- Sync secrets from Infisical into Kubernetes.
- Push new secrets from Kubernetes to Infisical.
- Manage dynamic secrets and automatically create time-bound leases.
- Supported Kubernetes versions
- Supported Kubernetes distributions
- 1.33
- 1.32
- 1.31
- 1.30
- 1.29
Install
The operator can be installed via Helm. Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications. Install the latest Helm repository- Cluster Wide Installation
- Namespace Scoped Installation
- Simplified Management: A single operator instance manages secrets across all namespaces
- Centralized Operations: One deployment to monitor, update, and maintain
- Cross-Namespace Flexibility: Easily manage secrets for applications spanning multiple namespaces
- Quick Setup: Works out of the box with no additional RBAC configuration required
Using your own service account
By default a service account is created for the operator based on the operator release name. You can bring your own service account by settingcontrollerManager.serviceAccount.create to false and setting controllerManager.serviceAccount.name to the name of the service account you want to use in your values.yaml file.
Example values.yaml file:
controllerManager.serviceAccount.create to false, the service account needs to already exist in the namespace you are installing the operator in.Custom Resource Definitions
- v1beta1 (Recommended)
- v1alpha1
| CRD | Description |
|---|---|
| InfisicalConnection | Defines how to connect to an Infisical instance (host, TLS). Referenced by other CRDs. |
| InfisicalAuth | Defines authentication credentials for a machine identity. Referenced by other CRDs. |
| InfisicalStaticSecret | Sync secrets from Infisical to a Kubernetes secret. Replaces InfisicalSecret. |
Metrics and Prometheus
The operator exposes Prometheus metrics on/metrics for monitoring reconciliation performance, errors, and resource utilization.
Configuration
Enable the ServiceMonitor during installation. This will create a prometheusServiceMonitor resource in the same namespace as the operator.
telemetry.serviceMonitor.enabled
telemetry.serviceMonitor.enabled
false.telemetry.serviceMonitor.selectors
telemetry.serviceMonitor.selectors
{}.telemetry.serviceMonitor.scheme
telemetry.serviceMonitor.scheme
https.telemetry.serviceMonitor.port
telemetry.serviceMonitor.port
https.telemetry.serviceMonitor.path
telemetry.serviceMonitor.path
/metrics.telemetry.serviceMonitor.interval
telemetry.serviceMonitor.interval
30s.telemetry.serviceMonitor.scrapeTimeout
telemetry.serviceMonitor.scrapeTimeout
10s.telemetry.serviceMonitor.bearerTokenFile
telemetry.serviceMonitor.bearerTokenFile
/var/run/secrets/kubernetes.io/serviceaccount/token.Available Metrics
The operator exposes standard controller-runtime metrics. For a complete list of available metrics, see the Kubebuilder metrics reference. Key metrics to monitor:controller_runtime_reconcile_total- Reconciliation countcontroller_runtime_reconcile_errors_total- Error countcontroller_runtime_reconcile_time_seconds- Reconciliation duration
InfisicalStaticSecret, InfisicalAuth, InfisicalConnection
v1alpha1 controllers: InfisicalSecret, InfisicalPushSecret, InfisicalDynamicSecret
Example Prometheus Setup
Access Prometheus
Example Queries
General Configuration
Private/self-signed certificate
To connect to Infisical instances behind a private/self-signed certificate, you can configure TLS settings to point to a CA certificate stored in a Kubernetes secret resource.- v1beta1 (Recommended)
- v1alpha1
InfisicalConnection will automatically use the configured TLS settings.Templating
Fetching secrets from Infisical as-is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Infisical before storing them as Kubernetes Secrets or ConfigMaps. When a template is set, only the keys defined intemplate.data are included in the output.
When no template is set, all fetched secrets are included as-is.
Each secret is available in the template context as .SECRET_KEY, which is an object with two accessors:
.Value: the secret value..SecretPath: the path of the secret in Infisical.
Key/value template map
Bulk string template with a loop
Available helper functions
The Infisical Secrets Operator exposes a wide range of helper functions to make it easier to work with secrets in Kubernetes.encodeBase64
encodeBase64
hello world becomes aGVsbG8gd29ybGQ=).SignaturedecodeBase64ToBytes
decodeBase64ToBytes
aGVsbG8gd29ybGQ= becomes hello world).Signaturepkcs12key
pkcs12key
-----BEGIN PRIVATE KEY-----...).
The archive must not be password-protected — use pkcs12keyPass for password-protected archives.Signaturepkcs12keyPass
pkcs12keyPass
pkcs12key, but uses the provided password to decrypt the PKCS#12 archive.Signaturepkcs12cert
pkcs12cert
-----BEGIN CERTIFICATE-----...).
Sort order: leaf → intermediate(s) → root. If disjunct or multiple leaf certs are provided, they are returned as-is.
The archive must not be password-protected — use pkcs12certPass for password-protected archives.Signaturepkcs12certPass
pkcs12certPass
pkcs12cert, but uses the provided password to decrypt the PKCS#12 archive.SignaturepemToPkcs12
pemToPkcs12
pemToPkcs12Pass to set a password.SignaturepemToPkcs12Pass
pemToPkcs12Pass
pemToPkcs12, but encrypts the PKCS#12 archive with the provided password.SignaturefullPemToPkcs12
fullPemToPkcs12
fullPemToPkcs12Pass to set a password.SignaturefullPemToPkcs12Pass
fullPemToPkcs12Pass
fullPemToPkcs12, but encrypts the PKCS#12 archive with the provided password.SignaturefilterPEM
filterPEM
CERTIFICATE or PRIVATE KEY blocks).
Common PEM types: CERTIFICATE, PRIVATE KEY, PUBLIC KEY, RSA PRIVATE KEY.SignaturefilterCertChain
filterCertChain
leaf (end-entity certificate), intermediate (all intermediate CA certificates), root (root CA certificate).
Returns an empty string if the requested type is not present in the chain.SignaturejwkPublicKeyPem
jwkPublicKeyPem
PUBLIC KEY containing the public key.
Uses x509.MarshalPKIXPublicKey internally.SignaturejwkPrivateKeyPem
jwkPrivateKeyPem
PRIVATE KEY containing the private key.
Uses x509.MarshalPKCS8PrivateKey internally.SignaturetoYaml
toYaml
fromYaml
fromYaml
map[string]any, useful for extracting individual fields from a YAML-formatted secret (e.g. (fromYaml .DB_CONFIG.Value).host returns the host field).SignaturesecretFrom
secretFrom
v1beta1 resources (e.g. InfisicalStaticSecret)..Value or .SecretPath accessors on the result — if omitted, .Value is used.This is especially useful when multiple secrets share the same key, either from recursive fetches across different paths or from multiple sources. In both cases, the merge strategy only keeps the first occurrence (read more here), so secretFrom lets you explicitly select the one you need by its full path.sources array will be used.Sprig functions
The Infisical Secrets Operator integrates with the Sprig library to provide additional helper functions.expandEnv and env from the supported functions for security reasons.Migrating from v1alpha1 to v1beta1
InfisicalSecret only. InfisicalPushSecret and InfisicalDynamicSecret do not have v1beta1 replacements yet and should continue to be used as-is.InfisicalConnection and InfisicalAuth resources that can be shared across multiple secret resources.
Key changes
-
Secret resource:
InfisicalSecret->InfisicalStaticSecretInfisicalStaticSecretreplaces the v1alpha1InfisicalSecretCRD. Instead of defining auth and connection settings inline, it references dedicatedInfisicalAuthandInfisicalConnectionresources. -
Authentication: inline
authentication->InfisicalAuthAuthentication config is now defined in a standaloneInfisicalAuthresource that can be reused across CRDs. Authenticated credentials are cached and shared by all resources referencing the sameInfisicalAuth. -
Connection: inline
hostAPI/tls->InfisicalConnectionConnection config is now defined in a standaloneInfisicalConnectionresource that can be reused by auth and secret resources.
Migration steps
Create an InfisicalConnection resource
hostAPI and tls settings from your existing CRD into a new InfisicalConnection resource.
See the InfisicalConnection CRD documentation for the full spec.Create an InfisicalAuth resource
authentication block from your existing CRD into a new InfisicalAuth resource.
See the InfisicalAuth CRD documentation for the full spec.Replace InfisicalSecret with InfisicalStaticSecret
InfisicalStaticSecret resource that references your InfisicalConnection and InfisicalAuth resources.
See the InfisicalStaticSecret CRD documentation for the full spec.If you were using templates, note that engineVersion is now a required field and the only accepted value is v1. The includeAllSecrets option no longer exists. Instead, you can iterate over all secrets using a bulk string template with a range loop. See the Templating section for details and examples.