Once you have installed the operator to your cluster, you’ll need to create a InfisicalSecret custom resource definition (CRD). In this CRD, you’ll define the authentication method to use, the secrets to fetch, and the target location to store the secrets within your cluster.

example-infisical-secret-crd.yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisicalsecret-sample
  labels:
    label-to-be-passed-to-managed-secret: sample-value
  annotations:
    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
spec:
  hostAPI: https://app.infisical.com/api
  resyncInterval: 10
  authentication:
    kubernetesAuth:
      identityId: <machine-identity-id>
      serviceAccountRef:
        name: <service-account-name>
        namespace: <service-account-namespace>

  managedKubeSecretReferences:
    - secretName: managed-secret
      secretNamespace: default
      creationPolicy: "Orphan"
      template:
        includeAllSecrets: true
        data:
          NEW_KEY_NAME: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"
          KEY_WITH_BINARY_VALUE: "{{ .KEY.SecretPath }} {{ .KEY.Value }}"

CRD properties

Generic

The following properties help define what instance of Infisical the operator will interact with, the interval it will sync secrets and any CA certificates that may be required to connect.

Authentication methods

To retrieve the requested secrets, the operator must first authenticate with Infisical. The list of available authentication methods are shown below.

Operator managed secrets

The managed secret properties specify where to store the secrets retrieved from your Infisical project. This includes defining the name and namespace of the Kubernetes secret that will hold these secrets. The Infisical operator will automatically create the Kubernetes secret in the specified name/namespace and ensure it stays up-to-date.

The managedSecretReference field is deprecated and will be removed in a future release. Replace it with managedKubeSecretReferences, which now accepts an array of references to support multiple managed secrets in a single InfisicalSecret CRD.

Example:

  managedKubeSecretReferences:
    - secretName: managed-secret
      secretNamespace: default
      creationPolicy: "Orphan"

Manged secret templating

Fetching secrets from Infisical as is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Infisical before storing them as Kubernetes Secrets.

Applying CRD

Once you have configured the InfisicalSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that the managed secret has been created in the desired namespace your specified.

kubectl apply -f example-infisical-secret-crd.yaml

To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.

# Verify managed secret is created
kubectl get secrets -n <namespace of managed secret>

The Infisical secrets will be synced and stored into the managed secret every 1 minutes.

Using managed secret in your deployment

To make use of the managed secret created by the operator into your deployment can be achieved through several methods. Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets here

The definition file of the Kubernetes secret for the CA certificate can be structured like the following:

apiVersion: v1
kind: Secret
metadata:
  name: custom-ca-certificate
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
    ...
    BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
    -----END CERTIFICATE-----

Auto redeployment

Deployments using managed secrets don’t reload automatically on updates, so they may use outdated secrets unless manually redeployed. To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.

Enabling auto redeploy

To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret

secrets.infisical.com/auto-reload: "true"

How it works

When a secret change occurs, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update. Then, for each deployment that has this annotation present, a rolling update will be triggered.

Propagating labels & annotations

The operator will transfer all labels & annotations present on the InfisicalSecret CRD to the managed Kubernetes secret to be created. Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example: