Kubernetes CSI
How to use Infisical to inject secrets directly into Kubernetes pods.
Overview
The Infisical CSI provider allows you to use Infisical with the Secrets Store CSI driver to inject secrets directly into your Kubernetes pods through a volume mount. In contrast to the Infisical Kubernetes Operator, the Infisical CSI provider will allow you to sync Infisical secrets directly to pods as files, removing the need for Kubernetes secret resources.
Features
The following features are supported by the Infisical CSI Provider:
- Integration with Secrets Store CSI Driver for direct pod mounting
- Authentication using Kubernetes service accounts via machine identities
- Auto-syncing secrets when enabled via CSI Driver
- Configurable secret paths and file mounting locations
- Installation via Helm
Prerequisites
The Infisical CSI provider is only supported for Kubernetes clusters with version >= 1.20.
Limitations
Currently, the Infisical CSI provider only supports static secrets.
Deploy to Kubernetes cluster
Install Secrets Store CSI Driver
In order to use the Infisical CSI provider, you will first have to install the Secrets Store CSI driver to your cluster. It is important that you define the audience value for token requests as demonstrated below. The Infisical CSI provider will NOT WORK if this is not set.
The flags configure the following:
- tokenRequests[0].audience=infisical: Sets the audience value for service account token authentication (required; the Infisical CSI provider will not work without it)
- enableSecretRotation=true: Enables automatic secret updates from Infisical
- rotationPollInterval=2m: Checks for secret updates every 2 minutes
- syncSecret.enabled=true: Enables syncing secrets to Kubernetes Secret objects (this only takes effect for a SecretProviderClass that declares secretObjects; omit it if you want file mounts only)
If you do not wish to use the auto-syncing feature of the Secrets Store CSI driver, you can omit the enableSecretRotation and rotationPollInterval flags. Do note that by default, secrets from Infisical are only fetched and mounted during pod creation. If there are any changes made to the secrets in Infisical, they will not propagate to the pods unless auto-syncing is enabled for the CSI driver.
Install Infisical CSI Provider
Next, install the Infisical CSI provider into your cluster.
Install the latest Infisical Helm repository
Install the Helm Chart
For a list of all supported arguments for the helm installation, you can run the following:
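The install steps above, as an added shell example (not Infisical's own scripts): it validates the two driver values that matter most (a non-empty audience, a well-formed poll interval), installs the driver with those flags, then adds the Infisical chart repository and installs the provider. Assumptions: the driver is installed with Helm release name `csi` in `kube-system`; the Infisical chart repository URL and the chart name `infisical-csi-provider` are the ones Infisical publishes, so confirm them against the page's Helm step and `helm search repo`.

```shell
#!/bin/sh
# Added example, not Infisical's own code: install the Secrets Store CSI driver
# with the audience the Infisical provider requires, then install the provider.
set -eu

AUDIENCE=${AUDIENCE:-infisical}   # must equal the machine identity's allowed audience
AUTO_SYNC=${AUTO_SYNC:-true}      # "false": secrets are only fetched at pod creation
POLL_INTERVAL=${POLL_INTERVAL:-2m}

# Emit the --set flags for the driver chart, one token per line. An empty
# audience would install fine but leave the provider unable to authenticate,
# so it is rejected here; the poll interval must be a Go duration (2m, 90s, 1h30m).
driver_set_flags() {
  audience=$1; auto_sync=$2; interval=${3:-2m}
  if [ -z "$audience" ]; then
    echo "audience must not be empty: the Infisical CSI provider will not work without it" >&2
    return 1
  fi
  printf '%s\n' --set "tokenRequests[0].audience=$audience" \
                --set "syncSecret.enabled=true"
  if [ "$auto_sync" = true ]; then
    printf '%s' "$interval" | grep -Eq '^([0-9]+[smh])+$' || {
      echo "rotationPollInterval must be a duration such as 2m, got '$interval'" >&2
      return 1
    }
    printf '%s\n' --set "enableSecretRotation=true" \
                  --set "rotationPollInterval=$interval"
  fi
}

install_driver() {
  # Capture in an assignment so a validation failure aborts under set -e
  # instead of silently running helm without the audience flag.
  flags=$(driver_set_flags "$AUDIENCE" "$AUTO_SYNC" "$POLL_INTERVAL")
  helm repo add secrets-store-csi-driver \
    https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  helm repo update
  set -f   # the audience flag contains "[0]"; disable globbing before word-splitting $flags
  # shellcheck disable=SC2086
  helm install csi secrets-store-csi-driver/secrets-store-csi-driver \
    --namespace kube-system $flags
  set +f
}

install_provider() {
  # Repository URL and chart name are assumptions; verify with `helm search repo infisical`.
  helm repo add infisical-helm-charts \
    'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
  helm repo update
  # The provider registers with the driver over a host socket, so any namespace works;
  # kube-system keeps it with the other node add-ons.
  helm install infisical-csi-provider infisical-helm-charts/infisical-csi-provider \
    --namespace kube-system
  # All chart arguments: helm show values infisical-helm-charts/infisical-csi-provider
}

if [ "${1:-}" = install ]; then
  install_driver
  install_provider
fi
```

Run it as `sh install.sh install`; set `AUTO_SYNC=false` to skip the rotation flags, and keep `AUDIENCE` identical to the value you later enter as the allowed audience on the machine identity.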
Authentication
In order for the Infisical CSI provider to pull secrets from your Infisical project, you will have to create a machine identity in Infisical and configure its Kubernetes authentication method for your cluster. You can refer to the Kubernetes auth documentation for setting it up here.
The allowed audience field of the Kubernetes authentication settings should match the audience specified for the Secrets Store CSI driver during installation.
Creating Secret Provider Class
With the Secrets Store CSI driver and the Infisical CSI provider installed, create a Kubernetes SecretProviderClass resource to establish the connection between the CSI driver and the Infisical CSI provider for secret retrieval. You can create as many Secret Provider Classes as needed for your cluster.
The SecretProviderClass should be provisioned in the same namespace as the pod you intend to mount secrets to.
Supported Parameters
Using Secret Provider Class
A pod can use the Secret Provider Class by mounting it as a CSI volume:
When the pod is created, the secrets are mounted as individual files in the /mnt/secrets-store directory.
Verifying Secret Mounts
To verify your secrets are mounted correctly:
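The SecretProviderClass, the pod that mounts it, and the verification step, as one added shell example (not Infisical's own manifests). Both resources are rendered from a single NAMESPACE variable so the class cannot end up in a different namespace from the pod. Assumptions: the SecretProviderClass parameter names (infisicalUrl, authMethod, identityId, projectId, envSlug, audience, and a secrets list of secretPath/fileName/secretKey) are taken from the provider's documentation as the author of this example knows it and must be checked against the Supported Parameters table; the identity and project IDs are placeholders; the service account must be one the machine identity's Kubernetes auth allows.

```shell
#!/bin/sh
# Added example, not Infisical's own code: render a SecretProviderClass and a
# pod that mounts it into ONE namespace, apply both, and verify the mount.
set -eu

NAMESPACE=${NAMESPACE:-default}              # SPC and pod must share this namespace
SERVICE_ACCOUNT=${SERVICE_ACCOUNT:-default}  # must be allowed by the identity's Kubernetes auth
AUDIENCE=${AUDIENCE:-infisical}              # same value as tokenRequests[0].audience on the driver
IDENTITY_ID=${IDENTITY_ID:-00000000-0000-0000-0000-000000000000}  # placeholder
PROJECT_ID=${PROJECT_ID:-00000000-0000-0000-0000-000000000000}    # placeholder
SPC_NAME=infisical-app-secrets
POD_NAME=app-with-infisical-secrets
MOUNT_PATH=/mnt/secrets-store

# Parameter names are assumed from the provider's documentation; verify them
# against the Supported Parameters table before applying.
render_spc() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: $SPC_NAME
  namespace: $NAMESPACE
spec:
  provider: infisical
  parameters:
    infisicalUrl: "https://app.infisical.com"
    authMethod: "kubernetes"
    identityId: "$IDENTITY_ID"
    projectId: "$PROJECT_ID"
    envSlug: "dev"
    audience: "$AUDIENCE"
    secrets: |
      - secretPath: "/"
        fileName: "dbPassword"
        secretKey: "DB_PASSWORD"
      - secretPath: "/app"
        fileName: "appSecret"
        secretKey: "APP_SECRET"
EOF
}

# Standard Secrets Store CSI volume: the driver name is fixed, the class is
# selected by name and resolved in the pod's own namespace.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $POD_NAME
  namespace: $NAMESPACE
spec:
  serviceAccountName: $SERVICE_ACCOUNT
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
      volumeMounts:
        - name: infisical-secrets
          mountPath: "$MOUNT_PATH"
          readOnly: true
  volumes:
    - name: infisical-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "$SPC_NAME"
EOF
}

# The file names the class promises, so the check below is driven by the class itself.
spc_file_names() {
  render_spc | sed -n 's/.*fileName: "\(.*\)"/\1/p'
}

apply_all() {
  render_spc | kubectl apply -f -
  render_pod | kubectl apply -f -
  kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=120s
}

# Confirm every expected file exists and is non-empty WITHOUT echoing secret
# values into your terminal history or CI logs.
verify_mount() {
  kubectl -n "$NAMESPACE" exec "$POD_NAME" -- ls -l "$MOUNT_PATH"
  for f in $(spc_file_names); do
    size=$(kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "wc -c < '$MOUNT_PATH/$f'")
    [ "$size" -gt 0 ] || { echo "$f is empty" >&2; return 1; }
    echo "$f: $size bytes"
  done
}

if [ "${1:-}" = apply ]; then apply_all; verify_mount; fi
```

Run `sh mount.sh apply` after exporting NAMESPACE, SERVICE_ACCOUNT, IDENTITY_ID and PROJECT_ID. Because the driver writes each secret to its own file, an application that should pick up rotated values has to re-read the file; a value read once at startup will not change when the driver refreshes the mount.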
Troubleshooting
To troubleshoot issues with the Infisical CSI provider, refer to the logs of the Infisical CSI provider running on the same node as your pod.
You can also refer to the logs of the secrets store CSI driver. Modify the command below with the appropriate pod and namespace of your secrets store CSI driver installation.
Common issues include:
- Mismatch in the audience value of the CSI driver with the machine identity’s Kubernetes auth configuration
- SecretProviderClass in the wrong namespace
- Invalid machine identity configuration
- Incorrect secret paths or keys
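The troubleshooting steps above, as an added shell example (not Infisical's own tooling): it prints the pod's events (a failing mount shows up as a FailedMount event carrying the provider's error), finds the provider and driver pods scheduled on the same node as the application pod, dumps their logs, and reads the driver's configured audience back from the Helm release so it can be compared with the machine identity's allowed audience. Assumptions: the driver was installed as Helm release `csi` in `kube-system`, which names its pods `csi-secrets-store-csi-driver-*`; the provider pods are named `infisical-csi-provider-*`; both prefixes are variables you can override.

```shell
#!/bin/sh
# Added example, not Infisical's own code: collect the evidence for a failing
# secrets-store mount from the pod, the provider on its node, and the driver.
set -eu

NAMESPACE=${NAMESPACE:-default}
POD_NAME=${POD_NAME:-app-with-infisical-secrets}
DRIVER_NS=${DRIVER_NS:-kube-system}
DRIVER_RELEASE=${DRIVER_RELEASE:-csi}      # Helm release name used for the driver
PROVIDER_NS=${PROVIDER_NS:-kube-system}
# Pod name prefixes are assumptions; adjust to what `kubectl get pods` shows.
DRIVER_PREFIX=${DRIVER_PREFIX:-$DRIVER_RELEASE-secrets-store-csi-driver}
PROVIDER_PREFIX=${PROVIDER_PREFIX:-infisical-csi-provider}

# stdin: "NAME NODE" lines, as printed by
#   kubectl get pods --no-headers -o custom-columns=NAME:.metadata.name,NODE:.spec.nodeName
# Print the first pod whose name starts with $1 and which runs on node $2.
pick_pod_on_node() {
  awk -v prefix="$1" -v node="$2" \
    'index($1, prefix) == 1 && $2 == node { print $1; exit }'
}

# stdin: `helm get values <release> -o yaml` output. Print tokenRequests[0].audience,
# or nothing if the driver was installed without one.
driver_audience_from_values() {
  awk '/^tokenRequests:/ { in_tr = 1; next }
       in_tr && /^[^ -]/    { in_tr = 0 }
       in_tr && /audience:/ { v = $NF; gsub(/"/, "", v); print v; exit }'
}

pods_by_node() {  # $1: namespace
  kubectl -n "$1" get pods --no-headers \
    -o custom-columns=NAME:.metadata.name,NODE:.spec.nodeName
}

# Logs of the pod with prefix $2 in namespace $1 that runs on the app pod's node:
# the driver and provider are DaemonSets, so only that node's copies saw the mount.
logs_on_app_node() {
  node=$(kubectl -n "$NAMESPACE" get pod "$POD_NAME" -o jsonpath='{.spec.nodeName}')
  [ -n "$node" ] || { echo "$POD_NAME is not scheduled yet; check its events first" >&2; return 1; }
  pod=$(pods_by_node "$1" | pick_pod_on_node "$2" "$node")
  [ -n "$pod" ] || { echo "no pod with prefix $2 on node $node in $1" >&2; return 1; }
  echo "== $1/$pod (node $node) =="
  kubectl -n "$1" logs "$pod" --all-containers --tail=200
}

diagnose() {
  echo "== events for $NAMESPACE/$POD_NAME (look for FailedMount) =="
  kubectl -n "$NAMESPACE" get events --field-selector "involvedObject.name=$POD_NAME" \
    --sort-by=.lastTimestamp
  logs_on_app_node "$PROVIDER_NS" "$PROVIDER_PREFIX"
  logs_on_app_node "$DRIVER_NS" "$DRIVER_PREFIX"
  audience=$(helm -n "$DRIVER_NS" get values "$DRIVER_RELEASE" -o yaml | driver_audience_from_values)
  if [ -n "$audience" ]; then
    echo "driver tokenRequests[0].audience='$audience': it must equal the allowed audience" \
         "on the machine identity's Kubernetes auth and the audience in the SecretProviderClass"
  else
    echo "WARNING: driver release $DRIVER_RELEASE has no tokenRequests audience; the provider cannot work" >&2
  fi
}

if [ "${1:-}" = diagnose ]; then diagnose; fi
```

Run `NAMESPACE=myapp POD_NAME=mypod sh diagnose.sh diagnose`. If the events show the mount failing before the provider logs anything, the problem is usually the SecretProviderClass name or namespace; if the provider logs an authentication error, compare the audience line with the machine identity's allowed audience and allowed service accounts.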
Best Practices
For additional guidance on setting this up for your production cluster, you can refer to the Secrets Store CSI driver documentation here.