Skip to content

Infisical

Infisical k8s Diagram

Sync secrets from Infisical to your Kubernetes cluster using External Secrets Operator.

Authentication

In order for the operator to fetch secrets from Infisical, it needs to first authenticate with Infisical.

To authenticate, you can use Universal Auth from Machine identities.

Follow the guide here to learn how to create and obtain a pair of Client Secret and Client ID.

Storing Your Machine Identity Secrets

Once you have generated a pair of Client ID and Client Secret, you will need to store these credentials in your cluster as a Kubernetes secret.

Note

Remember to replace with your own Machine Identity credentials.

apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials
type: Opaque

stringData:
  clientId: <machine identity client id>
  clientSecret: <machine identity client secret>

Secret Store

You will then need to create a generic SecretStore. An sample SecretStore has been is shown below.

Tip

To get your project slug from Infisical, head over to the project settings and click the button Copy Project Slug.

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: infisical
spec:
  provider:
    infisical:
      # Optional (default: https://app.infisical.com).
      #
      # Override this if you are using a different Infisical instance.
      hostAPI: https://app.infisical.com
      auth:
        universalAuthCredentials:
          clientId:
            key: clientId
            namespace: default
            name: universal-auth-credentials
          clientSecret:
            key: clientSecret
            namespace: default
            name: universal-auth-credentials
      secretsScope:
        projectSlug: first-project-fujo
        # "dev", "staging", "prod", etc.
        environmentSlug: dev
        # Optional (default: `/`).
        #
        # Secrets will only be retrieved from this path for `data` and `dataFrom` rules. When a
        # `data` `remoteRef` uses a path (e.g. `/foo/bar`), that reference will use an absolute
        # reference and disregard this default.
        #
        # If you need to prevent access to secrets outside of this path, rely on instead setting
        # Access Controls in Infisical.
        secretsPath: /
        # Optional (default: false).
        #
        # When recursive is enabled, secrets retrieved using `dataFrom` patterns will fetch all secrets recursive.
        recursive: false
        # optional
        expandSecretReferences: false # Default is true

Note

For ClusterSecretStore, be sure to set namespace in universalAuthCredentials.clientId and universalAuthCredentials.clientSecret.

Fetching secrets

For the following examples, it assumes we have a secret structure in an Infisical project with the following structure:

/API_KEY
/DB_PASSWORD
/JSON_BLOB
/my-app
  /SERVICE_PASSWORD
  /ADMIN_PASSWORD

Where JSON_BLOB is a JSON string like {"key": "value"}.

Fetch Individual Secret(s)

To sync one or more secrets individually, use the following YAML:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical

  target:
    name: auth-api

  data:
    # When referencing a secret within the `secretsPath`, the `key` can just be a secret
    # name.
    - secretKey: API_KEY
      remoteRef:
        key: API_KEY
    # Properties can be extracted from secrets that are JSON strings.
    - secretKey: JSON_KEY
      remoteRef:
        key: JSON_BLOB
        property: key
    # When referencing secrets in paths (other than `secretsPath`), the `key` must be an
    # absolute path to the secret.
    - secretKey: PASSWORD
      remoteRef:
        key: /my-app/SERVICE_PASSWORD

Fetch All Secrets

To sync all secrets from an Infisical , use the following YAML:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical

  target:
    name: auth-api

  # dataFrom will fetch all secrets that are inside the `secretsPath`. When `recursive` is
  # enabled, it will also fetch all secrets recursively in sub-directories.
  dataFrom:
    - find:
        name:
          regexp: .*

Filtering secrets

To filter secrets by path (path prefix) and name (regular expression).

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical

  target:
    name: auth-api

  dataFrom:
    - find:
        path: DB_