Unofficial Infisical provider for the Secret Store CSI Driver.
- Prepare a Kubernetes cluster running the Secrets Store CSI Driver
- Install the Infisical secret provider
  - If you can use Helm:
    ```
    helm repo add secrets-store-csi-driver-provider-infisical https://raw.githubusercontent.com/gidoichi/secrets-store-csi-driver-provider-infisical/main/charts
    helm install secrets-store-csi-driver-provider-infisical secrets-store-csi-driver-provider-infisical/secrets-store-csi-driver-provider-infisical
    ```
  - If you want to use kubectl (using Helm is recommended, as some features are excluded from `./deployment`):
    ```
    kubectl apply -f ./deployment/infisical-csi-provider.yaml
    ```
If you install with Helm, a validating webhook is also available.
This feature implements a ValidatingAdmissionWebhook that rejects invalid SecretProviderClass objects. When enabled, an invalid SecretProviderClass, such as one that omits required fields or specifies unknown fields, cannot be created.
For example:

```
$ cat secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: example-provider-infisical
spec:
  provider: infisical
  parameters:
$ kubectl apply -f secretproviderclass.yaml
Error from server: error when creating "secretproviderclass.yaml": admission webhook "vsecretproviderclass.kb.io" denied the request: spec.parameters: Key: 'MountConfig.projectSlug' Error:Field validation for 'projectSlug' failed on the 'required' tag
Key: 'MountConfig.envSlug' Error:Field validation for 'envSlug' failed on the 'required' tag
Key: 'MountConfig.authSecretName' Error:Field validation for 'authSecretName' failed on the 'required' tag
Key: 'MountConfig.authSecretNamespace' Error:Field validation for 'authSecretNamespace' failed on the 'required' tag
```

To enable it:
- In the "Install the Infisical secret provider" step, add the option `--set webhook.enable=true` when running `helm install`
- Create a new Infisical client using Universal Auth
- Store the Client ID and the Client Secret in a Kubernetes Secret under the `client-id` and `client-secret` keys respectively
  ```
  # You can create the secret with the following command, or by applying `./examples/secret.yaml` after editing it
  kubectl create secret generic infisical-secret-provider-auth-credentials --from-literal="client-id=$id" --from-literal="client-secret=$secret"
  ```
- Create a SecretProviderClass referencing the secret
  ```
  # Edit secretproviderclass.yaml so that it fetches secrets from your Infisical project
  kubectl apply -f ./examples/secretproviderclass.yaml
  ```
- Create a Pod using the SecretProviderClass
  ```
  # This deployment lists and reads all secrets, then logs their contents
  kubectl apply -f ./examples/deployment.yaml
  ```
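The three objects the steps above create, written out as one added example (not the manifests in the project's `./examples` directory). It assumes the auth Secret and the Pod live in the `default` namespace, uses placeholder project and environment slugs, and sets all four `parameters` keys that the validating webhook reports as required.

```yaml
# Auth Secret: holds the Universal Auth credentials under the key names the provider reads
apiVersion: v1
kind: Secret
metadata:
  name: infisical-secret-provider-auth-credentials
  namespace: default              # assumption: the auth Secret lives in "default"
type: Opaque
stringData:
  client-id: "<INFISICAL_CLIENT_ID>"          # placeholder
  client-secret: "<INFISICAL_CLIENT_SECRET>"  # placeholder
---
# SecretProviderClass: all four fields the webhook reported as required are set
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: example-provider-infisical
  namespace: default
spec:
  provider: infisical
  parameters:
    projectSlug: "my-project"        # placeholder: Infisical project slug
    envSlug: "dev"                   # placeholder: Infisical environment slug
    authSecretName: "infisical-secret-provider-auth-credentials"
    authSecretNamespace: "default"
---
# Pod: mounts the secrets read-only through the CSI driver; no secret value is copied into the pod spec
apiVersion: v1
kind: Pod
metadata:
  name: infisical-csi-demo
  namespace: default
spec:
  containers:
    - name: app
      image: busybox:1.36           # assumption: any image with a shell works here
      command: ["sh", "-c", "ls -l /mnt/secrets && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: example-provider-infisical
```

With the webhook enabled, applying this file with a `parameters` key removed fails at admission time rather than at pod start, which is the quickest way to confirm the webhook is active.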
Some features are not supported by this provider. Please refer to this link for the list of features supported by the Secret Store CSI Driver.
| Features | Supported |
|---|---|
| Sync as Kubernetes Secret | Yes |
| Rotation | No |
| Windows | No |
| Helm Chart | Yes |
The following are tested scenarios as part of CI. More detailed descriptions of these scenarios are available here.