infisical

Metadata

| Field | Value |
| --- | --- |
| Service | infisical |
| Purpose | Self-hosted secret-management control plane for future GitOps secret workflows |
| Criticality | Tier 1 |
| Owner | Platform / Security owner |
| Clusters | local |
| Namespace | infisical |
| Exposure | internet |
| Stateful | yes |
| Backup class | snapshot |
| RPO / RTO | Daily backup target, 2 to 4 hours to restore after the backup path is validated |
| Last reviewed | 2026-06-30 |

1. Service Overview

Infisical provides a central place to store and manage secrets that will later feed GitOps workflows. This first deployment only brings up the standalone service and its in-cluster Postgres and Redis dependencies; it does not migrate existing repository secrets or install a secret-sync operator.

Summary

If Infisical is unavailable, operators cannot use it for new secret-management workflows. Existing services continue using their current secret sources until a separate migration is planned.

Dependencies

| Dependency | Type | Why it matters |
| --- | --- | --- |
| Traefik | ingress | External HTTPS access to the UI and API |
| Postgres | database | Persistent Infisical application state |
| Redis | cache/session | Runtime cache and queue dependency |
| local-path | storage | PVC provisioning for the standalone local deployment |

2. Architecture Diagram

[Operator / CLI / API client]
  -> [Traefik]
  -> [Infisical Deployment]
       -> [infisical-postgres PVC]
       -> [infisical-redis PVC]

3. Deployment Specifications

| Item | Value |
| --- | --- |
| Source path | infisical/base and infisical/overlays/local |
| Deployment model | Kustomize plus Fleet bundle |
| Namespace | infisical |
| Workload kind | Deployment plus Postgres and Redis StatefulSets |
| Images | infisical/infisical:v0.161.10, postgres:16.14-alpine, redis:7.4.9-alpine |
| Storage | local-path, Postgres 8Gi, Redis 1Gi |
| Probes | Infisical GET /api/status, Postgres pg_isready, Redis redis-cli ping |
| RBAC | No dedicated RBAC; ServiceAccount token automount disabled |
| Config files | base/kustomization.yaml, overlays/local/kustomization.yaml, fleet.yaml |

Cluster mapping

| Cluster | Overlay path | Notes |
| --- | --- | --- |
| local | infisical/overlays/local | Current standalone deployment |

4. Configuration Guide

Environment variables

| Variable | Source | Purpose | Secret? |
| --- | --- | --- | --- |
| SITE_URL | ConfigMap infisical-config | Public URL for callbacks and generated links | no |
| NODE_ENV | ConfigMap infisical-config | Production runtime mode | no |
| ENCRYPTION_KEY | Secret infisical-secrets | 256-bit base64-encoded AES-256-GCM key for KMS encryption. Generate with openssl rand -base64 32 | yes |
| ROOT_ENCRYPTION_KEY | Secret infisical-secrets | Optional dedicated 256-bit base64 KMS root key; takes precedence over ENCRYPTION_KEY for KMS when set | yes |
| AUTH_SECRET | Secret infisical-secrets | JWT and auth signing secret | yes |
| POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB | Secret infisical-secrets | Postgres bootstrap and app connection values | yes |
| REDIS_PASSWORD | Secret infisical-secrets | Redis authentication | yes |
| DB_CONNECTION_URI, REDIS_URL | Deployment env expansion | Runtime dependency connection strings | yes |

Because DB_CONNECTION_URI and REDIS_URL are assembled by Kubernetes environment-variable expansion, which substitutes the referenced values verbatim without percent-encoding them, choose URI-safe Postgres and Redis passwords or plan a follow-up that stores pre-encoded connection strings in the Secret.

ConfigMaps

| Resource | Path | Purpose |
| --- | --- | --- |
| infisical-config | infisical/overlays/local/infisical-configmap.yaml | Non-secret runtime URL and mode |

Secrets management

  • Secret name: infisical-secrets in namespace infisical.
  • Required keys: ENCRYPTION_KEY, AUTH_SECRET, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, REDIS_PASSWORD.
  • Optional keys: ROOT_ENCRYPTION_KEY.
  • Source of truth: manually created Kubernetes Secret from an out-of-band env file based on infisical-secrets.env.example.
  • Rotation trigger: operator-initiated rotation, incident response, or dependency credential rotation.
  • Recovery note: restore or recreate infisical-secrets before starting Infisical, Postgres, or Redis pods.

5. Access Protocols

| Path | URL or endpoint | Audience | Auth | TLS terminates at |
| --- | --- | --- | --- | --- |
| Internal | infisical.infisical.svc.cluster.local:8080 | Cluster workloads and diagnostics | namespace access plus Infisical auth | none internally |
| External | https://infisical.mutana.fr | Operators and future GitOps clients | Infisical auth | Traefik |

Authelia forward auth is intentionally not placed in front of Infisical in this deployment so CLI, API, callback, and machine-identity flows remain direct.

6. Operations and Observability

  • Primary health indicators: Infisical Deployment ready, Postgres and Redis StatefulSets ready, PVCs bound, and /api/status returns HTTP 200.
  • Dashboards or alerts: shared cluster monitoring and ingress health.
  • Log locations: deploy/infisical, statefulset/infisical-postgres, and statefulset/infisical-redis.
  • Known failure modes: missing infisical-secrets, URI-unsafe Postgres or Redis passwords breaking the expanded connection strings, PVC provisioning failure, database startup delay, or an IngressRoute/TLS routing issue.

7. Backup and Recovery Notes

  • Backup method: snapshot Postgres and Redis PVCs plus preserve infisical-secrets.
  • Restore prerequisites: restored PVC data, matching Secret values, local-path availability, and Traefik route.
  • Backup gap: a tested restore drill for Infisical has not been completed yet.
  • Related runbook: ../runbooks/infisical.md

8. Release and Change Notes

  • Current deployed app version: infisical/infisical:v0.161.10.
  • Current chart version: N/A.
  • Last significant change: initial standalone local deployment with Postgres, Redis, Traefik exposure, manual Secret contract, and no operator.
  • Rollback reference: remove or revert the infisical/ Fleet path and workload manifests; preserve PVC snapshots and Secret values for recovery.