Infisical - keep your secrets private

  • Writer: Marko Brkusanin
  • Jul 23

Managing secrets and sensitive information in software development has always been an important task: database credentials, API keys, tokens, SSH keys, you name it. Every month we read about another data breach in which some company's secrets have been exposed. We have all seen that image of the security budget before and after a cybersecurity breach, so security must be taken seriously.

There are a couple of tools that can manage your secrets, but in recent years there has been only one king on the throne: HashiCorp Vault. It is a mature product with excellent integration with different tools and frameworks, such as CI/CD (Jenkins, GitLab), container orchestration (Kubernetes, Docker Swarm, Nomad), etc. However, Vault is quite resource-intensive, and it may not be suitable for smaller companies that seek simpler yet efficient tools to accomplish similar tasks.

Infisical is a serious contender for that throne. It is a lightweight app that can be used in two ways: self-hosted in your own environment, or as a cloud app at https://app.infisical.com/signup. Both ways have their pros and cons.

A good thing about Infisical is that its pricing model has a free tier (at least for now), and for smaller companies and startups this tier can be enough. More details can be found here: https://infisical.com/pricing

The Infisical UI is quick and intuitive. It organizes secrets into organizations, which can have multiple projects, and each project can have multiple environments in which you store secrets.

If you are using Kubernetes (if not, please start :-) ), you can install Infisical using the Helm chart, which is publicly available on their GitHub repository, or you can simply sign up for the cloud version.

Image 1 - Infisical projects dashboard

When you open the project, you will see that there are three environments by default:

  1. Development

  2. Staging

  3. Production

One thing I like about Infisical is that you can easily compare secret values for each environment.


Image 2 - Secrets overview

By default, Infisical keeps the last 10 versions of a secret value, so you can easily revert changes, and you can also see who modified the secret value.

Image 3 - Secret value versions

There are different ways to use Infisical, but I will talk about two:

  1. Manage secrets for Kubernetes pods

  2. Infisical CLI for CI/CD pipelines


Infisical Kubernetes integration

To connect Infisical to our Kubernetes cluster, we need to use one of Infisical's authentication methods. We can do that in two ways:


After we have connected Infisical to the Kubernetes cluster using the Infisical Operator, all we have to do is create an InfisicalSecret object. It fetches the secrets of a specific project and a specific environment and saves them as a Kubernetes secret, which can then be attached to a dedicated pod.


apiVersion: secrets.infisical.com/v1alpha1 # API group of the Infisical operator CRDs
kind: InfisicalSecret
metadata:
  name: app-secret
  namespace: dev
spec:
  authentication:
    universalAuth:
      secretsScope:
        projectSlug: ebisoft-b13-r # <-- project slug
        envSlug: dev # "dev", "staging", "prod", etc.
        secretsPath: "/app1/" # Root is "/"
      credentialsRef:
        secretName: universal-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
        secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials
  managedKubeSecretReferences:
    - secretName: app1-secret # <-- Kubernetes secret the operator creates and keeps in sync
      secretNamespace: dev
      creationPolicy: "Owner"

Infisical will, by default, sync every 30 seconds, and if you create new or modify existing secrets in Infisical, it will create a new Kubernetes secret with the latest changes. Creating a new secret does not apply those changes to existing pods, so you would need to restart the pods to use the latest version of the Kubernetes secret, which is not handy (imagine you have hundreds of pods :-0 ). Infisical has a solution for this problem: by adding an annotation to the Kubernetes Deployment object, you can force the pods to restart automatically whenever there is a new version of the Kubernetes secret.


apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: dev
  name: app1
  annotations:
    secrets.infisical.com/auto-reload: "true" # <-- restart pods when the managed secret changes

This option was really praised by the Dev team on my project, because every time they add or modify a secret, the changes are applied automatically. You will want to leave this option out for the production environment, because sometimes even a simple environment variable change can break the app.


Infisical CLI

The second good use is the Infisical CLI. You can create a Docker image with the Infisical CLI installed and use that image to fetch secrets from Infisical. In this example, I used a lightweight base image, which is bare Alpine with bash, and its size is only 14.7 MB. In order to fetch secrets from Infisical, we need to authenticate from our Docker container, and then we can use the infisical CLI to get the secrets. First, we create a service token for a specific project, setting the scope of that token.

Image 4 - Project service token

This value is set in the environment variable INFISICAL_TOKEN=<generated_service_token>

Second, we need to set INFISICAL_API_URL=https://eu.infisical.com/api

The third environment variable is the ID of the project from which we are fetching secrets:

INFISICAL_PROJECT_ID=<project_id>


Image 5 - Project ID

After we set all three env vars, we can simply run the infisical CLI command to fetch the secrets and save them to a .env file, which can then be consumed by apps or scripts:


infisical export --projectId=$INFISICAL_PROJECT_ID --path=/app1 --env=dev > dev.env
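As an added example that is not part of the original post, here is an entrypoint-style script for the Alpine image described above: it refuses to run unless the three variables are set, writes the exported .env file with owner-only permissions, and treats an empty export as a failure. The variable names, the /app1 path and the dev environment come from the post; it assumes the real infisical binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): entrypoint-style script for the
# Alpine+bash image described above. Variable names, the /app1 path and the
# "dev" environment come from the post; the real `infisical` binary is assumed
# to be on PATH. Nothing here prints a secret value.
set -eu

# Fail fast if any of the three required variables is unset or empty,
# reporting the variable name only, never its value.
require_env() {
  missing=0
  for var in INFISICAL_TOKEN INFISICAL_API_URL INFISICAL_PROJECT_ID; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "error: $var is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# fetch_secrets ENV_SLUG SECRETS_PATH OUT_FILE
# Runs the export command from the post and writes the .env file with mode 600,
# so other users in the container or on a shared build agent cannot read it.
# An empty export is treated as a failure and the file is removed.
fetch_secrets() {
  env_slug="$1"; secrets_path="$2"; out_file="$3"
  require_env || return 1
  # umask in a subshell so only the redirected file gets the restrictive mode
  ( umask 077
    infisical export --projectId="$INFISICAL_PROJECT_ID" \
      --path="$secrets_path" --env="$env_slug" > "$out_file" )
  if ! grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=' "$out_file"; then
    echo "error: export to $out_file contained no KEY=VALUE lines" >&2
    rm -f "$out_file"
    return 1
  fi
  # Report only the number of secrets, never their contents
  echo "fetched $(grep -Ec '^[A-Za-z_][A-Za-z0-9_]*=' "$out_file") secrets into $out_file"
}

# Typical use in the container entrypoint (uncomment in a real image):
# fetch_secrets dev /app1 dev.env && set -a && . ./dev.env && set +a && exec "$@"
```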

Infisical integrations

Image 6 - Secret sync

Image 7 - Native integrations

Image 8 - Framework integrations

Image 9 - Infrastructure integration

This was only a glimpse of what Infisical can do. Infisical is already a mature product that can seriously be considered as the secrets management tool for your company. Its various integrations can meet the different requirements of your project, and as you have read, even the free version can be a good starting point. Start securing your secrets; don't let a data breach ruin your business.
