Infisical Open Source SecretOps: Apply it using GitOps approach.

In this article we will describe how to set up Infisical in AKS using ArgoCD and Helm and how to integrate with an application using kustomize.

Infisical just unlocked a big challenge in GitOps by providing a CRD ( Custom Resource Definition ) that pulls secrets stored and centralized and managed within one easy and clear dashboard , and make it easy to use in kustomize/helm templates in order to keep secret rotation smooth , simple and secure.

Prerequisites.

Git
GitHub repository
Kubernetes cluster with ArgoCD installed
Infisical Helm chart
Your own repository
kustomize

First we need to fork the repository in order to easily update helm chart values.

Then once we forked the repository we can go to helm chart and update values.yaml with our own parameters .

To be able to access the frontend of Infisical , Ingress should be activated.

##Update the ingress parameters inside infisical/helm-charts/infisical/values.yaml


ingress:
  ## @param ingress.enabled Enable ingress
  ##
  enabled: true
  ## @param ingress.ingressClassName Ingress class name
  ##
  ingressClassName: nginx
  ## @param ingress.nginx.enabled Ingress controller
  ##
  nginx:
    enabled: false
  ## @param ingress.annotations Ingress annotations
  ##
  annotations:
    {}
    # kubernetes.io/ingress.class: "nginx"
    # cert-manager.io/issuer: letsencrypt-nginx
  ## @param ingress.hostName Ingress hostname (your custom domain name, e.g. `infisical.example.org`)
  ## Replace with your own domain
  ##
  hostName: "infisical.yourdomain.com"

In order to use email authentication service we need to configure the SMTP from values.yaml file.

You can find here the different email providers and how to configure https://infisical.com/docs/self-hosting/configuration/email

## Update the ingress parameters inside infisical/helm-charts/infisical/values.yaml

  SMTP_HOST: smtp.office365.com
  SMTP_USERNAME: username@yourdomain.com # your username
  SMTP_PASSWORD: password # your password
  SMTP_PORT: 587
  SMTP_SECURE: true
  SMTP_FROM_ADDRESS: username@yourdomain.com
  SMTP_FROM_NAME: Infisical
  ## @param backendEnvironmentVariables.SITE_URL Absolute URL including the protocol (e.g. https://app.infisical.com)
  ##
  SITE_URL: infisical.local
  ## @param backendEnvironmentVariables.INVITE_ONLY_SIGNUP To disable account creation from the login page (invites only)
  ##
  INVITE_ONLY_SIGNUP: false

Now , create a “tooling” folder in your repository where you can install all your tools.

Make sure your tooling folder respects the helm chart standards.

.
└── automatic
    ├── Chart.yaml
    ├── templates
    │   └── Infisical
    │       ├── infisical.yaml   #argocd application manifest
    │       └── secrets-operator.yaml  #argocd application manifest
    └── values.yaml

We have to add 2 manifests here “infisical.yaml” and “secrets-operator.yaml” and then update values.yaml.

#infisical.yaml

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infisical
  namespace: argocd
spec:
  destination:
    namespace: infisical
    server:  {{ .Values.spec.destination.server }}
  project: default
  source:
    path: helm-charts/infisical   #infisical deployment 
    repoURL: https://github.com/HasseneFliss/infisical.git   #add your infisical repository url
    targetRevision: HEAD

#secrets-operator.yaml

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infisical-secret-operator
  namespace: argocd
spec:
  destination:
    namespace: infisical
    server:  {{ .Values.spec.destination.server }}
  project: default
  source:
    path: helm-charts/secrets-operator #secret operator deployment
    repoURL: https://github.com/HasseneFliss/infisical.git  #add your infisical repository url
    targetRevision: HEAD

#values.yaml

spec:
  destination:
    server: https://kubernetes.default.svc  #add your targeted cluster (here is local cluster)

Now Let’s go to ArgoCD and create a central tooling deployment project ( Don’t forget to add your repository in ArgoCD, You can refer to this link for that https://argo-cd.readthedocs.io/en/stable/user-guide/private-repositories/).

Once set up , you will see that infiscal and its secret operator have been added.

Now if we check both of them we should get the below kubernetes objects created.

To make sure that your pod is running perfectly and SMTP is perfectly configured , in infisical ArgoCD project , your backend pod log suppose to have logs like shown below.

Now that we have everything working perfectly , let’s login.

Hit your ingress url and create an adminstrator account for theby clicking the “Continue with Email” .

If you don’t have an account , click on “create an account”.

Enter your email id and click the “Get Started” option and email with security code will be send to you.
Fill the security code and click on “Verify”.

Enter the details accordingly and click “Sign Up” option

Once you sign up, you will need to download “Emergency Kit” and save it somewhere safe. If you get locked out of your account, we can use this emergency kit to unlock it

Now we are redirected to the homepage of Infisical

Configuration

Create a new project by clicking the “Add New Project” and name your project “MyApp”.

Once you created the project , you will get an interface like below. We can see different environments like Development, Staging and Production.
We are going to add the secrets in the Development environment by clicking the “Go to Development” option.

Infisical offers the possibility of copying secrets from other environments and upload env files .
We can also create a secret by clicking the “Add a new secret” option.

Add the required secrets and save the changes

Secrets Operator Setup

First, we need to generate a Service Token from our project settings

Select the “Create token” option and enter a name for the service token.
Select the environment, secrets path, expiration and permissions according to your use case and click on “Create” option

Once the service token is created, copy and save it somewhere safe. We need this token to configure the secrets operator

We need to create now a Kubernetes secret containing the Service Token.

  $ kubectl -n infisical-demo create secret generic infisical-secret --from-literal=infisicalToken=ADD YOUR TOKEN HERE 
  secret/infisical-secret created

Application template using Kustomize

We need to deploy a sample Nginx application using the below manifest file in order to use the created secret.
The annotation secrets.infisical.com/auto-reload: "true" ensures that it automatically redeploys when managed secrets are changed.
For this we will use the GitOps approach using Kustomize.
First we need to create a Kustomize repository where we will have our manifests ( We don’t need to create the svc.yaml and ingress.yaml and other objects as our goal is to use Infisical only here ).

Let’s start with the Base

# crd-infisical.yaml


  apiVersion: secrets.infisical.com/v1alpha1
  kind: InfisicalSecret
  metadata:
    name: infisical-demo
    namespace: infisical-demo
  spec:
    hostAPI: http://infisical-backend.infisical.svc.cluster.local:4000/api
    resyncInterval: 10
    authentication:
      serviceToken:
        serviceTokenSecretReference:
          secretName: infisical-secret         #Secret that has our token
          secretNamespace: infisical-demo
        secretsScope:
          envSlug: dev
          secretsPath: "/"
    managedSecretReference:
      secretName: infisical-ui-managed-secret   #Secret that will be generated 
      secretNamespace: infisical-demo

# deployment.yaml


  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: myapp
    namespace: infisical-demo
    labels:
      app: myapp
    annotations: 
      secrets.infisical.com/auto-reload: "true"
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: maypp
    template:
      metadata:
        labels:
          app: myapp
      spec:
        containers:
        - name: myapp
          image:  < ADD YOUR IMAGE HERE >
          envFrom:
          - secretRef:
              name: infisical-ui-managed-secret   ##Secret that will be generated
          ports:
          - containerPort: 80

#namespace.yaml

apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: infisical-demo
    annotations:
      argocd.argoproj.io/sync-wave: "-1"
  name: infisical-demo
#Kustomization


apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
  
resources:
    - deployment.yaml
    - namespace.yaml
    - crd-infisical.yaml

generatorOptions:
 disableNameSuffixHash: true

Let’s move to overlay/dev folder now.

#deployment-patch.yaml


- op: replace
  path: /spec/template/spec/containers/0/image
  value: nginx


- op: add 
  path: /spec/revisionHistoryLimit
  value: 2

#kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
  
resources:
- ../../base

  
patches:

- path: ./patches/deployment-patch.yaml
  target:
    kind: Deployment
    version: v1


images:
- name: nginx
  newTag: 1.25.2

Application deployment using ArgoCD

Create your ArgoCD project and point it to ( Do not forget to import your repository to ArgoCD )
You can use my repository as reference https://github.com/HasseneFliss/demo-infisical.git

We can see that “infisical-demo” CRD has been created.
To make sure if the secret pulling is done successfully , we can check the live manifest of “infisical-demo”.