Kubernetes via Helm Chart

Prerequisites

• You have understanding of Kubernetes
• Installed Helm package manager version v3.11.3 or greater
• You have kubectl installed and connected to your kubernetes cluster

By deploying Infisical on Kubernetes, you can take advantage of its features to ensure that the application is fault-tolerant, highly available, and scalable. To make the installation process easier and more streamlined, we have created a Helm chart that you can use to install Infisical on Kubernetes.

Helm is a package manager for Kubernetes that simplifies the installation and management of Kubernetes applications. With our Helm chart, you can easily install Infisical on Kubernetes, configure it to your liking, and scale it up or down as needed.

​

Install Infisical Helm repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
  
helm repo update

​

Add Helm values

Create a values.yaml file to configure various installation settings, such as the docker image tags and environment variables. To explore all configurable properties for your values file, visit this page.

​

Set image tags

By default, the application will use the latest docker image tag. This is okay for test environments; however, for production deployments it is important to pin your deployment to a particular docker image tag to prevent receiving unintended changes.

backend:
  replicaCount: 2
  image:
    tag: "v0.39.5" # <--- update to the newest version found here https://hub.docker.com/r/infisical/infisical/tags
    pullPolicy: Always

​

Configure environment variables

You can configure environment variables for your instance of Infisical though the Helm values file under the property backendEnvironmentVariables. View configurable environment variables.

Infisical requires the following backend environment variables to be defined: ENCRYPTION_KEY, JWT_SIGNUP_SECRET, JWT_REFRESH_SECRET, JWT_AUTH_SECRET, JWT_MFA_SECRET and JWT_SERVICE_SECRET.

However, when the above environment variables are not defined, the Helm chart will automatically generate these environment variables for you. The generated environment variables will be saved to a Kubernetes secret and will be preserved between upgrades or uninstalls.

...
backendEnvironmentVariables:
  HTTPS_ENABLED: true
  INVITE_ONLY_SIGNUP: false
  ...

​

Routing external traffic

By default, Infisical takes all traffic coming to your external load balancer’s IP address and routes them Infisical’s services. Infisical uses Nginx to route external traffic. You can install Nginx along with Infisical by setting ingress.enabled to true in the Helm values file. View all properties for ingress.

...
ingress:
  nginx:
    enabled: true #<-- if you would like to install nginx along with Infisical

​

Database

Infisical uses a MongoDB as its persistence layer. With this Helm chart, a MongoDB instance is automatically spun up for use with Infisical. When persistence is enabled, the data will be stored as Kubernetes Persistence Volume. View all properties for mongodb.

mongodb:
  enabled: true
  persistence:
    enabled: false

To achieve high availability and data redundancy, we recommend that you use a managed document database service such as AWS Document DB, MongoDB or similar services instead of the in cluster database. Managed database connection string can be set in the backendEnvironmentVariables.

​

Example helm values

backend:
  replicaCount: 2
  image:
    tag: "v0.39.5"
    pullPolicy: Always

backendEnvironmentVariables:
  HTTPS_ENABLED: true

ingress:
  nginx:
    enabled: true

ingress:
  nginx:
    enabled: true

backend:
  enabled: true
  name: backend
  podAnnotations: {}
  deploymentAnnotations: {}
  replicaCount: 4
  image:
    tag: "v0.39.5"
    pullPolicy: IfNotPresent
  kubeSecretRef: null
  service:
    annotations: {}
    type: ClusterIP
    nodePort: ""

# View all environment variables https://infisical.com/docs/self-hosting/configuration/envars
backendEnvironmentVariables:
  MONGO_URL: <>
  HTTPS_ENABLED: <>
  

## Mongo DB persistence 
mongodb:
  enabled: true
  persistence:
    enabled: true

​

Install the Helm chart

By default, the helm chart will be installed on your default namespace. If you wish to install the Chart on a different namespace, you may specify that by adding the --namespace <namespace-to-install-to> to your helm install command.

## Installs to default namespace
helm install infisical-helm-charts/infisical --generate-name --values /path/to/values.yaml

​

Access Infisical

Allow 3-5 minutes for the deployment to complete. Once done, you should now be able to access Infisical on the IP address exposed via Ingress on your load balancer. If you are not sure what the IP address is run kubectl get ingress to view the external IP address exposing Infisical.

​

Related blogs

• Set up Infisical in a development cluster
• Set up Infisical in AKS using ArgoCD + Helm and integrate with an application using kustomize