be synced and stored into the managed secret every
1 minute unless configured otherwise.
Using Managed Secret In Your Deployment
To make use of the managed secret created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets hereenvFrom
envFrom
This will take all the secrets from your managed secret and expose them to your container
env
env
This will allow you to select individual secrets by key name from your managed secret and expose them to your containerExample usage in a deployment
volumes
volumes
This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secretYou can then mount this volume to the container’s filesystem so that your deployment can access the files containing the managed secretsExample usage in a deployment
Automatic Redeployment
Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.Enabling Automatic Redeployment
To enable auto redeployment you simply have to add the following annotation to the Deployment, StatefulSet, or DaemonSet that consumes a managed secret.Deployment example
Deployment example
DaemonSet example
DaemonSet example
StatefulSet example
StatefulSet example
How it works When a managed secret is updated, the operator checks for
any Deployments, DaemonSets, or StatefulSets that consume the updated secret and have the annotationsecrets.infisical.com/auto-reload: "true". For each
matching workload, the operator triggers a rolling restart to ensure it picks
up the latest secret values.Using Managed ConfigMap In Your Deployment
To make use of the managed ConfigMap created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes ConfigMaps hereAutomatic redeployment of deployments using managed ConfigMaps is not yet
supported.
envFrom
envFrom
This will take all the secrets from your managed ConfigMap and expose them to your container
env
env
This will allow you to select individual secrets by key name from your managed ConfigMap and expose them to your containerExample usage in a deployment
volumes
volumes
This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secretYou can then mount this volume to the container’s filesystem so that your deployment can access the files containing the managed secretsExample usage in a deployment
Propagating Labels & Annotations
The operator will transfer all labels & annotations present on theInfisicalSecret CRD to the managed Kubernetes secret to be created.
Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
Example propagation
Example propagation