From aa5c8eeff8cd9079fdde148513cc81db0de51c8c Mon Sep 17 00:00:00 2001 From: Daniel Hougaard Date: Sat, 8 Nov 2025 05:11:27 +0400 Subject: [PATCH] docs(agent): credentials revocation --- docs/integrations/platforms/infisical-agent.mdx | 4 +++- docs/integrations/platforms/kubernetes-injector.mdx | 10 ++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/integrations/platforms/infisical-agent.mdx b/docs/integrations/platforms/infisical-agent.mdx index a93bfcdf0a..43d322faac 100644 --- a/docs/integrations/platforms/infisical-agent.mdx +++ b/docs/integrations/platforms/infisical-agent.mdx @@ -48,6 +48,8 @@ While specifying an authentication method is mandatory to start the agent, confi | Field | Description | | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `infisical.address` | The URL of the Infisical service. Default: `"https://app.infisical.com"`. | +| `infisical.exit-after-auth` | Whether to exit the agent after authentication and first secret render. Default: `"false"`. | +| `infisical.revoke-credentials-on-shutdown` | Whether to revoke all managed dynamic secret leases and identity access tokens on shutdown. Default: `"false"`. | | `auth.type` | The type of authentication method used. Available options: `universal-auth`, `kubernetes`, `azure`, `gcp-id-token`, `gcp-iam`, `aws-iam` | | `auth.config.identity-id` | The file path where the machine identity id is stored

This field is required when using any of the following auth types: `kubernetes`, `azure`, `gcp-id-token`, `gcp-iam`, or `aws-iam`. | | `auth.config.service-account-token` | Path to the Kubernetes service account token to use (optional)

Default: `/var/run/secrets/kubernetes.io/serviceaccount/token` | @@ -58,7 +60,7 @@ While specifying an authentication method is mandatory to start the agent, confi | `sinks[].type` | The type of sink in a list of sinks. Each item specifies a sink type. Currently, only `"file"` type is available. | | `sinks[].config.path` | The file path where the access token should be stored for each sink in the list. | | `templates[].source-path` | The path to the template file that should be used to render secrets. | -| `templates[].template-content` | The inline secret template to be used for rendering the secrets. | +| `templates[].template-content` | The inline secret template to be used for rendering the secrets. | | `templates[].destination-path` | The path where the rendered secrets from the source template will be saved to. | | `templates[].config.polling-interval` | How frequently to check for secret changes. Default: `5 minutes` (optional) | | `templates[].config.execute.command` | The command to execute when secret change is detected (optional) | diff --git a/docs/integrations/platforms/kubernetes-injector.mdx b/docs/integrations/platforms/kubernetes-injector.mdx index c8fabbb345..06e1c2125f 100644 --- a/docs/integrations/platforms/kubernetes-injector.mdx +++ b/docs/integrations/platforms/kubernetes-injector.mdx 
@@ -145,6 +145,16 @@ The entire config needs to be of string format and needs to be assigned to the ` The address of your Infisical instance. This field is optional and will default to `https://app.infisical.com` if not provided. + + Whether to revoke all managed dynamic secret leases and identity access tokens on shutdown. Default: `"false"`. + + If this is set to `true`, all managed dynamic secret leases and identity access tokens will be revoked when the pod is deleted. + + + Note that this is currently unsupported on Windows-based pods, and will only work when injecting into Linux-based pods. + + + The authentication type to use to connect to Infisical. Currently only the `kubernetes` authentication type is supported. You can refer to our [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth) documentation for more information on how to create a machine identity for Kubernetes Auth.
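Review bot: In the first hunk of docs/integrations/platforms/infisical-agent.mdx (@@ -48,6 +48,8 @@), the two new rows do not say how `infisical.exit-after-auth` and `infisical.revoke-credentials-on-shutdown` behave when both are enabled. Exiting after the first render is a shutdown, so a reader cannot tell whether the agent would then revoke the access token and dynamic secret leases it has just written out. Please add a sentence to one of the rows stating the behaviour for that combination. Both defaults are written as the quoted string `"false"`; if the fields are booleans, write `false`, or say explicitly that a string is expected. `infisical.exit-after-auth` is also not covered by the commit subject ("credentials revocation"), so mention it in the commit message or move it to its own commit.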
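Review bot: In the second hunk of infisical-agent.mdx (@@ -58,7 +60,7 @@), the removed and added `templates[].template-content` rows carry the same text, so this is a whitespace-only change unrelated to credentials revocation. If it is table realignment produced by a formatter, say so in the commit message; otherwise drop it so the diff stays limited to the new fields.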
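Review bot: In the docs/integrations/platforms/kubernetes-injector.mdx hunk (@@ -145,6 +145,16 @@), "will be revoked when the pod is deleted" does not cover pod terminations in which the agent gets no chance to run its shutdown path, such as a forced kill or loss of the node. Please state what happens to the leases and identity access tokens in that case (for example, that they stay valid until they expire on their own, if that is the behaviour), so operators do not treat this option as their only cleanup mechanism. The Windows note should also say what happens when the option is set to `true` on a Windows-based pod: whether it is silently ignored or reported as an error. The default is written as `"false"` while the following sentence uses an unquoted `true`; pick one form, consistent with the context line's statement that the entire config needs to be of string format.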