Kubernetes Operator

The Infisical Operator is a collection of Kubernetes controllers that streamline how secrets are managed between Infisical and your Kubernetes cluster. It provides multiple Custom Resource Definitions (CRDs) which enable you to:

Sync secrets from Infisical into Kubernetes (InfisicalSecret).
Push new secrets from Kubernetes to Infisical (InfisicalPushSecret).
Manage dynamic secrets and automatically create time-bound leases (InfisicalDynamicSecret).

When these CRDs are configured, the Infisical Operator will continuously monitors for changes and performs necessary updates to keep your Kubernetes secrets up to date. It can also automatically reload dependent Deployments resources whenever relevant secrets are updated.

If you are already using the External Secrets operator, you can view the integration documentation for it here.

Install

The operator can be install via Helm. Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications.

Install the latest Helm repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'

helm repo update

The operator can be installed either cluster-wide or restricted to a specific namespace. If you require stronger isolation and stricter access controls, a namespace-scoped installation may make more sense.

helm install --generate-name infisical-helm-charts/secrets-operator

helm install --generate-name infisical-helm-charts/secrets-operator

The operator can be configured to watch and manage secrets in a specific namespace instead of having cluster-wide access. This is useful for:

Enhanced Security: Limit the operator’s permissions to only specific namespaces instead of cluster-wide access
Multi-tenant Clusters: Run separate operator instances for different teams or applications
Resource Isolation: Ensure operators in different namespaces don’t interfere with each other
Development & Testing: Run development and production operators side by side in isolated namespaces

Note: For multiple namespace-scoped installations, only the first installation should install CRDs. Subsequent installations should set installCRDs: false to avoid conflicts.

# First namespace installation (with CRDs)
helm install operator-namespace1 infisical-helm-charts/secrets-operator \
  --namespace first-namespace \
  --set scopedNamespace=first-namespace \
  --set scopedRBAC=true

# Subsequent namespace installations
helm install operator-namespace2 infisical-helm-charts/secrets-operator \
  --namespace another-namespace \
  --set scopedNamespace=another-namespace \
  --set scopedRBAC=true \
  --set installCRDs=false

When scoped to a namespace, the operator will:

Only watch InfisicalSecrets in the specified namespace
Only create/update Kubernetes secrets in that namespace
Only access deployments in that namespace

The default configuration gives cluster-wide access:

installCRDs: true # Install CRDs (set to false for additional namespace installations)
scopedNamespace: "" # Empty for cluster-wide access
scopedRBAC: false # Cluster-wide permissions

If you want to install operators in multiple namespaces simultaneously:

Make sure to set installCRDs: false for all but one of the installations to avoid conflicts, as CRDs are cluster-wide resources.
Use unique release names for each installation (e.g., operator-namespace1, operator-namespace2).

Custom Resource Definitions

Currently the operator supports the following CRD’s. We are constantly expanding the functionality of the operator, and this list will be updated as new CRD’s are added.

InfisicalSecret: Sync secrets from Infisical to a Kubernetes secret.
InfisicalPushSecret: Push secrets from a Kubernetes secret to Infisical.
InfisicalDynamicSecret: Sync dynamic secrets and create leases automatically in Kubernetes.

General Configuration

Private/self-signed certificate

To connect to Infisical instances behind a private/self-signed certificate, you can configure the TLS settings in the CRD to point to a CA certificate stored in a Kubernetes secret resource.

---
spec:
  hostAPI: https://app.infisical.com/api
  tls:
    caRef:
      secretName: custom-ca-certificate
      secretNamespace: default
      key: ca.crt
---

Global configuration

To configure global settings that will apply to all instances of InfisicalSecret, you can define these configurations in a Kubernetes ConfigMap. For example, you can configure all InfisicalSecret instances to fetch secrets from a single backend API without specifying the hostAPI parameter for each instance.

Available global properties

Property	Description	Default value
hostAPI	If `hostAPI` in `InfisicalSecret` instance is left empty, this value will be used	https://app.infisical.com/api

Applying global configurations

All global configurations must reside in a Kubernetes ConfigMap named infisical-config in the namespace infisical-operator-system. To apply global configuration to the operator, copy the following yaml into infisical-config.yaml file.

infisical-config.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: infisical-operator-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: infisical-config
  namespace: infisical-operator-system
data:
  hostAPI: https://example.com/api # <-- global hostAPI

Then apply this change via kubectl by running the following

kubectl apply -f infisical-config.yaml

Troubleshoot operator

If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret. It will continue attempting to reconnect to the API indefinitely. The InfisicalSecret resource uses the status.conditions field to report its current state and any errors encountered.

$ kubectl get infisicalSecrets
NAME                     AGE
infisicalsecret-sample   12s

$ kubectl describe infisicalSecret infisicalsecret-sample
...
Spec:
...
Status:
  Conditions:
    Last Transition Time:  2022-12-18T04:29:09Z
    Message:               Infisical controller has located the Infisical token in provided Kubernetes secret
    Reason:                OK
    Status:                True
    Type:                  secrets.infisical.com/LoadedInfisicalToken
    Last Transition Time:  2022-12-18T04:29:10Z
    Message:               Failed to update secret because: 400 Bad Request
    Reason:                Error
    Status:                False
    Type:                  secrets.infisical.com/ReadyToSyncSecrets
Events:                    <none>

Uninstall Operator

The managed secret created by the operator will not be deleted when the operator is uninstalled.

Install Infisical Helm repository

helm uninstall <release name>

Infrastructure Integrations

App Connections

Secret Syncs

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

Kubernetes Operator

Install

Custom Resource Definitions

General Configuration

Private/self-signed certificate

Global configuration

Available global properties

Applying global configurations

Troubleshoot operator

Uninstall Operator

Infrastructure Integrations

App Connections

Secret Syncs

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

​Install

​Custom Resource Definitions

​General Configuration

​Private/self-signed certificate

​Global configuration

​Available global properties

​Applying global configurations

​Troubleshoot operator

​Uninstall Operator

Install

Custom Resource Definitions

General Configuration

Private/self-signed certificate

Global configuration

Available global properties

Applying global configurations

Troubleshoot operator

Uninstall Operator