Learn how to use the InfisicalSecret CRD to fetch secrets from Infisical and store them as native Kubernetes secret resources.

This page describes the InfisicalSecret custom resource definition (CRD). In this CRD, you'll define the authentication method to use, the secrets to fetch, and the target location to store the secrets within your cluster.
hostAPI

To use a self-hosted instance, set hostAPI to https://your-self-hosted-instace.com/api. When hostAPI is not defined, the operator fetches secrets from Infisical Cloud.

Advanced use case: hostAPI can also point at the Infisical backend service running inside the cluster; replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.

resyncInterval
tls
tls.caRef
tls.caRef.secretName
tls.caRef.secretNamespace
tls.caRef.key
authentication

authentication.universalAuth

1. Create a machine identity.
2. Create a Kubernetes secret containing the machine identity credentials. Replace <your-identity-client-id> with the identity client ID and <your-identity-client-secret> with the identity client secret.
3. Add a reference to the Kubernetes secret containing the identity credentials: set the secretName and secretNamespace of the secret that was just created under the authentication.universalAuth.credentialsRef field in the InfisicalSecret resource.
4. Fill in the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

authentication.kubernetesAuth
1. Obtaining the token reviewer JWT for Infisical. Create a service account bound to the system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Infisical to access the TokenReview API. You can apply the following configuration file, followed by a Secret resource holding the service account token:
2. Creating an identity.
3. Adding an identity to a project.
4. Create a new Kubernetes service account to authenticate with Infisical.
5. Add your identity ID and service account to your InfisicalSecret resource. In the authentication.kubernetesAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
6. Add your Kubernetes service account token to the InfisicalSecret resource under authentication.kubernetesAuth.serviceAccountRef. Here you will need to enter the name and namespace of the service account. The example below shows a complete InfisicalSecret resource with all required fields defined. Make sure you set authentication.kubernetesAuth.autoCreateServiceAccountToken to true to automatically create short-lived service account tokens for the service account.
7. Fill in the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

authentication.awsIamAuth
1. Create a machine identity.
2. Add your identity ID to your InfisicalSecret resource. In the authentication.awsIamAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
3. Fill in the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

authentication.azureAuth
1. Create a machine identity.
2. Add your identity ID to your InfisicalSecret resource. In the authentication.azureAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
3. Fill in the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

authentication.gcpIdTokenAuth
1. Create a machine identity.
2. Add your identity ID to your InfisicalSecret resource. In the authentication.gcpIdTokenAuth.identityId field, add the identity ID of the machine identity you created. See the example below for more details.
3. Fill in the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

authentication.gcpIamAuth
1. Create a machine identity.
2. Add your identity ID and service account key file path to your InfisicalSecret resource. In the authentication.gcpIamAuth.identityId field, add the identity ID of the machine identity you created. You'll also need to add the service account key file path to your InfisicalSecret resource: in the authentication.gcpIamAuth.serviceAccountKeyFilePath field, add the path to your service account key file. Please see the example below for more details.
3. Fill in the secretsScope field with the project slug projectSlug, environment slug envSlug, and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

authentication.serviceToken
Replace <your-service-token-here> with your service token, and reference the Kubernetes secret holding it in the authentication.serviceToken.serviceTokenSecretReference field in the InfisicalSecret resource. Fill in the secretsScope field with the environment slug envSlug and secrets path secretsPath that you want to fetch secrets from. Please see the example below.

managedSecretReference

The managedSecretReference field is deprecated and will be removed in a future release. Replace it with managedKubeSecretReferences, which now accepts an array of references to support multiple managed secrets in a single InfisicalSecret CRD. Example:

managedKubeSecretReferences
managedKubeSecretReferences[].secretName

managedKubeSecretReferences[].secretNamespace

managedKubeSecretReferences[].secretType

managedKubeSecretReferences[].creationPolicy

Allowed values: Orphan (default) and Owner. When set to Owner, the InfisicalSecret CRD must be in the same namespace as the managed Kubernetes secret.

managedKubeSecretReferences[].template

managedKubeSecretReferences[].template.includeAllSecrets

When set to true, all secrets fetched from your Infisical project will be added into your managed Kubernetes secret resource. Use this option when you would like to sync all secrets from Infisical to Kubernetes but want to template a subset of them. When set to false, only secrets defined in the managedKubeSecretReferences[].template.data field of the template will be included in the managed secret. Use this option when you would like to sync only a subset of secrets from Infisical to Kubernetes.

managedKubeSecretReferences[].template.data
managedKubeConfigMapReferences

managedKubeConfigMapReferences[].configMapName

managedKubeConfigMapReferences[].configMapNamespace

managedKubeConfigMapReferences[].creationPolicy

Allowed values: Orphan (default) and Owner. When set to Owner, the InfisicalSecret CRD must be in the same namespace as the managed Kubernetes config map.

managedKubeConfigMapReferences[].template

managedKubeConfigMapReferences[].template.includeAllSecrets

When set to true, all secrets fetched from your Infisical project will be added into your managed Kubernetes config map resource. Use this option when you would like to sync all secrets from Infisical to Kubernetes but want to template a subset of them. When set to false, only secrets defined in the managedKubeConfigMapReferences[].template.data field of the template will be included in the managed config map. Use this option when you would like to sync only a subset of secrets from Infisical to Kubernetes.

managedKubeConfigMapReferences[].template.data
Workloads such as Deployments, DaemonSets and StatefulSets that consume a managed secret through envFrom, env or volumes can be annotated with secrets.infisical.com/auto-reload: "true". For each matching workload, the operator triggers a rolling restart to ensure it picks up the latest secret values.
env
volumes
Labels are propagated from the InfisicalSecret CRD to the managed Kubernetes secret to be created. Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:

Example propagation
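As an added example (not the page's own YAML), here is a complete InfisicalSecret that ties together the universalAuth, secretsScope and managedKubeSecretReferences sections above, together with a label on the CRD that is propagated to the managed secret. The credentials Secret key names (clientId/clientSecret), the apiVersion secrets.infisical.com/v1alpha1, the {{ .NAME.Value }} template syntax, the resyncInterval value and all resource names and slugs are assumptions.

```yaml
# Added example: universal-auth credentials Secret plus an InfisicalSecret that
# syncs one environment into a managed Kubernetes Secret. Key names, apiVersion,
# template syntax, names and slugs are assumptions, not taken from this page.
apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials           # assumed name
  namespace: default
type: Opaque
stringData:
  clientId: <your-identity-client-id>          # placeholder from the page
  clientSecret: <your-identity-client-secret>  # placeholder from the page
---
apiVersion: secrets.infisical.com/v1alpha1   # assumed API version
kind: InfisicalSecret
metadata:
  name: app-config-sync                      # assumed name
  namespace: default
  labels:
    app.kubernetes.io/part-of: my-app        # propagated to the managed secret
spec:
  hostAPI: https://your-self-hosted-instace.com/api  # omit to use Infisical Cloud
  resyncInterval: 60                         # assumed value, in seconds
  authentication:
    universalAuth:
      credentialsRef:
        secretName: universal-auth-credentials
        secretNamespace: default
      secretsScope:
        projectSlug: my-project              # assumed slug
        envSlug: prod
        secretsPath: "/"
  managedKubeSecretReferences:
    - secretName: managed-secret             # assumed name
      secretNamespace: default
      secretType: Opaque
      creationPolicy: Owner                  # CRD and managed secret share a namespace
      template:
        includeAllSecrets: false             # only keys listed under data are written
        data:
          # Template referencing a fetched secret by name (syntax assumed)
          DATABASE_URL: "{{ .DATABASE_URL.Value }}"
```

With includeAllSecrets set to false, only DATABASE_URL lands in managed-secret, which keeps the blast radius of a compromised workload to the keys it actually needs.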