docs/integrations/platforms/kubernetes/infisical-connection-crd.mdx
The InfisicalConnection CRD defines how the Infisical Operator connects to your Infisical instance. It holds the instance address and an optional TLS configuration. Once created, it can be referenced by multiple InfisicalAuth CRDs so you only need to define connection details once per Infisical instance.
```yaml
apiVersion: secrets.infisical.com/v1beta1
kind: InfisicalConnection
metadata:
  name: my-infisical-connection
spec:
  address: https://app.infisical.com
  # tls:
  #   caCertificate:
  #     name: secret-containing-ca-certificate
  #     key: ca.crt
  #     namespace: default
```
Apply the resource:
```bash
kubectl apply -f infisical-connection.yaml
```
When address is not defined, the operator connects to the address defined by the Helm value hostAPI.
For self-hosted instances, set this to https://your-self-hosted-instance.com.
</Accordion>
- name: Name of the Kubernetes secret containing the CA certificate.
- namespace: Namespace of the Kubernetes secret containing the CA certificate.
- key: The key within the secret that holds the CA certificate value.

```yaml
tls:
  caCertificate:
    name: secret-containing-ca-certificate
    namespace: default
    key: ca.crt
```
You can check the status of your InfisicalConnection resource by inspecting its conditions:
```bash
kubectl get infisicalconnection my-infisical-connection -o jsonpath='{.status.conditions}' | jq
```
When the connection is healthy, the secrets.infisical.com/IsReady condition will have Status: "True" and Reason: "OK".
If the connection is unhealthy, Reason will be set to Error and Message will contain details about what went wrong.
The ObservedGeneration field indicates which generation of the resource spec the operator has last processed. If ObservedGeneration is less than metadata.generation, the operator has not yet reconciled the latest changes to the resource.
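The status rules above can be turned into a gate for a deploy pipeline, so that a "True" condition reported for an older spec (for example the previous address or CA certificate) is not trusted. This is an added example, not code from the Infisical project; the function name, the sample objects, and the JSON key names (`type`, `status`, `reason`, `message`, `observedGeneration`, following the standard Kubernetes condition layout) are assumptions.

```python
import json
import sys

READY_TYPE = "secrets.infisical.com/IsReady"  # condition type named on this page

def connection_state(resource):
    """Return (ready, explanation) for an InfisicalConnection object.

    Assumption: conditions use the standard Kubernetes JSON keys, and
    observedGeneration sits on the condition or directly under status.
    """
    generation = resource.get("metadata", {}).get("generation", 0)
    status = resource.get("status", {})
    cond = next((c for c in status.get("conditions") or [] if c.get("type") == READY_TYPE), None)
    if cond is None:
        return False, "no IsReady condition yet: operator has not reported"
    observed = cond.get("observedGeneration", status.get("observedGeneration", 0))
    if observed < generation:
        # The condition describes an older spec, so its verdict is not current.
        return False, f"stale: observed generation {observed} < {generation}"
    if cond.get("status") == "True" and cond.get("reason") == "OK":
        return True, "ready"
    return False, f"{cond.get('reason')}: {cond.get('message', '')}"

# Constructed sample objects (not real cluster output).
def sample(generation, observed, status, reason, message=""):
    return {
        "metadata": {"name": "my-infisical-connection", "generation": generation},
        "status": {"conditions": [{
            "type": READY_TYPE, "status": status, "reason": reason,
            "message": message, "observedGeneration": observed,
        }]},
    }

HEALTHY = sample(2, 2, "True", "OK")
STALE = sample(3, 2, "True", "OK")  # spec edited, not yet reconciled
FAILED = sample(2, 2, "False", "Error", "constructed failure message")

if __name__ == "__main__":
    # Pipe in: kubectl get infisicalconnection my-infisical-connection -o json
    if not sys.stdin.isatty():
        ok, why = connection_state(json.load(sys.stdin))
        print(why)
        sys.exit(0 if ok else 1)
    for obj in (HEALTHY, STALE, FAILED):
        print(connection_state(obj))
```

When fed the full object from `kubectl get ... -o json`, the script exits non-zero for a stale, missing, or failed condition, which lets a pipeline step block until the operator has reconciled the current spec.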