Prerequisites
- A running Kubernetes cluster (version 1.23+)
- Helm package manager (version 3.11.3+)
- kubectl installed and configured to access your cluster
- Basic understanding of Kubernetes concepts (pods, services, secrets, ingress)
System Requirements
The following are minimum requirements for running Infisical on Kubernetes:
Per-pod resource defaults (configurable in values.yaml):
For production deployments with many users or secrets, increase these values accordingly.
Deployment Steps
1
Create a namespace
Create a dedicated namespace for Infisical to isolate resources:All subsequent commands will use this namespace. You can also add
-n infisical to each kubectl command if you prefer not to set a default context.2
Add the Helm repository
Add the Infisical Helm charts repository and update your local cache:
3
Create the secrets
Infisical requires a Kubernetes secret named
infisical-secrets containing essential configuration. Create this secret in the same namespace where you’ll deploy the chart.- Proof of concept
- Production
For testing or proof-of-concept deployments, the Helm chart automatically provisions in-cluster PostgreSQL and Redis instances. You only need to provide the core secrets:
The in-cluster PostgreSQL and Redis are not configured for high availability. Use this only for testing purposes.
4
Create values.yaml
Create a For all available configuration options, see the full values.yaml reference.
values.yaml file to configure your deployment. Start with a minimal configuration:values.yaml
The chart bundles its own ingress-nginx controller (class
infisical-nginx) by default. If you already have an ingress controller, set ingress.nginx.enabled: false and ingress.ingressClassName to your controller’s class.5
Install the Helm chart
Deploy Infisical using Helm:This command installs Infisical if it doesn’t exist, or upgrades it if it does.
6
Verify the deployment
Check that all pods are running:You should see output similar to:Verify the ingress is configured:Test the health endpoint (port-forward if ingress isn’t ready):
kubectl port-forward for local testing.
Default Helm Values
Production Hardening
Additional Configuration
SMTP/Email Configuration
SMTP/Email Configuration
Infisical uses email for user invitations, password resets, and notifications. Add SMTP configuration to your secrets:Common SMTP providers:
After updating secrets, restart the Infisical pods:
Custom Domain with TLS
Custom Domain with TLS
To configure a custom domain with HTTPS:1. Using cert-manager (recommended):First, install cert-manager if not already installed:Create a ClusterIssuer for Let’s Encrypt:Update your 2. Using existing TLS certificate:Create a TLS secret with your certificate:Update your Apply the changes:
cluster-issuer.yaml
values.yaml:values.yaml
values.yaml:values.yaml
Network Policies
Network Policies
For enhanced security, implement network policies to restrict traffic between pods:
network-policy.yaml
Network policies require a CNI plugin that supports them (e.g., Calico, Cilium, Weave Net). Verify your cluster supports network policies before applying.
External Database and Redis
External Database and Redis
For production, use external managed services instead of in-cluster databases.Disable in-cluster databases in values.yaml:Add connection strings to your secrets:Recommended managed services:
values.yaml
Prometheus Monitoring
Prometheus Monitoring
Infisical exposes Prometheus metrics when enabled.1. Add telemetry configuration to your secrets:Include these in your 2. Create a ServiceMonitor (if using Prometheus Operator):See the Monitoring Guide for full setup instructions.
infisical-secrets:servicemonitor.yaml
High Availability Configuration
High Availability Configuration
For production high availability:1. Multiple Infisical replicas:2. Pod Disruption Budget:3. External HA database:Use managed PostgreSQL with multi-AZ deployment (e.g., AWS RDS Multi-AZ, GCP Cloud SQL HA).4. External HA Redis:Use managed Redis with replication (e.g., AWS ElastiCache with cluster mode, GCP Memorystore).
values.yaml
pdb.yaml