Skip to main content
Learn how to deploy Infisical on Kubernetes using the official Helm chart. This method is ideal for production environments that require scalability, high availability, and integration with existing Kubernetes infrastructure.

Prerequisites

  • A running Kubernetes cluster (version 1.23+)
  • Helm package manager (version 3.11.3+)
  • kubectl installed and configured to access your cluster
  • Basic understanding of Kubernetes concepts (pods, services, secrets, ingress)
This guide assumes familiarity with Kubernetes. If you’re new to Kubernetes, consider starting with the Docker Compose guide for simpler deployments.

System Requirements

The following are minimum requirements for running Infisical on Kubernetes: Per-pod resource defaults (configurable in values.yaml): For production deployments with many users or secrets, increase these values accordingly.

Deployment Steps

1

Create a namespace

Create a dedicated namespace for Infisical to isolate resources:
All subsequent commands will use this namespace. You can also add -n infisical to each kubectl command if you prefer not to set a default context.
2

Add the Helm repository

Add the Infisical Helm charts repository and update your local cache:
3

Create the secrets

Infisical requires a Kubernetes secret named infisical-secrets containing essential configuration. Create this secret in the same namespace where you’ll deploy the chart.
For testing or proof-of-concept deployments, the Helm chart automatically provisions in-cluster PostgreSQL and Redis instances. You only need to provide the core secrets:
The in-cluster PostgreSQL and Redis are not configured for high availability. Use this only for testing purposes.
4

Create values.yaml

Create a values.yaml file to configure your deployment. Start with a minimal configuration:
values.yaml
Do not use the latest tag in production. Always pin to a specific version to avoid unexpected changes during upgrades.
The chart bundles its own ingress-nginx controller (class infisical-nginx) by default. If you already have an ingress controller, set ingress.nginx.enabled: false and ingress.ingressClassName to your controller’s class.
For all available configuration options, see the full values.yaml reference.
5

Install the Helm chart

Deploy Infisical using Helm:
This command installs Infisical if it doesn’t exist, or upgrades it if it does.
6

Verify the deployment

Check that all pods are running:
You should see output similar to:
Verify the ingress is configured:
Test the health endpoint (port-forward if ingress isn’t ready):
The first user to sign up becomes the instance administrator. Complete this step before exposing Infisical to others.
Your Infisical instance should now be running on Kubernetes. Access it via the ingress hostname you configured, or use kubectl port-forward for local testing. self-hosted sign up

Default Helm Values

Production Hardening

The PostgreSQL PVC contains all your encrypted secrets. Never delete this PVC unless you intend to lose all data. Always back up before any maintenance operations.

Additional Configuration

Infisical uses email for user invitations, password resets, and notifications. Add SMTP configuration to your secrets:
Common SMTP providers:After updating secrets, restart the Infisical pods:
To configure a custom domain with HTTPS:1. Using cert-manager (recommended):First, install cert-manager if not already installed:
Create a ClusterIssuer for Let’s Encrypt:
cluster-issuer.yaml
Update your values.yaml:
values.yaml
2. Using existing TLS certificate:Create a TLS secret with your certificate:
Update your values.yaml:
values.yaml
Apply the changes:
For enhanced security, implement network policies to restrict traffic between pods:
network-policy.yaml
Network policies require a CNI plugin that supports them (e.g., Calico, Cilium, Weave Net). Verify your cluster supports network policies before applying.
For production, use external managed services instead of in-cluster databases.Disable in-cluster databases in values.yaml:
values.yaml
Add connection strings to your secrets:
Recommended managed services:
Infisical exposes Prometheus metrics when enabled.1. Add telemetry configuration to your secrets:Include these in your infisical-secrets:
2. Create a ServiceMonitor (if using Prometheus Operator):
servicemonitor.yaml
See the Monitoring Guide for full setup instructions.
For production high availability:1. Multiple Infisical replicas:
values.yaml
2. Pod Disruption Budget:
pdb.yaml
3. External HA database:Use managed PostgreSQL with multi-AZ deployment (e.g., AWS RDS Multi-AZ, GCP Cloud SQL HA).4. External HA Redis:Use managed Redis with replication (e.g., AWS ElastiCache with cluster mode, GCP Memorystore).