# infisical

| Field | Value |
| --- | --- |
| Service | infisical |
| Purpose | Self-hosted secret-management control plane for future GitOps secret workflows |
| Criticality | Tier 1 |
| Owner | Platform / Security owner |
| Clusters | local |
| Namespace | infisical |
| Exposure | internet |
| Stateful | yes |
| Backup class | snapshot |
| RPO / RTO | Daily backup target, 2 to 4 hours to restore after the backup path is validated |
| Last reviewed | 2026-06-30 |
## 1. Service Overview
Infisical provides a central place to store and manage secrets that will later feed GitOps workflows. This first deployment only brings up the standalone service and its in-cluster Postgres and Redis dependencies; it does not migrate existing repository secrets or install a secret-sync operator.
### Summary
If Infisical is unavailable, operators cannot use it for new secret-management workflows. Existing services continue using their current secret sources until a separate migration is planned.
### Dependencies

| Dependency | Type | Why it matters |
| --- | --- | --- |
| Traefik | ingress | External HTTPS access to the UI and API |
| Postgres | database | Persistent Infisical application state |
| Redis | cache/session | Runtime cache and queue dependency |
| local-path | storage | PVC provisioning for the standalone local deployment |
## 2. Architecture Diagram

```text
[Operator / CLI / API client]
  -> [Traefik]
    -> [Infisical Deployment]
      -> [infisical-postgres PVC]
      -> [infisical-redis PVC]
```
## 3. Deployment Specifications

| Item | Value |
| --- | --- |
| Source path | `infisical/base` and `infisical/overlays/local` |
| Deployment model | Kustomize plus Fleet bundle |
| Namespace | `infisical` |
| Workload kind | Deployment plus Postgres and Redis StatefulSets |
| Images | `infisical/infisical:v0.161.10`, `postgres:16.14-alpine`, `redis:7.4.9-alpine` |
| Storage | local-path, Postgres 8Gi, Redis 1Gi |
| Probes | Infisical `GET /api/status`, Postgres `pg_isready`, Redis `redis-cli ping` |
| RBAC | No dedicated RBAC; ServiceAccount token automount disabled |
| Config files | `base/kustomization.yaml`, `overlays/local/kustomization.yaml`, `fleet.yaml` |
### Cluster mapping

| Cluster | Overlay path | Notes |
| --- | --- | --- |
| local | `infisical/overlays/local` | Current standalone deployment |
## 4. Configuration Guide

### Environment variables

| Variable | Source | Purpose | Secret? |
| --- | --- | --- | --- |
| `SITE_URL` | ConfigMap `infisical-config` | Public URL for callbacks and generated links | no |
| `NODE_ENV` | ConfigMap `infisical-config` | Production runtime mode | no |
| `ENCRYPTION_KEY` | Secret `infisical-secrets` | 256-bit base64-encoded AES-256-GCM key for KMS encryption. Generate with `openssl rand -base64 32` | yes |
| `ROOT_ENCRYPTION_KEY` | Secret `infisical-secrets` | Optional dedicated 256-bit base64 KMS root key; takes precedence over `ENCRYPTION_KEY` for KMS when set | yes |
| `AUTH_SECRET` | Secret `infisical-secrets` | JWT and auth signing secret | yes |
| `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB` | Secret `infisical-secrets` | Postgres bootstrap and app connection values | yes |
| `REDIS_PASSWORD` | Secret `infisical-secrets` | Redis authentication | yes |
| `DB_CONNECTION_URI`, `REDIS_URL` | Deployment env expansion | Runtime dependency connection strings | yes |
Because `DB_CONNECTION_URI` and `REDIS_URL` are assembled by Kubernetes environment-variable expansion, the raw `POSTGRES_PASSWORD` and `REDIS_PASSWORD` values are substituted into the connection strings without percent-encoding. Choose URI-safe Postgres and Redis passwords, or plan a follow-up that stores pre-encoded connection strings in the Secret.
### ConfigMaps

| Resource | Path | Purpose |
| --- | --- | --- |
| `infisical-config` | `infisical/overlays/local/infisical-configmap.yaml` | Non-secret runtime URL and mode |
### Secrets management

- Secret name: `infisical-secrets` in namespace `infisical`.
- Required keys: `ENCRYPTION_KEY`, `AUTH_SECRET`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `REDIS_PASSWORD`.
- Optional keys: `ROOT_ENCRYPTION_KEY`.
- Source of truth: manually created Kubernetes Secret from an out-of-band env file based on `infisical-secrets.env.example`.
- Rotation trigger: operator-initiated rotation, incident response, or dependency credential rotation.
- Recovery note: restore or recreate `infisical-secrets` before starting the Infisical, Postgres, or Redis pods.
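The following POSIX sh script is an added example (not tooling from the Infisical project or this repository) that checks an out-of-band env file against the Secret contract above and the env-expansion caveat in the environment-variable section before the file is turned into `infisical-secrets`: every required key present, `ENCRYPTION_KEY` (and `ROOT_ENCRYPTION_KEY` when set) shaped like the output of `openssl rand -base64 32`, and the Postgres and Redis passwords limited to characters that survive unencoded inside `user:pass@host`. The function names and the conservative "RFC 3986 unreserved characters only" definition of URI-safe are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the project's own tooling: validate the out-of-band env file before it becomes the infisical-secrets Secret.
REQUIRED_KEYS="ENCRYPTION_KEY AUTH_SECRET POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB REDIS_PASSWORD"

# Print the value of KEY from a KEY=VALUE file ($1 = file, $2 = key); empty when absent.
env_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Passwords are expanded straight into user:pass@host, so this check only accepts
# RFC 3986 unreserved characters; anything else needs a pre-encoded connection string.
uri_safe() {
  case "$1" in
    '' | *[!A-Za-z0-9._~-]*) return 1 ;;
  esac
  return 0
}

# `openssl rand -base64 32` yields 44 characters: 43 base64 digits plus one '=' pad.
is_256bit_b64() {
  [ "${#1}" -eq 44 ] || return 1
  case "$1" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  return 0
}

# Returns 0 when the file satisfies the Secret contract, 1 otherwise (problems are echoed).
check_env_file() {
  file=$1; rc=0
  for k in $REQUIRED_KEYS; do
    if [ -z "$(env_value "$file" "$k")" ]; then
      echo "missing required key: $k"; rc=1
    fi
  done
  for k in ENCRYPTION_KEY ROOT_ENCRYPTION_KEY; do   # ROOT_ENCRYPTION_KEY is optional
    v=$(env_value "$file" "$k")
    if [ -n "$v" ] && ! is_256bit_b64 "$v"; then
      echo "$k is not a 256-bit base64 key"; rc=1
    fi
  done
  for k in POSTGRES_PASSWORD REDIS_PASSWORD; do
    v=$(env_value "$file" "$k")
    if [ -n "$v" ] && ! uri_safe "$v"; then
      echo "$k contains URI-unsafe characters; store a pre-encoded URI instead"; rc=1
    fi
  done
  return $rc
}
if [ "$#" -eq 1 ]; then check_env_file "$1"; fi   # usage: sh check-env.sh infisical-secrets.env
```

Run it against the filled-in copy of `infisical-secrets.env.example` before `kubectl create secret generic infisical-secrets -n infisical --from-env-file=<file>`; a non-zero exit means the Secret would start Infisical with a broken connection string or an unusable KMS key.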
## 5. Access Protocols

| Path | URL or endpoint | Audience | Auth | TLS terminates at |
| --- | --- | --- | --- | --- |
| Internal | `infisical.infisical.svc.cluster.local:8080` | Cluster workloads and diagnostics | namespace access plus Infisical auth | none internally |
| External | https://infisical.mutana.fr | Operators and future GitOps clients | Infisical auth | Traefik |
Authelia forward auth is intentionally not placed in front of Infisical in this deployment so CLI, API, callback, and machine-identity flows remain direct.
## 6. Operations and Observability

- Primary health indicators: Infisical Deployment ready, Postgres and Redis StatefulSets ready, PVCs bound, and `/api/status` returns HTTP 200.
- Dashboards or alerts: shared cluster monitoring and ingress health.
- Log locations: `deploy/infisical`, `statefulset/infisical-postgres`, and `statefulset/infisical-redis`.
- Known failure modes: missing `infisical-secrets`, URI-unsafe passwords that break the expanded connection strings, PVC provisioning failure, database startup delay, or IngressRoute/TLS routing issue.
## 7. Backup and Recovery Notes

- Backup method: snapshot the Postgres and Redis PVCs and preserve `infisical-secrets`.
- Restore prerequisites: restored PVC data, matching Secret values, `local-path` availability, and the Traefik route.
- Backup gap: a tested restore drill for Infisical has not been completed yet.
- Related runbook: ../runbooks/infisical.md
## 8. Release and Change Notes

- Current deployed app version: `infisical/infisical:v0.161.10`.
- Current chart version: N/A.
- Last significant change: initial standalone local deployment with Postgres, Redis, Traefik exposure, manual Secret contract, and no operator.
- Rollback reference: remove or revert the `infisical/` Fleet path and workload manifests; preserve PVC snapshots and Secret values for recovery.