Infisical
Scope
Infisical was the previous secret backend, now superseded by HashiCorp Vault (tazlab-secrets-vault). It is retained as a legacy fallback for external consumers (TazPod, setup scripts), and its decommission is tracked in 20-infisical-decommission.
Current Status
- All cluster ExternalSecrets → migrated to tazlab-secrets-vault (HashiCorp Vault) ✅
- tazlab-secrets store → still deployed by Terraform engine layer (empty credentials, no cluster consumers)
- External consumers (setup.sh, TazPod) → still use Infisical until decommission
- Bootstrap → no longer depends on Infisical (secrets read from ~/secrets/ local files)
Decommission Timeline
Tracked in CRISP project 20-infisical-decommission. Prerequisites:
- ✅ All ExternalSecrets migrated to Vault
- ✅ Bootstrap chain Infisical-free
- ⏳ secrets-fetcher migrated to Vault (P6, chicken-egg problem)
- ⏳ Confirm no external consumers still depend on Infisical
Relationships
- central to TazLab Secret And Identity Flow
- central to TazLab Infrastructure Tech Stack
- visible in TazLab K8s Configs
Source Basis
- AGENTS.ctx/tazlab-k8s/CONTEXT.md
- AGENTS.ctx/ephemeral-castle/CONTEXT.md