
Kubernetes Operator V1alpha1 Templating

docs/snippets/kubernetes-operator-v1alpha1-templating.mdx


import KubernetesOperatorTemplatingHelpers from "/snippets/kubernetes-operator-templating-helpers.mdx";

Templating

Syncing secrets from Infisical as-is via the operator is not always enough, and this is where templating helps. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Infisical before they are stored as Kubernetes Secrets or ConfigMaps.

When a template is set, only the keys defined in template.data are included in the output unless includeAllSecrets is set to true. When no template is set, all fetched secrets are included as-is.

includeAllSecrets controls which secrets are included in your managed resource when using templates. When set to true, all secrets fetched from your Infisical project are added to your managed Kubernetes resource. Use this option when you want to sync all secrets from Infisical to Kubernetes but template a subset of them. When set to false, only secrets defined in template.data are included in the managed resource. Use this option when you want to sync only a subset of secrets from Infisical to Kubernetes.

Each secret is available in the template context as .SECRET_KEY, which is an object with two accessors:

  • .Value: the secret value.
  • .SecretPath: the path of the secret in Infisical.

Example template configuration

```yaml
managedKubeSecretReferences:
  - secretName: managed-secret
    secretNamespace: default
    template:
      includeAllSecrets: true
      data:
        # Create a new secret key using values from other secrets
        NEW_KEY: "{{ .DB_PASSWORD.Value }}"
        # Override an existing secret key with a templated value
        API_URL: "https://api.{{.COMPANY_NAME.Value}}.{{.REGION.Value}}.com"
```

For this example, assume the following secrets exist in your Infisical project:

```bash
DB_PASSWORD="secret123"
COMPANY_NAME="acme"
REGION="us-east-1"
API_URL="old-url"
```

The resulting managed Kubernetes resource will contain:

```bash
# Original secrets from includeAllSecrets: true
DB_PASSWORD="secret123"
COMPANY_NAME="acme"
REGION="us-east-1"

# New and overridden templated secrets
NEW_KEY="secret123"
API_URL="https://api.acme.us-east-1.com"
```
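
The merge rules described above, modelled with Go's `text/template` as an added example (not the operator's own code). `Secret`, `Fetched`, `Data` and `Render` are hypothetical names, the `/` secret paths are constructed, and `missingkey=error` is an assumption of this example rather than documented operator behaviour.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Secret mirrors the two documented accessors; hypothetical type for this example.
type Secret struct{ Value, SecretPath string }

// Secrets and template.data from the example above ("/" paths are constructed).
var Fetched = map[string]Secret{
	"DB_PASSWORD": {"secret123", "/"}, "COMPANY_NAME": {"acme", "/"},
	"REGION": {"us-east-1", "/"}, "API_URL": {"old-url", "/"},
}
var Data = map[string]string{
	"NEW_KEY": "{{ .DB_PASSWORD.Value }}",
	"API_URL": "https://api.{{.COMPANY_NAME.Value}}.{{.REGION.Value}}.com",
}

// Render models the documented merge: start from every fetched secret when
// includeAll is true, then add or override keys rendered from template.data.
func Render(fetched map[string]Secret, data map[string]string, includeAll bool) (map[string]string, error) {
	out := map[string]string{}
	if includeAll {
		for k, s := range fetched {
			out[k] = s.Value
		}
	}
	for key, src := range data {
		// Assumption of this example: a misspelled secret name is an error, not a silent render.
		t, err := template.New(key).Option("missingkey=error").Parse(src)
		if err != nil {
			return nil, fmt.Errorf("parse %s: %w", key, err)
		}
		var buf bytes.Buffer
		if err := t.Execute(&buf, fetched); err != nil {
			return nil, fmt.Errorf("render %s: %w", key, err)
		}
		out[key] = buf.String()
	}
	return out, nil
}

func main() {
	fmt.Println(Render(Fetched, Data, false))
}
```

With `includeAll` set to false the result holds only `NEW_KEY` and `API_URL`, so secrets that were used only as template inputs, such as `COMPANY_NAME` and `REGION`, are not copied into the managed resource.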

To help transform your secrets further, the operator provides a set of built-in functions that you can use in your templates.

<KubernetesOperatorTemplatingHelpers />