Infisical
Sync secrets from Infisical to your Kubernetes cluster using External Secrets Operator.
Authentication
In order for the operator to fetch secrets from Infisical, it first needs to authenticate with Infisical.
To authenticate, use Universal Auth with an Infisical Machine Identity.
Follow the Infisical guide on Machine Identities to learn how to create one and obtain its Client ID and Client Secret pair.
Storing Your Machine Identity Secrets
Once you have generated a Client ID and Client Secret pair, store these credentials in your cluster as a Kubernetes Secret.
Note
Replace the placeholder values with your own Machine Identity credentials. The values in stringData are plaintext in this manifest, so do not commit it to version control; create the Secret directly in the cluster and restrict who can read it with RBAC.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials
type: Opaque
stringData:
  clientId: <machine identity client id>
  clientSecret: <machine identity client secret>
```
Secret Store
You will then need to create a generic SecretStore. A sample SecretStore is shown below.
Tip
To get your project slug from Infisical, head over to the project settings and click the button Copy Project Slug.
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: infisical
spec:
  provider:
    infisical:
      # Optional (default: https://app.infisical.com).
      #
      # Override this if you are using a different (self-hosted) Infisical instance.
      hostAPI: https://app.infisical.com
      auth:
        universalAuthCredentials:
          clientId:
            key: clientId
            namespace: default
            name: universal-auth-credentials
          clientSecret:
            key: clientSecret
            namespace: default
            name: universal-auth-credentials
      secretsScope:
        projectSlug: first-project-fujo
        # "dev", "staging", "prod", etc.
        environmentSlug: dev
        # Optional (default: `/`).
        #
        # Secrets will only be retrieved from this path for `data` and `dataFrom` rules. When a
        # `data` `remoteRef` uses a path (e.g. `/foo/bar`), that reference is treated as an
        # absolute reference and this default is disregarded.
        #
        # If you need to prevent access to secrets outside of this path, rely on Access
        # Controls in Infisical instead; the setting here is a default, not a boundary.
        secretsPath: /
        # Optional (default: false).
        #
        # When recursive is enabled, secrets retrieved using `dataFrom` patterns are also
        # fetched recursively from sub-folders.
        recursive: false
        # Optional (default: true).
        #
        # Whether Infisical secret references (${...}) are expanded before the value is returned.
        expandSecretReferences: false
```
Note
For a ClusterSecretStore, be sure to set namespace in both universalAuthCredentials.clientId and universalAuthCredentials.clientSecret, since a cluster-scoped store has no namespace of its own to resolve the credentials Secret in. For a namespaced SecretStore, the credentials Secret must live in the store's own namespace; either omit namespace or set it to that namespace.
Fetching secrets
The following examples assume an Infisical project with this secret structure:
/API_KEY
/DB_PASSWORD
/JSON_BLOB
/my-app
/SERVICE_PASSWORD
/ADMIN_PASSWORD
where JSON_BLOB is a JSON string like {"key": "value"}.
Fetch Individual Secret(s)
To sync one or more secrets individually, use the following YAML:
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical
  target:
    name: auth-api
  data:
    # When referencing a secret within the `secretsPath`, the `key` can just be a secret
    # name.
    - secretKey: API_KEY
      remoteRef:
        key: API_KEY
    # Properties can be extracted from secrets that are JSON strings.
    - secretKey: JSON_KEY
      remoteRef:
        key: JSON_BLOB
        property: key
    # When referencing secrets in paths (other than `secretsPath`), the `key` must be an
    # absolute path to the secret.
    - secretKey: PASSWORD
      remoteRef:
        key: /my-app/SERVICE_PASSWORD
```
Fetch All Secrets
To sync all secrets from an Infisical project (within the store's `secretsPath`), use the following YAML:
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical
  target:
    name: auth-api
  # dataFrom will fetch all secrets that are inside the `secretsPath`. When `recursive` is
  # enabled, it will also fetch all secrets recursively in sub-directories.
  dataFrom:
    - find:
        name:
          regexp: .*
```
Filtering secrets
To filter secrets by path (a prefix match on the secret key) and name (a regular expression), use the following YAML:
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical
  target:
    name: auth-api
  dataFrom:
    - find:
        path: DB_
```
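To make the `secretsPath`, absolute-key, `property`, `recursive` and `find` rules from the SecretStore comments and the three ExternalSecret examples concrete, here is an added model of that resolution logic. It is not code from External Secrets Operator or Infisical and does not call the Infisical API; the `PROJECT` dict is a constructed in-memory copy of the example tree above, and how the operator keys secrets gathered from sub-folders is an assumption of this model, as noted in the comments.

```python
"""Added example, not ESO's or Infisical's code: a model of how the `data` and
`dataFrom` rules above turn into Infisical lookups, run against a constructed
in-memory copy of the example project tree. PROJECT stands in for the API."""
import json
import posixpath
import re
from typing import Dict, Optional, Tuple

# Constructed copy of the project tree: folder path -> {secret name: value}.
PROJECT = {
    "/": {"API_KEY": "ak-123", "DB_PASSWORD": "pw-db", "JSON_BLOB": '{"key": "value"}'},
    "/my-app": {"SERVICE_PASSWORD": "pw-svc", "ADMIN_PASSWORD": "pw-admin"},
}


def resolve_remote_ref(key: str, secrets_path: str = "/") -> Tuple[str, str]:
    """A key starting with '/' is absolute and ignores secretsPath; a bare
    name is looked up inside secretsPath. Returns (folder, secret name)."""
    if key.startswith("/"):
        return posixpath.dirname(key), posixpath.basename(key)
    return secrets_path, key


def get_secret(key: str, prop: Optional[str] = None, secrets_path: str = "/",
               project: dict = PROJECT) -> str:
    """Model of one `data` entry: remoteRef.key plus optional remoteRef.property."""
    folder, name = resolve_remote_ref(key, secrets_path)
    if name not in project.get(folder, {}):
        raise KeyError(f"{name!r} not found in folder {folder!r}")
    value = project[folder][name]
    if prop is None:
        return value
    # `property` extracts a field from a secret whose value is a JSON string.
    # Only top-level keys are modelled here (assumption of this example).
    return str(json.loads(value)[prop])


def find_secrets(name_regexp: Optional[str] = None, path_prefix: Optional[str] = None,
                 secrets_path: str = "/", recursive: bool = False,
                 project: dict = PROJECT) -> Dict[str, str]:
    """Model of a `dataFrom.find` entry: collect everything in secretsPath (and its
    sub-folders when recursive is set), then filter by key prefix and name regexp."""
    base = secrets_path.rstrip("/") + "/"
    folders = [f for f in project
               if f == secrets_path or (recursive and f.startswith(base))]
    found: Dict[str, str] = {}
    for folder in folders:
        # Results are keyed by secret name in this model; how ESO keys nested
        # secrets is not stated on this page (assumption).
        found.update(project[folder])
    pattern = re.compile(name_regexp) if name_regexp else None
    return {k: v for k, v in found.items()
            if (path_prefix is None or k.startswith(path_prefix))
            and (pattern is None or pattern.search(k))}


if __name__ == "__main__":
    # The three `data` entries from "Fetch Individual Secret(s)".
    print(get_secret("API_KEY"), get_secret("JSON_BLOB", prop="key"),
          get_secret("/my-app/SERVICE_PASSWORD"))
    # An absolute key escapes secretsPath, which is why the SecretStore comment
    # says to enforce path boundaries with Infisical access controls, not here.
    print(get_secret("/my-app/ADMIN_PASSWORD", secrets_path="/"))
    print(sorted(find_secrets(".*")), sorted(find_secrets(".*", recursive=True)))
    print(find_secrets(path_prefix="DB_"))
```

The point to take away is the second print: a `data` rule with an absolute key reads `/my-app/ADMIN_PASSWORD` even though `secretsPath` is `/`, so `secretsPath` narrows what `dataFrom` collects by default but does not restrict what a `data` rule may name. Limit what the Machine Identity can read in Infisical if that matters.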