Infisical

Scope

Infisical was the previous secret backend, now superseded by HashiCorp Vault (tazlab-secrets-vault). It is retained as a legacy fallback for external consumers (TazPod, setup scripts), and its decommission is tracked in 20-infisical-decommission.

Current Status

  • All cluster ExternalSecrets → migrated to tazlab-secrets-vault (HashiCorp Vault) ✅
  • tazlab-secrets store → still deployed by Terraform engine layer (empty credentials, no cluster consumers)
  • External consumers (setup.sh, TazPod) → still use Infisical until decommission
  • Bootstrap → no longer depends on Infisical (secrets read from ~/secrets/ local files)

Decommission Timeline

Tracked in CRISP project 20-infisical-decommission. Prerequisites:

  • ✅ All ExternalSecrets migrated to Vault
  • ✅ Bootstrap chain Infisical-free
  • secrets-fetcher migrated to Vault (P6, chicken-egg problem)
  • ⏳ Confirm no external consumers still depend on Infisical

Relationships

Source Basis

  • AGENTS.ctx/tazlab-k8s/CONTEXT.md
  • AGENTS.ctx/ephemeral-castle/CONTEXT.md