Kubernetes via Helm Chart

Prerequisites

You have extensive understanding of Kubernetes
Installed Helm package manager version v3.11.3 or greater
You have kubectl installed and connected to your kubernetes cluster

Install Infisical Helm repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 

helm repo update

Add Helm values

Create a values.yaml file. This will be used to configure settings for the Infisical Helm chart. To explore all configurable properties for your values file, visit this page.

Select Infisical version

By default, the Infisical version set in your helm chart will likely be outdated. Choose the latest Infisical docker image tag from here.

values.yaml

infisical:
  image:
    repository: infisical/infisical
    tag: "<>" #<-- select tag from Dockerhub from the above link
    pullPolicy: IfNotPresent

Do not use the latest docker image tag in production deployments as they can introduce unexpected changes

Configure environment variables

To deploy this Helm chart, a Kubernetes secret named infisical-secrets must be present in the same namespace where the chart is being deployed.For a minimal installation of Infisical, you need to configure ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI, SITE_URL, and REDIS_URL. Learn more about configuration settings.

Proof of concept deployment
Production deployment

For test or proof-of-concept purposes, you may omit DB_CONNECTION_URI and REDIS_URL from infisical-secrets. This is because the Helm chart will automatically provision and connect to the in-cluster instances of Postgres and Redis by default.

simple-values-example.yaml

apiVersion: v1
kind: Secret
metadata:
  name: infisical-secrets
type: Opaque
stringData:
  AUTH_SECRET: <>
  ENCRYPTION_KEY: <>
  SITE_URL: <>

For production environments, we recommend using Cloud-based Platform as a Service (PaaS) solutions for PostgreSQL and Redis to ensure high availability. In on-premise setups, it’s recommended to configure Redis and Postgres for high availability, either by using Bitnami charts or a custom configuration.

simple-values-example.yaml

apiVersion: v1
kind: Secret
metadata:
  name: infisical-secrets
type: Opaque
stringData:
  AUTH_SECRET: <>
  ENCRYPTION_KEY: <>
  REDIS_URL: <>
  DB_CONNECTION_URI: <>
  SITE_URL: <>

If you need to configure the SSL certificate for your production Postgres instance, you can use the DB_ROOT_CERT environment variable. Learn more about configuring the SSL certificate.

Routing traffic to Infisical

By default, this chart uses Nginx as its Ingress controller to direct traffic to Infisical services.

values.yaml

ingress:
  nginx:
    enabled: true 

Install the Helm chart

Once you are done configuring your values.yaml file, run the command below.

helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml

Full helm values example

values.yaml

# -- Overrides the default release name
nameOverride: ""

# -- Overrides the full name of the release, affecting resource names
fullnameOverride: ""

infisical:
  # -- Enable Infisical chart deployment
  enabled: true
  # -- Sets the name of the deployment within this chart
  name: infisical

  autoBootstrap:
    # -- Enable auto-bootstrap of the Infisical instance
    enabled: false

    image:
      # -- Infisical Infisical CLI image tag version
      tag: "0.41.86"

    # -- Template for the data/stringData section of the Kubernetes secret. Available functions: encodeBase64
    secretTemplate: '{"data":{"token":"{{.Identity.Credentials.Token}}"}}'

    secretDestination:
      # -- Name of the bootstrap secret to create in the Kubernetes cluster which will store the formatted root identity credentials
      name: "infisical-bootstrap-secret"

      # -- Namespace to create the bootstrap secret in. If not provided, the secret will be created in the same namespace as the release.
      namespace: "default"

    # -- Infisical organization to create in the Infisical instance during auto-bootstrap
    organization: "default-org"

    credentialSecret:
      # -- Name of the Kubernetes secret containing the credentials for the auto-bootstrap workflow
      name: "infisical-bootstrap-credentials"

  databaseSchemaMigrationJob:
    image:
      # -- Image repository for migration wait job
      repository: ghcr.io/groundnuty/k8s-wait-for
      # -- Image tag version
      tag: no-root-v2.0
      # -- Pulls image only if not present on the node
      pullPolicy: IfNotPresent

  serviceAccount:
    # -- Creates a new service account if true, with necessary permissions for this chart. If false and `serviceAccount.name` is not defined, the chart will attempt to use the Default service account
    create: true
    # -- Custom annotations for the auto-created service account
    annotations: {}
    # -- Optional custom service account name, if existing service account is used
    name: null

  # -- Override for the full name of Infisical resources in this deployment
  fullnameOverride: ""
  # -- Custom annotations for Infisical pods
  podAnnotations: {}
  # -- Custom annotations for Infisical deployment
  deploymentAnnotations: {}
  # -- Number of pod replicas for high availability
  replicaCount: 2

  image:
    # -- Image repository for the Infisical service
    repository: infisical/infisical
    # -- Specific version tag of the Infisical image. View the latest version here https://hub.docker.com/r/infisical/infisical
    tag: "v0.151.0"
    # -- Pulls image only if not already present on the node
    pullPolicy: IfNotPresent
    # -- Secret references for pulling the image, if needed
    imagePullSecrets: []

  # -- Node affinity settings for pod placement
  affinity: {}
  # -- Tolerations definitions
  tolerations: []
  # -- Node selector for pod placement
  nodeSelector: {}
  # -- Topology spread constraints for multi-zone deployments
  # -- Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  topologySpreadConstraints: []

  # -- Kubernetes Secret reference containing Infisical root credentials
  kubeSecretRef: "infisical-secrets"

  service:
    # -- Custom annotations for Infisical service
    annotations: {}
    # -- Service type, can be changed based on exposure needs (e.g., LoadBalancer)
    type: ClusterIP
    # -- Optional node port for service when using NodePort type
    nodePort: ""

  resources:
    limits:
      # -- Memory limit for Infisical container
      memory: 1000Mi
    requests:
      # -- CPU request for Infisical container
      cpu: 350m

ingress:
  # -- Enable or disable ingress configuration
  enabled: true
  # -- Hostname for ingress access, e.g., app.example.com
  hostName: ""
  # -- Specifies the ingress class, useful for multi-ingress setups
  ingressClassName: nginx

  nginx:
    # -- Enable NGINX-specific settings, if using NGINX ingress controller
    enabled: true

  # -- Custom annotations for ingress resource
  annotations: {}
  # -- TLS settings for HTTPS access
  tls: []
    # -- TLS secret name for HTTPS
    # - secretName: letsencrypt-prod
    # -- Domain name to associate with the TLS certificate
    #   hosts:
    #     - some.domain.com

postgresql:
  # -- Enables an in-cluster PostgreSQL deployment. To achieve HA for Postgres, we recommend deploying https://github.com/zalando/postgres-operator instead.
  enabled: true
  # -- PostgreSQL resource name
  name: "postgresql"
  # -- Full name override for PostgreSQL resources
  fullnameOverride: "postgresql"

  image:
    # -- Image registry for PostgreSQL
    registry: mirror.gcr.io
    # -- Image repository for PostgreSQL
    repository: bitnamilegacy/postgresql

  auth:
    # -- Database username for PostgreSQL
    username: infisical
    # -- Password for PostgreSQL database access
    password: root
    # -- Database name for Infisical
    database: infisicalDB

  useExistingPostgresSecret:
    # -- Set to true if using an existing Kubernetes secret that contains PostgreSQL connection string
    enabled: false
    existingConnectionStringSecret:
      # -- Kubernetes secret name containing the PostgreSQL connection string
      name: ""
      # -- Key name in the Kubernetes secret that holds the connection string
      key: ""

redis:
  # -- Enables an in-cluster Redis deployment
  enabled: true
  # -- Redis resource name
  name: "redis"
  # -- Full name override for Redis resources
  fullnameOverride: "redis"

  image:
    # -- Image registry for Redis
    registry: mirror.gcr.io
    # -- Image repository for Redis
    repository: bitnamilegacy/redis

  cluster:
    # -- Clustered Redis deployment
    enabled: false

  # -- Requires a password for Redis authentication
  usePassword: true

  auth:
    # -- Redis password
    password: "mysecretpassword"

  # -- Redis deployment type (e.g., standalone or cluster)
  architecture: standalone

Access Infisical

After deployment, please wait for 2-5 minutes for all pods to reach a running state. Once a significant number of pods are operational, access the IP address revealed through Ingress by your load balancer. You can find the IP address/hostname by executing the command kubectl get ingress. infisical-selfhost

Upgrade your instance

To upgrade your instance of Infisical simply update the docker image tag in your Helm values and rerun the command below.

helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml

Always back up your database before each upgrade, especially in a production environment.

Getting Started

Platform Reference

Connectivity

Authentication Methods

Self-host Infisical

Internals

Contributing

Kubernetes via Helm Chart