Kubernetes via Helm Chart

Getting Started

Platform

Authentication Methods

Self-host Infisical

Internals

Contributing

Prerequisites

You have extensive understanding of Kubernetes
Installed Helm package manager version v3.11.3 or greater
You have kubectl installed and connected to your kubernetes cluster

Install Infisical Helm repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 

helm repo update

Add Helm values

Create a values.yaml file. This will be used to configure settings for the Infisical Helm chart. To explore all configurable properties for your values file, visit this page.

Select Infisical version

By default, the Infisical version set in your helm chart will likely be outdated. Choose the latest Infisical docker image tag from here.

values.yaml
infisical:
  image:
    repository: infisical/infisical
    tag: "v0.46.2-postgres" #<-- update
    pullPolicy: IfNotPresent

Do not use the latest docker image tag in production deployments as they can introduce unexpected changes

Configure environment variables

To deploy this Helm chart, a Kubernetes secret named infisical-secrets must be present in the same namespace where the chart is being deployed.

For a minimal installation of Infisical, you need to configure ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI, SITE_URL, and REDIS_URL. Learn more about configuration settings.

For test or proof-of-concept purposes, you may omit DB_CONNECTION_URI and REDIS_URL from infisical-secrets. This is because the Helm chart will automatically provision and connect to the in-cluster instances of Postgres and Redis by default.

simple-values-example.yaml
apiVersion: v1
kind: Secret
metadata:
  name: infisical-secrets
type: Opaque
stringData:
  AUTH_SECRET: <>
  ENCRYPTION_KEY: <>
  SITE_URL: <>

simple-values-example.yaml
apiVersion: v1
kind: Secret
metadata:
  name: infisical-secrets
type: Opaque
stringData:
  AUTH_SECRET: <>
  ENCRYPTION_KEY: <>
  SITE_URL: <>

For production environments, we recommend using Cloud-based Platform as a Service (PaaS) solutions for PostgreSQL and Redis to ensure high availability. In on-premise setups, it’s recommended to configure Redis and Postgres for high availability, either by using Bitnami charts or a custom configuration.

simple-values-example.yaml
apiVersion: v1
kind: Secret
metadata:
  name: infisical-secrets
type: Opaque
stringData:
  AUTH_SECRET: <>
  ENCRYPTION_KEY: <>
  REDIS_URL: <>
  DB_CONNECTION_URI: <>
  SITE_URL: <>

Routing traffic to Infisical

By default, this chart uses Nginx as its Ingress controller to direct traffic to Infisical services.

values.yaml
ingress:
  nginx:
    enabled: true 

Install the Helm chart

Once you are done configuring your values.yaml file, run the command below.

helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml

Full helm values example

values.yaml

nameOverride: "infisical"
fullnameOverride: "infisical"

infisical:
  enabled: true
  name: infisical
  autoDatabaseSchemaMigration: true
  fullnameOverride: ""
  podAnnotations: {}
  deploymentAnnotations: {}
  replicaCount: 6

  image:
    repository: infisical/infisical
    tag: "v0.46.2-postgres"
    pullPolicy: IfNotPresent

  affinity: {}
  kubeSecretRef: "infisical-secrets"
  service:
    annotations: {}
    type: ClusterIP
    nodePort: ""

  resources:
    limits:
      memory: 210Mi
    requests:
      cpu: 200m

ingress:
  enabled: true
  hostName: ""
  ingressClassName: nginx
  nginx:
    enabled: true
  annotations: {}
  tls: []

postgresql:
  enabled: true
  name: "postgresql"
  fullnameOverride: "postgresql"
  auth:
    username: infisical
    password: root
    database: infisicalDB

redis:
  enabled: true
  name: "redis"
  fullnameOverride: "redis"
  cluster:
    enabled: false
  usePassword: true
  auth:
    password: "mysecretpassword"
  architecture: standalone

Access Infisical

After deployment, please wait for 2-5 minutes for all pods to reach a running state. Once a significant number of pods are operational, access the IP address revealed through Ingress by your load balancer. You can find the IP address/hostname by executing the command kubectl get ingress.

Upgrade your instance

To upgrade your instance of Infisical simply update the docker image tag in your Helm values and rerun the command below.

helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml

Always back up your database before each upgrade, especially in a production environment.

Docker Compose Installation