Infisical POC AGP¶
Imported from Confluence. Content may be outdated; verify before following any procedures. Last updated: November 2025
Infisical agent (CLI)¶
Key features¶
- Token renewal: automatically authenticates with Infisical and deposits renewed access tokens at the specified path for applications to consume
- Templating: renders secrets through user-provided templates into the formats applications expect
Here is an example agent configuration file:
```yaml
infisical:
  address: "https://eu.infisical.com"
auth:
  type: "universal-auth"
  config:
    client-id: "./client-id"
    client-secret: "./client-secret"
    remove_client_secret_on_read: false
sinks:
  - type: "file"
    config:
      path: "/home/user/infisical/access-token"
templates:
  - source-path: ssb-secret-template
    destination-path: /home/user/infisical/database.cnf
    config:
      polling-interval: 60s
      execute:
        timeout: 30
        command: ./reload-app.sh
  - source-path: ssb-secret-template2
    destination-path: /home/user/infisical/somesecret
    config:
      polling-interval: 60s
      execute:
        timeout: 30
        command: ./export-env.sh # The command to execute when a secret change is detected
```
Tested the DSP use case of creating a .cnf file for MySQL DB authorization.
Template example:
{{- with getSecretByName "263b54ed-9265-4a9d-b007-ae1537f107b3" "dev" "/dev/" "DBFILE" }}
{{ if .Value }}
{{ .Value }}
{{ end }}
{{ end }}
The Infisical agent supports multiple authentication methods; for the PoC, the Universal Auth method was used.
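As an added example (not from the page and not Infisical's own code), here is a reload-app.sh that the agent's execute.command above could call: it refuses to reload the application while the rendered database.cnf is group- or world-readable or is not a usable MySQL option file, so a bad render never reaches the app. It assumes the DBFILE secret holds a complete [client] option file; the CNF_PATH default and the systemd unit name APP_SERVICE are placeholders.

```shell
#!/bin/sh
# reload-app.sh: hook for the agent's "execute.command" (added example, not Infisical's code).
# Assumptions: the template renders a complete MySQL option file (a [client]
# section with a password) to CNF_PATH, and the consuming application is a
# systemd unit named APP_SERVICE; both names are placeholders.
CNF_PATH="${CNF_PATH:-/home/user/infisical/database.cnf}"
APP_SERVICE="${APP_SERVICE:-dsp-app}"

# Return 0 only if the file is readable by its owner alone (mode 600 or 400):
# columns 5-10 of `ls -l` are the group and other permission bits.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 only if the file has a [client] section and a non-empty password,
# which rejects a file the template rendered from an empty secret value.
is_valid_cnf() {
    grep -q '^\[client\]' "$1" || return 1
    grep -q '^password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Validate the rendered file; print the reason to stderr on failure.
check_cnf() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "reload-app: $f is missing" >&2; return 1
    fi
    if ! is_private "$f"; then
        echo "reload-app: $f is group/world readable, refusing to reload" >&2; return 1
    fi
    if ! is_valid_cnf "$f"; then
        echo "reload-app: $f is not a usable MySQL option file" >&2; return 1
    fi
    return 0
}

# Entry point the agent triggers after a secret change: validate, then reload.
reload_app() {
    check_cnf "$CNF_PATH" || return 1
    systemctl reload "$APP_SERVICE"
}

# Act only when executed as the hook itself, so the functions can also be sourced.
case "$(basename "$0")" in
    reload-app.sh) reload_app ;;
esac
```

The agent reports a non-zero exit of the hook, so a refused reload shows up in the agent log rather than as a silently broken application.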

Dynamic secrets for Database access.¶
Infisical supports dynamic secrets for PostgreSQL and MySQL as well, plus plenty of other dynamic-secret templates.
Tried dynamic secret creation for MySQL 5.7, MySQL 8.0, PostgreSQL 14 and PostgreSQL 17.
You can edit the SQL statements that create and drop the user, so you control which database the generated user is given access to.

Users are created with a random name and password. The password configuration can be changed, but the user names cannot.

However, the max TTL for dynamic users is 24h, which does not fit static user management.
It is possible to prolong the lease for another 23h using the UI or the CLI.

The Infisical CLI can also create or prolong a lease:
infisical dynamic-secrets lease create /dev/mysql8 --domain https://eu.infisical.com --projectId 263b54ed-9265-4a9d-b007-ae1537f107b3
Database user password rotation¶
- Infisical supports password rotation for PostgreSQL
- Does not support MySQL database secret rotation

One disadvantage is that the Infisical database user must be granted admin permission over each user whose password it rotates.
SSH access¶
Infisical supports SSH key management and user permission management for access to internal OS users.
Also, at our request, they now support host groups, so access can be templated for instances of the same type.
Here is an example command that registers a host on startup:
sudo infisical ssh add-host --domain https://eu.infisical.com --projectId=59203b5d-beb2-45c0-ab5d-3f40f210127a --hostname=test-ssb-ssh --token="$INFISICAL_TOKEN" --writeUserCaToFile --writeHostCertToFile --configureSshd --host-group ssb-prod
To log in via SSH you need to use the Infisical CLI.

Infisical Operator¶
The Infisical operator provides several Custom Resource Definitions (CRDs) which enable you to:
- Sync secrets from Infisical into Kubernetes (InfisicalSecret).
- Push new secrets from Kubernetes to Infisical (InfisicalPushSecret).
- Manage dynamic secrets and automatically create time-bound leases (InfisicalDynamicSecret).
Here is an example of how to fetch secrets:
```yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  labels:
    app.kubernetes.io/instance: infisical-poc-dsp
  name: infisicalsecret-config
  namespace: infisical-dev
spec:
  authentication:
    serviceToken:
      secretsScope:
        envSlug: dev
        secretsPath: /dev
      serviceTokenSecretReference:
        secretName: dsp-gke-token
        secretNamespace: infisical-dev
  hostAPI: https://eu.infisical.com/api
  managedKubeSecretReferences:
    - secretName: config-secret
      secretNamespace: infisical-dev
      template:
        includeAllSecrets: false
        data:
          DBFILE: "{{ .DBFILE.Value }}"
  resyncInterval: 10
```
The Kubernetes Secret is created in the namespace given by the secretNamespace value.

Infisical also supports a CSI provider that injects secrets directly into a pod as a volume, without using Kubernetes Secrets at all.
After installing the CSI driver Helm chart, you need to create a SecretProviderClass and attach it to the pod configuration.
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-infisical-app-csi-provider
spec:
  provider: infisical
  parameters:
    infisicalUrl: "https://app.infisical.com"
    authMethod: "kubernetes"
    identityId: "ad2f8c67-cbe2-417a-b5eb-1339776ec0b3"
    projectId: "09eda1f8-85a3-47a9-8a6f-e27f133b2a36"
    envSlug: "prod"
    secrets: |
      - secretPath: "/"
        fileName: "dbPassword"
        secretKey: "DB_PASSWORD"
      - secretPath: "/app"
        fileName: "appSecret"
        secretKey: "APP_SECRET"
```
Pod configuration:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-secrets-store
  labels:
    app: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "my-infisical-app-csi-provider"
```
Self-hosted Infisical¶
Infisical provides a Helm chart for installing a self-hosted environment.
The Infisical chart also deploys Redis, Postgres and an Nginx ingress controller.


Jenkins Plugin¶
Infisical also has a Jenkins plugin that fetches secret values and exposes them as environment variables.
Pipeline example:
```groovy
node {
    withInfisical(
        configuration: [
            infisicalCredentialId: 'jenkins-dsp-id',
            infisicalEnvironmentSlug: 'dev',
            infisicalProjectSlug: 'dsp-c5-ai',
            infisicalUrl: 'https://eu.infisical.com' // Change this to your Infisical instance URL if you aren't using Infisical Cloud.
        ],
        infisicalSecrets: [
            infisicalSecret(
                includeImports: true,
                path: '/dev',
                secretValues: [
                    [infisicalKey: 'DBFILE'],
                    [infisicalKey: 'default'],
                    [infisicalKey: 'THIS_KEY_MIGHT_NOT_EXIST', isRequired: false],
                ]
            )
        ]
    ) {
        // Code runs here. The secrets are exposed as environment variables, so the
        // shell strings stay single-quoted: Groovy interpolation ("$DBFILE") would
        // paste the secret into the command line before the shell ever sees it.
        sh 'printenv'        // PoC check only: this prints every secret to the build log
        sh 'echo "$DBFILE"'
        // The shell expands $DBFILE inside the heredoc; the EOF terminator must start at column 1.
        sh '''
cat <<EOF > dbfile.cnf
$DBFILE
EOF
'''
        sh 'cat dbfile.cnf'
    }
}
```
