docs/integrations/platforms/kubernetes/overview.mdx
The Infisical Operator is a collection of Kubernetes controllers that streamline how secrets are managed between Infisical and your Kubernetes cluster. It provides multiple Custom Resource Definitions (CRDs) which enable you to:
InfisicalSecret).InfisicalPushSecret).InfisicalDynamicSecret).When these CRDs are configured, the Infisical Operator will continuously monitors for changes and performs necessary updates to keep your Kubernetes secrets up to date. It can also automatically reload dependent Deployments resources whenever relevant secrets are updated.
<Note> If you are already using the External Secrets operator, you can view the integration documentation for it [here](https://external-secrets.io/latest/provider/infisical/). </Note> <Tabs> <Tab title="Supported Kubernetes versions"> The following [Kubernetes minor releases](https://kubernetes.io/releases/) are currently supported. The latest operator version is tested against each Kubernetes version. It may work with other versions of Kubernetes, but those are not officially supported.- 1.33
- 1.32
- 1.31
- 1.30
- 1.29
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)
- Oracle Container Engine for Kubernetes (OKE)
- Red Hat OpenShift
It may work in other Kubernetes distributions, but those are not officially supported. Please report any issues [here](https://github.com/Infisical/infisical/issues).
The operator can be installed via Helm. Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications.
Install the latest Helm repository
helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
helm repo update
The operator can be installed either cluster-wide or restricted to a specific namespace. If you require stronger isolation and stricter access controls, a namespace-scoped installation may make more sense.
<Tabs> <Tab title="Cluster Wide Installation"> When installing the operator cluster-wide, the operator will watch and manage CRDs across all namespaces in the cluster. This is the default installation method and the quickest way to get started with using the operator. Cluster-wide installations are useful for: - **Simplified Management**: A single operator instance manages secrets across all namespaces - **Centralized Operations**: One deployment to monitor, update, and maintain - **Cross-Namespace Flexibility**: Easily manage secrets for applications spanning multiple namespaces - **Quick Setup**: Works out of the box with no additional RBAC configuration required```bash
helm install --generate-name infisical-helm-charts/secrets-operator
```
- **Enhanced Security**: Limit the operator's permissions to only specific namespaces instead of cluster-wide access
- **Multi-tenant Clusters**: Run separate operator instances for different teams or applications
- **Resource Isolation**: Ensure operators in different namespaces don't interfere with each other
- **Development & Testing**: Run development and production operators side by side in isolated namespaces
<Note>
For multiple namespace-scoped installations, only the first installation should install CRDs. Subsequent installations should set `installCRDs: false` to avoid conflicts as CRDs are cluster-wide resources.
</Note>
### Single Namespace
```bash
# First namespace installation (with CRDs)
helm install operator-namespaced infisical-helm-charts/secrets-operator \
--namespace single-namespace \
--set scopedNamespaces=single-namespace \
--set scopedRBAC=true
```
<Accordion title="Using values.yaml file">
```yaml values-operator1.yaml
scopedNamespaces: single-namespace
scopedRBAC: true
installCRDs: true
```
</Accordion>
### Multiple Namespaces
```bash
helm install operator-1 infisical-helm-charts/secrets-operator \
--namespace ns1 \
--set scopedNamespaces=ns1 \
--set scopedRBAC=true \
--set installCRDs=true # Only install CRDs once in the cluster (default is true)
helm install operator-namespace2 infisical-helm-charts/secrets-operator \
--namespace ns2 \
--set scopedNamespaces=ns2 \
--set scopedRBAC=true \
--set installCRDs=false # Do not install CRDs in subsequent namespace installations
```
<Accordion title="Using values.yaml file">
```yaml values-operator1.yaml
scopedNamespaces: ns1
scopedRBAC: true
installCRDs: false
```
```yaml values-operator2.yaml
scopedNamespaces: ns2
scopedRBAC: true
installCRDs: false
```
</Accordion>
### Multiple namespaces with one operator installation
```bash
helm install operator infisical-helm-charts/secrets-operator \
--namespace operator-namespace \
--set "scopedNamespaces={ns1,ns2,ns3}" \
--set scopedRBAC=true
```
<Accordion title="Using values.yaml file">
```yaml values.yaml
scopedNamespaces:
- ns1
- ns2
- ns3
scopedRBAC: true
```
</Accordion>
By default a service account is created for the operator based on the operator release name.
You can bring your own service account by setting controllerManager.serviceAccount.create to false and setting controllerManager.serviceAccount.name to the name of the service account you want to use in your values.yaml file.
Example values.yaml file:
controllerManager:
serviceAccount:
create: false
name: my-service-account
# other values...
Currently the operator supports the following CRD's. We are constantly expanding the functionality of the operator, and this list will be updated as new CRD's are added.
The operator exposes Prometheus metrics on /metrics for monitoring reconciliation performance, errors, and resource utilization.
Enable the ServiceMonitor during installation. This will create a prometheus ServiceMonitor resource in the same namespace as the operator.
telemetry:
serviceMonitor:
enabled: true
# ... other telemetry configuration (optional) ...
telemetry:
serviceMonitor:
enabled: true
selectors: {}
scheme: https
port: https
path: /metrics
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
scrapeTimeout: 10s
The operator exposes standard controller-runtime metrics. For a complete list of available metrics, see the Kubebuilder metrics reference.
Key metrics to monitor:
controller_runtime_reconcile_total - Reconciliation countcontroller_runtime_reconcile_errors_total - Error countcontroller_runtime_reconcile_time_seconds - Reconciliation durationControllers: InfisicalSecret, InfisicalPushSecret, InfisicalDynamicSecret
helm install prometheus prometheus-community/kube-prometheus-stack \
--namespace monitoring \
--create-namespace
```
helm install infisical-secrets-operator infisical-helm-charts/secrets-operator \
--set telemetry.serviceMonitor.enabled=true
```
Check that the ServiceMonitor appears in your operator's namespace.
Open [http://localhost:9090/targets](http://localhost:9090/targets) and verify the operator target shows **UP**.
# Total reconciliations
controller_runtime_reconcile_total
# P99 latency
histogram_quantile(0.99, rate(controller_runtime_reconcile_time_seconds_bucket[5m]))
# Memory usage (MB)
process_resident_memory_bytes / 1024 / 1024
To connect to Infisical instances behind a private/self-signed certificate, you can configure the TLS settings in the CRD to point to a CA certificate stored in a Kubernetes secret resource.
---
spec:
hostAPI: https://app.infisical.com/api
tls:
caRef:
secretName: custom-ca-certificate
secretNamespace: default
key: ca.crt
---
With the Infisical Secrets Operator, you can use templating to dynamically generate secrets in Kubernetes. The templating is built on top of Go templates, which is a powerful and flexible template engine built into Go.
Please be aware that trying to reference non-existing keys will result in an error. Additionally, each template field is processed individually, which means one template field cannot reference another template field.
<Note> Please note that templating is currently only supported for the `InfisicalPushSecret` and `InfisicalSecret` CRDs. </Note>The Infisical Secrets Operator exposes a wide range of helper functions to make it easier to work with secrets in Kubernetes.
| Function | Description | Signature |
|---|---|---|
decodeBase64ToBytes | Given a base64 encoded string, this function will decode the base64-encoded string. | decodeBase64ToBytes(encodedString string) string |
encodeBase64 | Given a string, this function will encode the string to a base64 encoded string. | encodeBase64(plainString string) string |
pkcs12key | Extracts all private keys from a PKCS#12 archive and encodes them in PKCS#8 PEM format. | pkcs12key(input string) string |
pkcs12keyPass | Same as pkcs12key. Uses the provided password to decrypt the PKCS#12 archive. | pkcs12keyPass(pass string, input string) string |
pkcs12cert | Extracts all certificates from a PKCS#12 archive and orders them if possible. If disjunct or multiple leaf certs are provided they are returned as-is. Sort order: leaf / intermediate(s) / root. | pkcs12cert(input string) string |
pkcs12certPass | Same as pkcs12cert. Uses the provided password to decrypt the PKCS#12 archive. | pkcs12certPass(pass string, input string) string |
pemToPkcs12 | Takes a PEM encoded certificate and key and creates a base64 encoded PKCS#12 archive. | pemToPkcs12(cert string, key string) string |
pemToPkcs12Pass | Same as pemToPkcs12. Uses the provided password to encrypt the PKCS#12 archive. | pemToPkcs12Pass(cert string, key string, pass string) string |
fullPemToPkcs12 | Takes a PEM encoded certificates chain and key and creates a base64 encoded PKCS#12 archive. | fullPemToPkcs12(cert string, key string) string |
fullPemToPkcs12Pass | Same as fullPemToPkcs12. Uses the provided password to encrypt the PKCS#12 archive. | fullPemToPkcs12Pass(cert string, key string, pass string) string |
filterPEM | Filters PEM blocks with a specific type from a list of PEM blocks.. | filterPEM(pemType string, input string) string |
filterCertChain | Filters PEM block(s) with a specific certificate type (leaf, intermediate or root) from a certificate chain of PEM blocks (PEM blocks with type CERTIFICATE). | filterCertChain(certType string, input string) string |
jwkPublicKeyPem | Takes an json-serialized JWK and returns an PEM block of type PUBLIC KEY that contains the public key. See here for details. | jwkPublicKeyPem(jwkjson string) string |
jwkPrivateKeyPem | Takes an json-serialized JWK and returns an PEM block of type PRIVATE KEY that contains the private key. See here for details. | jwkPrivateKeyPem(jwkjson string) string |
toYaml | Takes an interface, marshals it to yaml. It returns a string, even on marshal error (empty string). | toYaml(v any) string |
fromYaml | Function converts a YAML document into a map[string]any. | fromYaml(str string) map[string]any |
The Infisical Secrets Operator integrates with the Sprig library to provide additional helper functions.
<Note> We've removed `expandEnv` and `env` from the supported functions for security reasons. </Note>To configure global settings that will apply to all CRD instances (InfisicalSecret, InfisicalPushSecret, and InfisicalDynamicSecret), you can define these configurations in a Kubernetes ConfigMap.
For example, you can configure all CRD instances to fetch secrets from a single backend API without specifying the hostAPI parameter for each instance.
| Property | Description | Default value |
|---|---|---|
| hostAPI | If hostAPI in a CRD instance is left empty, this value will be used | https://app.infisical.com/api |
| tls.caRef.secretName | If tls.caRef.secretName in a CRD instance is left empty, this value will be used | - |
| tls.caRef.secretNamespace | If tls.caRef.secretNamespace in a CRD instance is left empty, this value will be used | - |
| tls.caRef.key | If tls.caRef.key in a CRD instance is left empty, this value will be used | - |
All global configurations must reside in a Kubernetes ConfigMap named infisical-config in the namespace infisical-operator-system.
To apply global configuration to the operator, copy the following yaml into infisical-config.yaml file.
apiVersion: v1
kind: Namespace
metadata:
name: infisical-operator-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: infisical-config
namespace: infisical-operator-system
data:
hostAPI: https://example.com/api # <-- global hostAPI
tls.caRef.secretName: custom-ca-certificate # <-- global TLS CA secret name
tls.caRef.secretNamespace: default # <-- global TLS CA secret namespace
tls.caRef.key: ca.crt # <-- global TLS CA secret key
Then apply this change via kubectl by running the following
kubectl apply -f infisical-config.yaml
If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret.
It will continue attempting to reconnect to the API indefinitely.
The InfisicalSecret resource uses the status.conditions field to report its current state and any errors encountered.
$ kubectl get infisicalSecrets
NAME AGE
infisicalsecret-sample 12s
$ kubectl describe infisicalSecret infisicalsecret-sample
...
Spec:
...
Status:
Conditions:
Last Transition Time: 2022-12-18T04:29:09Z
Message: Infisical controller has located the Infisical token in provided Kubernetes secret
Reason: OK
Status: True
Type: secrets.infisical.com/LoadedInfisicalToken
Last Transition Time: 2022-12-18T04:29:10Z
Message: Failed to update secret because: 400 Bad Request
Reason: Error
Status: False
Type: secrets.infisical.com/ReadyToSyncSecrets
Events: <none>
The managed secret created by the operator will not be deleted when the operator is uninstalled.
<Tabs> <Tab title="Helm"> Uninstall Infisical Helm repository ```bash helm uninstall <release name> ``` </Tab> </Tabs>