Using the InfisicalPushSecret CRD
Learn how to use the InfisicalPushSecret CRD to push and manage secrets in Infisical.
Push Secrets to Infisical
Example usage
Below is a sample InfisicalPushSecret CRD that pushes secrets defined in a Kubernetes secret to Infisical.
After filling out the fields in the InfisicalPushSecret CRD, you can apply it directly to your cluster.
Before applying the InfisicalPushSecret CRD, you need to create a Kubernetes secret containing the secrets you want to push to Infisical. An example can be seen below the InfisicalPushSecret CRD.
```yaml
# infisical-push-secret.yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalPushSecret
metadata:
  name: infisical-push-secret-demo
spec:
  resyncInterval: 1m
  hostAPI: https://app.infisical.com/api
  # Optional, defaults to no replacement.
  updatePolicy: Replace # If set to Replace, existing secrets inside Infisical will be replaced by the value of the PushSecret on sync.
  # Optional, defaults to no deletion.
  deletionPolicy: Delete # If set to Delete, the secret(s) inside Infisical managed by the operator will be deleted if the InfisicalPushSecret CRD is deleted.
  destination:
    projectId: <project-id>
    environmentSlug: <env-slug>
    secretsPath: <secret-path>
  push:
    secret:
      secretName: push-secret-demo # Kubernetes Secret holding the values to push
      secretNamespace: default
  # Only have one authentication method defined or you are likely to run into authentication issues.
  # Remove all except one authentication method.
  authentication:
    awsIamAuth:
      identityId: <machine-identity-id>
    azureAuth:
      identityId: <machine-identity-id>
    gcpIamAuth:
      identityId: <machine-identity-id>
      serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
    gcpIdTokenAuth:
      identityId: <machine-identity-id>
    kubernetesAuth:
      identityId: <machine-identity-id>
      serviceAccountRef:
        name: <service-account-name>
        namespace: <service-account-namespace>
    universalAuth:
      credentialsRef:
        secretName: <secret-name> # universal-auth-credentials
        secretNamespace: <secret-namespace> # default
```
```yaml
# source-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: push-secret-demo
  namespace: default
stringData: # can also be "data", but then the values need to be base64 encoded
  API_KEY: some-api-key
  DATABASE_URL: postgres://127.0.0.1:5432
  ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
```
```bash
kubectl apply -f source-secret.yaml
```
After applying the source-secret.yaml file, you are ready to apply the InfisicalPushSecret CRD.
```bash
kubectl apply -f infisical-push-secret.yaml
```
After applying the InfisicalPushSecret CRD, you should notice that the secrets you have defined in your source-secret.yaml file have been pushed to your specified destination in Infisical.
InfisicalPushSecret CRD properties
hostAPI
If you are using a self-hosted instance of Infisical, set the value of hostAPI to https://your-self-hosted-instance.com/api. When hostAPI is not defined, the operator talks to Infisical Cloud.
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend's service directly without having to route through the public internet. To achieve this, use the following address for the hostAPI field:
```
http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
```
Make sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.
resyncInterval
The resyncInterval is a string-formatted duration that defines the time between each resync.
The format of the field is [duration][unit], where duration is a number and unit is a string representing the unit of time.
The following units are supported:
- s for seconds (must be at least 5 seconds)
- m for minutes
- h for hours
- d for days
- w for weeks
The default value is 1m (1 minute).
Valid interval examples:
```yaml
resyncInterval: 5s # 5 seconds
resyncInterval: 10s # 10 seconds
resyncInterval: 5m # 5 minutes
resyncInterval: 1h # 1 hour
resyncInterval: 1d # 1 day
```
updatePolicy
The update policy defines how the operator should handle conflicting secrets when pushing secrets to Infisical. Valid values are None and Replace.
Behavior of each policy:
- None: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.
- Replace: The operator will replace existing secrets in Infisical with the new secrets. If a secret with the same key already exists, the operator will update the secret with the new value.
```yaml
spec:
  updatePolicy: Replace
```
This field is optional and will default to None if not defined.
deletionPolicy
The deletion policy defines what the operator should do in case the InfisicalPushSecret CRD is deleted. Valid values are None and Delete.
Behavior of each policy:
- None: The operator will not delete the secrets in Infisical when the InfisicalPushSecret CRD is deleted.
- Delete: The operator will delete the secrets in Infisical that are managed by the operator when the InfisicalPushSecret CRD is deleted.
```yaml
spec:
  deletionPolicy: Delete
```
destination
The destination field is used to specify where you want to create the secrets in Infisical. The required fields are projectId, environmentSlug, and secretsPath.
```yaml
spec:
  destination:
    projectId: <project-id>
    environmentSlug: <env-slug>
    secretsPath: <secrets-path>
```
- projectId: The project ID where you want to create the secrets in Infisical.
- environmentSlug: The environment slug where you want to create the secrets in Infisical.
- secretsPath: The path where you want to create the secrets in Infisical. The root path is /.
push
The push field is used to define what you want to push to Infisical. Currently the operator only supports pushing Kubernetes secrets to Infisical. An example of the push field is shown below.
push.secret
The secret field is used to define the Kubernetes secret you want to push to Infisical. The required fields are secretName and secretNamespace.
Example usage of the push.secret field:
```yaml
push:
  secret:
    secretName: push-secret-demo
    secretNamespace: default
```
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: push-secret-demo
  namespace: default
# Pass in the secrets you wish to push to Infisical
stringData:
  API_KEY: some-api-key
  DATABASE_URL: postgres://127.0.0.1:5432
  ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
```
authentication
The authentication field dictates which authentication method to use when pushing secrets to Infisical. The available authentication methods are universalAuth, kubernetesAuth, awsIamAuth, azureAuth, gcpIdTokenAuth, and gcpIamAuth.
authentication.universalAuth
The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider. Read more about Universal Auth.
Valid fields:
- identityId: The identity ID of the machine identity you created.
- credentialsRef: The name and namespace of the Kubernetes secret that stores the machine identity's client ID and client secret.
- credentialsRef.secretName: The name of the Kubernetes secret.
- credentialsRef.secretNamespace: The namespace of the Kubernetes secret.
Example:
```yaml
# infisical-push-secret.yaml
spec:
  authentication:
    universalAuth:
      credentialsRef:
        secretName: <secret-name>
        secretNamespace: <secret-namespace>
```
```yaml
# machine-identity-credentials.yaml
apiVersion: v1
kind: Secret
metadata:
  name: universal-auth-credentials
type: Opaque
stringData:
  clientId: <machine-identity-client-id>
  clientSecret: <machine-identity-client-secret>
```
authentication.kubernetesAuth
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used within a Kubernetes environment. Read more about Kubernetes Auth.
Valid fields:
- identityId: The identity ID of the machine identity you created.
- serviceAccountRef: The name and namespace of the service account that will be used to authenticate with Infisical.
- serviceAccountRef.name: The name of the service account.
- serviceAccountRef.namespace: The namespace of the service account.
Example:
```yaml
spec:
  authentication:
    kubernetesAuth:
      identityId: <machine-identity-id>
      serviceAccountRef:
        name: <service-account-name>
        namespace: <service-account-namespace>
```
authentication.awsIamAuth
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Read more about AWS IAM Auth.
Valid fields:
- identityId: The identity ID of the machine identity you created.
Example:
```yaml
spec:
  authentication:
    awsIamAuth:
      identityId: <machine-identity-id>
```
authentication.azureAuth
The Azure machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment. Read more about Azure Auth.
Valid fields:
- identityId: The identity ID of the machine identity you created.
Example:
```yaml
spec:
  authentication:
    azureAuth:
      identityId: <machine-identity-id>
```
authentication.gcpIamAuth
The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can be used both within and outside GCP environments. Read more about GCP IAM Auth.
Valid fields:
- identityId: The identity ID of the machine identity you created.
- serviceAccountKeyFilePath: The path to the GCP service account key file.
Example:
```yaml
spec:
  authentication:
    gcpIamAuth:
      identityId: <machine-identity-id>
      serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
```
authentication.gcpIdTokenAuth
The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalPushSecret resource. This authentication method can only be used within GCP environments. Read more about GCP ID Token Auth.
Valid fields:
- identityId: The identity ID of the machine identity you created.
Example:
```yaml
spec:
  authentication:
    gcpIdTokenAuth:
      identityId: <machine-identity-id>
```
tls
This block defines the TLS settings to use for connecting to the Infisical instance.
Fields:
tls.caRef
This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Valid fields:
- secretName: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
- secretNamespace: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
- key: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Example:
```yaml
tls:
  caRef:
    secretName: custom-ca-certificate
    secretNamespace: default
    key: ca.crt
```
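The constraints listed above (a resyncInterval of at least 5 seconds in the [duration][unit] format, updatePolicy limited to None or Replace, deletionPolicy to None or Delete, the required destination and push.secret fields, and exactly one authentication method) can be checked locally before a manifest reaches the cluster. The following validator is an added example and not part of the Infisical operator; it assumes the manifest has already been parsed into a plain dict (for example with PyYAML, which keeps the policy value None as the string "None"), and the sample manifest it checks is constructed to mirror the one at the top of this page.

```python
import re

# Constraints taken from the InfisicalPushSecret reference above. This is an added
# pre-flight check run locally, not Infisical's own validation; it assumes the
# manifest has already been parsed (for example with PyYAML) into a plain dict.
AUTH_METHODS = {"universalAuth", "kubernetesAuth", "awsIamAuth",
                "azureAuth", "gcpIdTokenAuth", "gcpIamAuth"}
INTERVAL_RE = re.compile(r"^(\d+)([smhdw])$")  # [duration][unit]

def validate_push_secret(manifest):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    spec = manifest.get("spec") or {}
    interval = str(spec.get("resyncInterval", "1m"))  # documented default: 1m
    m = INTERVAL_RE.match(interval)
    if not m:
        problems.append(f"resyncInterval {interval!r} must be [duration][unit], unit s/m/h/d/w")
    elif m.group(2) == "s" and int(m.group(1)) < 5:
        problems.append(f"resyncInterval {interval} is below the 5 second minimum")
    # A missing key (or a YAML null) falls back to the documented default, None.
    for field, allowed in (("updatePolicy", {"None", "Replace"}),
                           ("deletionPolicy", {"None", "Delete"})):
        if str(spec.get(field, "None")) not in allowed:
            problems.append(f"{field} must be one of {sorted(allowed)}")
    dest = spec.get("destination") or {}
    problems += [f"destination.{k} is required" for k in
                 ("projectId", "environmentSlug", "secretsPath") if not dest.get(k)]
    src = (spec.get("push") or {}).get("secret") or {}
    problems += [f"push.secret.{k} is required" for k in
                 ("secretName", "secretNamespace") if not src.get(k)]
    auth = spec.get("authentication") or {}
    used = sorted(AUTH_METHODS & set(auth))
    if len(used) != 1:  # the CRD comment above: keep exactly one method
        problems.append(f"exactly one authentication method is required, found {used}")
    problems += [f"unknown authentication method {k!r}" for k in sorted(set(auth) - AUTH_METHODS)]
    return problems

# Constructed sample: the parsed form of a manifest like the one at the top of this page.
SAMPLE_MANIFEST = {
    "apiVersion": "secrets.infisical.com/v1alpha1", "kind": "InfisicalPushSecret",
    "metadata": {"name": "infisical-push-secret-demo"},
    "spec": {
        "resyncInterval": "1m", "updatePolicy": "Replace", "deletionPolicy": "Delete",
        "destination": {"projectId": "<project-id>", "environmentSlug": "dev", "secretsPath": "/"},
        "push": {"secret": {"secretName": "push-secret-demo", "secretNamespace": "default"}},
        "authentication": {"kubernetesAuth": {"identityId": "<machine-identity-id>",
                           "serviceAccountRef": {"name": "infisical-sa", "namespace": "default"}}},
    },
}
```

Running validate_push_secret(SAMPLE_MANIFEST) returns an empty list; a manifest that leaves two authentication methods in place, or sets resyncInterval to 3s, gets one problem per violated rule.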
Applying the InfisicalPushSecret CRD to your cluster
Once you have configured the InfisicalPushSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that the secrets have been pushed to Infisical.
```bash
kubectl apply -f source-push-secret.yaml # The secret that you're referencing in the InfisicalPushSecret CRD push.secret field
kubectl apply -f example-infisical-push-secret-crd.yaml # The InfisicalPushSecret CRD itself
```