Merge pull request #3631 from Infisical/daniel/password-resets-fix

fix(password-resets): allow password resets when users don't have a password set

backend/src/ee/services/hsm/hsm-fns.ts

@@ -24,9 +24,13 @@ export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured
       isInitialized = true;
 
       logger.info("PKCS#11 module initialized");
-    } catch (err) {
-      logger.error(err, "Failed to initialize PKCS#11 module");
-      throw err;
+    } catch (error) {
+      if (error instanceof pkcs11js.Pkcs11Error && error.code === pkcs11js.CKR_CRYPTOKI_ALREADY_INITIALIZED) {
+        logger.info("Skipping HSM initialization because it's already initialized.");
+      } else {
+        logger.error(error, "Failed to initialize PKCS#11 module");
+        throw error;
+      }
     }
   };
 

backend/src/services/auth/auth-password-service.ts

@@ -189,16 +189,15 @@ export const authPaswordServiceFactory = ({
       throw new BadRequestError({ message: `User encryption key not found for user with ID '${userId}'` });
     }
 
-    if (!user.hashedPassword) {
-      throw new BadRequestError({ message: "Unable to reset password, no password is set" });
-    }
-
     if (!user.authMethods?.includes(AuthMethod.EMAIL)) {
       throw new BadRequestError({ message: "Unable to reset password, no email authentication method is configured" });
     }
 
     // we check the old password if the user is resetting their password while logged in
     if (type === ResetPasswordV2Type.LoggedInReset) {
+      if (!user.hashedPassword) {
+        throw new BadRequestError({ message: "Unable to change password, no password is set" });
+      }
       if (!oldPassword) {
         throw new BadRequestError({ message: "Current password is required." });
       }

docs/documentation/platform/kms/hsm-integration.mdx

@@ -38,7 +38,7 @@ Enabling HSM encryption has a set of key benefits:
 ### Requirements
 - An Infisical instance with a version number that is equal to or greater than `v0.91.0`.
 - If you are using Docker, your instance must be using the `infisical/infisical-fips` image.
-- An HSM device from a provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm), [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), or others.
+- An HSM device from a provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm), [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), [Fortanix HSM](https://www.fortanix.com/platform/data-security-manager), or others.
 
 
 ### FIPS Compliance
@@ -53,14 +53,14 @@ For organizations that work with US government agencies, FIPS compliance is almo
 
 <Steps>
     <Step title="Setting up an HSM Device">
-        To set up HSM encryption, you need to configure an HSM provider and HSM key. The HSM provider is used to connect to the HSM device, and the HSM key is used to encrypt Infisical's KMS keys. We recommend using a Cloud HSM provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm) or [AWS CloudHSM](https://aws.amazon.com/cloudhsm/).
+        To set up HSM encryption, you need to configure an HSM provider and HSM key. The HSM provider is used to connect to the HSM device, and the HSM key is used to encrypt Infisical's KMS keys. We recommend using a Cloud HSM provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm), [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), or [Fortanix HSM](https://www.fortanix.com/platform/data-security-manager).
 
         You need to follow the instructions provided by the HSM provider to set up the HSM device. Once the HSM device is set up, the HSM device can be used within Infisical.
 
         After setting up the HSM from your provider, you will have a set of files that you can use to access the HSM. These files need to be present on the machine where Infisical is running.
         If you are using containers, you will need to mount the folder where these files are stored as a volume in the container.
 
-        The setup process for an HSM device varies depending on the provider. We have created a guide for Thales Luna Cloud HSM, which you can find below.
+        The setup process for an HSM device varies depending on the provider. We have created guides for Thales Luna Cloud HSM and Fortanix HSM, which you can find below.
         
     </Step>
     <Step title="Configure HSM on Infisical">
@@ -255,6 +255,78 @@ For organizations that work with US government agencies, FIPS compliance is almo
         </Steps>
         After following these steps, your Docker setup will be ready to use HSM encryption.
       </Tab>
+      <Tab title="Fortanix HSM">
+        <Steps>
+          <Step title="Set up Fortanix HSM">
+            To use Fortanix HSM with Infisical, you need to:
+            
+            1. Create an App in Fortanix:
+               - Set Interface value to be PKCS#11
+               - Select API key as authentication method
+               - Assign app to a group
+            
+              ![Fortanix HSM Setup](/images/platform/kms/hsm/fortanix-hsm-setup.png)
+
+            2. Take note of the domain (e.g., apac.smartkey.io). You will need this to set up the configuration file for the Fortanix client.
+          </Step>
+          
+          <Step title="Install PKCS11 Library">
+            The easiest approach would be to download the `.so` file for Linux directly from the [Fortanix PKCS#11 installation page](https://fortanix.zendesk.com/hc/en-us/sections/4408769080724-PKCS-11).
+            
+            Create a configuration file named `pkcs11.conf` with the following content:
+            
+            ```
+            api_endpoint = "https://apac.smartkey.io"
+            prevent_duplicate_opaque_objects = true
+            retry_timeout_millis = 60000
+            ```
+            
+            Note: Replace `apac.smartkey.io` with your actual Fortanix domain if different. For more details about the configuration file format and additional options, refer to the [Fortanix PKCS#11 Configuration File Documentation](https://support.fortanix.com/docs/clients-pkcs11-library#511-configuration-file-format).
+          </Step>
+          
+          <Step title="Create a directory for Fortanix files">
+            Create a directory to store the Fortanix library and configuration file:
+            
+            ```bash
+            mkdir -p /etc/fortanix-hsm
+            ```
+            
+            Copy the downloaded `.so` file and the `pkcs11.conf` file to this directory:
+            
+            ```bash
+            cp /path/to/fortanix_pkcs11_4.37.2554.so /etc/fortanix-hsm/
+            cp /path/to/pkcs11.conf /etc/fortanix-hsm/
+            ```
+          </Step>
+          
+          <Step title="Run Docker">
+            Run Docker with Fortanix HSM by mounting the directory and setting the required environment variables:
+            
+            ```bash
+            docker run -p 80:8080 \
+              -v /etc/fortanix-hsm:/etc/fortanix-hsm \
+              -e HSM_LIB_PATH="/etc/fortanix-hsm/fortanix_pkcs11_4.37.2554.so" \  # Path to the PKCS#11 library
+              -e HSM_PIN="MDE3YWUxO..." \  # Your Fortanix app API key used for authentication
+              -e HSM_SLOT=0 \              # Slot value (arbitrary for Fortanix HSM)
+              -e HSM_KEY_LABEL="hsm-key-label" \  # Label to identify the encryption key in the HSM
+              -e FORTANIX_PKCS11_CONFIG_PATH="/etc/fortanix-hsm/pkcs11.conf" \  # Path to Fortanix configuration file
+              
+              # The rest are unrelated to HSM setup...
+              -e ENCRYPTION_KEY="<>" \
+              -e AUTH_SECRET="<>" \
+              -e DB_CONNECTION_URI="<>" \
+              -e REDIS_URL="<>" \
+              -e SITE_URL="<>" \
+              infisical/infisical-fips:<version> # Replace <version> with the version you want to use
+            ```
+            
+            <Warning>
+              Note: Fortanix HSM integration only works for AMD64 CPU architectures.
+            </Warning>
+          </Step>
+        </Steps>
+        After following these steps, your Docker setup will be ready to use Fortanix HSM encryption.
+      </Tab>
     </Tabs>
   </Tab>
   <Tab title="Kubernetes">
@@ -569,6 +641,173 @@ For organizations that work with US government agencies, FIPS compliance is almo
         </Steps>
         After following these steps, your Kubernetes setup will be ready to use HSM encryption.
       </Tab>
+      <Tab title="Fortanix HSM">
+        <Steps>
+          <Step title="Set up Fortanix HSM">
+            First, you need to set up Fortanix HSM by:
+            
+            1. Creating an App in Fortanix:
+               - Set Interface value to be PKCS#11
+               - Select API key as authentication method
+               - Assign app to a group
+
+              ![Fortanix HSM Setup](/images/platform/kms/hsm/fortanix-hsm-setup.png)
+
+            2. Take note of the domain (e.g., apac.smartkey.io). You will need this when setting up the configuration file.
+          </Step>
+          
+          <Step title="Create configuration files">
+            Create a directory to store the Fortanix configuration files:
+            
+            ```bash
+            mkdir -p /etc/fortanix-hsm
+            ```
+            
+            Download the Fortanix PKCS#11 library for Linux from the [Fortanix PKCS#11 installation page](https://fortanix.zendesk.com/hc/en-us/sections/4408769080724-PKCS-11).
+            
+            Create a configuration file named `pkcs11.conf` with the following content:
+            
+            ```
+            api_endpoint = "https://apac.smartkey.io"
+            prevent_duplicate_opaque_objects = true
+            retry_timeout_millis = 60000
+            ```
+            
+            Note: Replace `apac.smartkey.io` with your actual Fortanix domain if different.
+          </Step>
+          
+          <Step title="Creating a Persistent Volume Claim (PVC)">
+            Create a Persistent Volume Claim to store the Fortanix files:
+            
+            ```bash
+            kubectl apply -f - <<EOF
+            apiVersion: v1
+            kind: PersistentVolumeClaim
+            metadata:
+              name: fortanix-hsm-pvc
+            spec:
+              accessModes:
+                - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 100Mi
+            EOF
+            ```
+            
+            Create a temporary pod to upload the files:
+            
+            ```bash
+            kubectl apply -f - <<EOF
+            apiVersion: v1
+            kind: Pod
+            metadata:
+              name: fortanix-setup-pod
+            spec:
+              containers:
+              - name: setup
+                image: busybox
+                command: ["/bin/sh", "-c", "sleep 3600"]
+                volumeMounts:
+                - name: fortanix-data
+                  mountPath: /data
+              volumes:
+              - name: fortanix-data
+                persistentVolumeClaim:
+                  claimName: fortanix-hsm-pvc
+            EOF
+            ```
+            
+            Ensure the pod is running:
+            
+            ```bash
+            kubectl wait --for=condition=Ready pod/fortanix-setup-pod --timeout=60s
+            ```
+            
+            Copy the Fortanix files to the PVC:
+            
+            ```bash
+            kubectl exec fortanix-setup-pod -- mkdir -p /data/
+            kubectl cp /etc/fortanix-hsm/fortanix_pkcs11_4.37.2554.so fortanix-setup-pod:/data/
+            kubectl cp /etc/fortanix-hsm/pkcs11.conf fortanix-setup-pod:/data/
+            kubectl exec fortanix-setup-pod -- chmod -R 755 /data/
+            ```
+            
+            Delete the temporary pod:
+            
+            ```bash
+            kubectl delete pod fortanix-setup-pod
+            ```
+          </Step>
+          
+          <Step title="Update the Kubernetes Secret">
+            Update your Kubernetes secret with the Fortanix HSM environment variables:
+            
+            ```yaml
+            apiVersion: v1
+            kind: Secret
+            metadata:
+              name: infisical-secrets
+            type: Opaque
+            stringData:
+              # ... Other environment variables ...
+              HSM_LIB_PATH: "/etc/fortanix-hsm/fortanix_pkcs11_4.37.2554.so"  # Path to the PKCS#11 library in the container
+              HSM_PIN: "<your-fortanix-api-key>"  # Your Fortanix app API key used for authentication
+              HSM_SLOT: "0"            # Slot value (can be set to 0 for Fortanix HSM as it's arbitrary)
+              HSM_KEY_LABEL: "hsm-key-label"  # Label to identify the encryption key in the HSM
+              FORTANIX_PKCS11_CONFIG_PATH: "/etc/fortanix-hsm/pkcs11.conf"  # Path to Fortanix configuration file
+            ```
+            
+            Apply the updated secret:
+            
+            ```bash
+            kubectl apply -f ./secret-file-name.yaml
+            ```
+          </Step>
+          
+          <Step title="Update Helm Values">
+            Update your Helm values to use the FIPS-compliant image and mount the Fortanix HSM files:
+            
+            ```yaml
+            # ... The rest of the values.yaml file ...
+            
+            image:
+              repository: infisical/infisical-fips  # Must use "infisical/infisical-fips"
+              tag: "v0.117.1-postgres"
+              pullPolicy: IfNotPresent
+            
+            extraVolumeMounts:
+              - name: fortanix-data
+                mountPath: /etc/fortanix-hsm  # The path where Fortanix files will be available
+            
+            extraVolumes:
+              - name: fortanix-data
+                persistentVolumeClaim:
+                  claimName: fortanix-hsm-pvc
+            
+            # ... The rest of the values.yaml file ...
+            ```
+            
+            <Warning>
+              Note: Fortanix HSM integration only works for AMD64 CPU architectures.
+            </Warning>
+          </Step>
+          
+          <Step title="Upgrade and Restart">
+            Upgrade the Helm chart with the new values:
+            
+            ```bash
+            helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
+            ```
+            
+            Restart the deployment:
+            
+            ```bash
+            kubectl rollout restart deployment/infisical-infisical
+            ```
+          </Step>
+        </Steps>
+        After following these steps, your Kubernetes setup will be ready to use Fortanix HSM encryption.
+      </Tab>
     </Tabs>
   </Tab>
 </Tabs>

docs/integrations/platforms/kubernetes-csi.mdx

@@ -1,6 +1,6 @@
 ---
 title: "Kubernetes CSI"
-description: "How to use Infisical to inject secrets directly into Kubernetes pods."
+description: "How to use the Infisical Kubernetes CSI provider to inject secrets directly into Kubernetes pods."
 ---
 
 ## Overview
@@ -15,9 +15,9 @@ flowchart LR
         CSP --> CSD(Secrets Store CSI Driver)
     end
 
-    subgraph Application
+    subgraph Pod
         CSD --> V(Volume)
-        V <--> P(Pod)
+        V <--> P(Application)
     end
 
 ```

docs/integrations/platforms/kubernetes-injector.mdx

@@ -0,0 +1,317 @@
+---
+title: "Kubernetes Agent Injector"
+description: "How to use the Infisical Kubernetes Agent Injector to inject secrets directly into Kubernetes pods."
+---
+
+## Overview
+
+The Infisical Kubernetes Agent Injector allows you to inject secrets directly into your Kubernetes pods. The Injector will create a [Infisical Agent](/integrations/platforms/infisical-agent) container within your pod that syncs secrets from Infisical into a shared volume mount within your pod.
+
+
+The Infisical Agent Injector will patch and modify your pod's deployment to contain an [Infisical Agent](/integrations/platforms/infisical-agent) container which renders your Infisical secrets into a shared volume mount within your pod.
+
+The Infisical Agent Injector is built on [Kubernetes Mutating Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers), and will watch for `CREATE` and `UPDATE` events on pods in your cluster.
+The injector is namespace-agnostic, and will watch for pods in any namespace, but will only patch pods that have the `org.infisical.com/inject` annotation set to `true`.
+
+
+```mermaid
+flowchart LR
+    subgraph Secrets Management
+        SS(Infisical) --> INJ(Infisical Injector)
+    end
+
+    subgraph Pod
+        INJ --> INIT(Agent Init Container)
+        INIT --> V(Volume)
+        V <--> P(Application)
+    end
+    
+```
+
+## Install the Infisical Agent Injector
+
+To install the Infisical Agent Injector, you will need to install our helm charts using [Helm](https://helm.sh/).
+
+```bash
+helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+helm repo update
+helm install --generate-name infisical-helm-charts/infisical-agent-injector
+```
+
+After installing the helm chart you can verify that the injector is running and working as intended by checking the logs of the injector pod.
+```bash
+$ kubectl logs deployment/infisical-agent-injector 
+2025/05/19 14:20:05 Starting infisical-agent-injector...
+2025/05/19 14:20:05 Generating self-signed certificate...
+2025/05/19 14:20:06 Creating directory: /tmp/tls
+2025/05/19 14:20:06 Writing cert to: /tmp/tls/tls.crt
+2025/05/19 14:20:06 Writing key to: /tmp/tls/tls.key
+2025/05/19 14:20:06 Starting HTTPS server on port 8585...
+2025/05/19 14:20:06 Attempting to update webhook config (attempt 1)...
+2025/05/19 14:20:06 Successfully updated webhook configuration with CA bundle
+```
+
+## Supported annotations
+
+The Infisical Agent Injector supports the following annotations:
+
+<Accordion title="org.infisical.com/inject">
+  The inject annotation is used to enable the injector on a pod. Set the value to `true` and the pod will be patched with an Infisical Agent container on update or create.
+</Accordion>
+<Accordion title="org.infisical.com/inject-mode">
+  The inject mode annotation is used to specify the mode to use to inject the secrets into the pod. Currently only `init` mode is supported.
+
+  - `init`: The init method will create an init container for the pod that will render the secrets into a shared volume mount within the pod. The agent init container will run before any other containers in the pod runs, including other init containers.
+</Accordion>
+<Accordion title="org.infisical.com/agent-config-map">
+  The agent config map annotation is used to specify the name of the config map that contains the configuration for the injector. The config map must be in the same namespace as the pod.
+</Accordion>
+
+## ConfigMap Configuration
+
+### Supported Fields
+
+When you are configuring a pod to use the injector, you must create a config map in the same namespace as the pod you want to inject secrets into.
+The entire config needs to be of string format and needs to be assigned to the `config.yaml` key in the config map. You can find a full example of the config at the end of this section.
+
+<Accordion title="infisical.address">
+  The address of your Infisical instance. This field is optional and will default to `https://app.infisical.com` if not provided.
+</Accordion>
+
+<Accordion title="infisical.auth.type">
+  The authentication type to use to connect to Infisical. Currently only the `kubernetes` authentication type is supported.
+  You can refer to our [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth) documentation for more information on how to create a machine identity for Kubernetes Auth.
+  Please note that the pod's default service account will be used to authenticate with Infisical.
+</Accordion>
+
+<Accordion title="infisical.auth.config.identity-id">
+  The ID of the machine identity to use to connect to Infisical. This field is required if the `infisical.auth.type` is set to `kubernetes`.
+</Accordion>
+
+<Accordion title="templates[]">
+The templates hold an array of templates that will be rendered and injected into the pod.
+</Accordion>
+
+<Accordion title="templates[].destination-path">
+  The path to inject the secrets into within the pod.
+  If not specified, this will default to `/shared/infisical-secrets`. If you have multiple templates and don't provide a destination path, the destination paths will default to `/shared/infisical-secrets-1`, `/shared/infisical-secrets-2`, etc.
+</Accordion>
+
+<Accordion title="templates[].template-content">
+  The content of the template to render.
+  This will be rendered as a [Go Template](https://pkg.go.dev/text/template) and will have access to the following variables.
+  It follows the templating format and supports the same functions as the [Infisical Agent](/integrations/platforms/infisical-agent#quick-start-infisical-agent)
+</Accordion>
+
+
+### Authentication
+The Infisical Agent Injector only supports Machine Identity [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth) authentication at the moment.
+
+To configure Kubernetes Auth, you need to set the `auth.type` field to `kubernetes` and set the `auth.config.identity-id` to the ID of the machine identity you wish to use for authentication.
+
+```yaml
+auth:
+  type: "kubernetes"
+  config:
+    identity-id: "<your-infisical-machine-identity-id>"
+```
+
+### Example ConfigMap
+```yaml config-map.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: demo-config-map
+data:
+  config.yaml: |
+    infisical:
+      address: "https://app.infisical.com"
+      auth:
+        type: "kubernetes"
+        config:
+          identity-id: "<your-infisical-machine-identity-id>"
+    templates:
+      - destination-path: "/path/to/save/secrets/file.txt"
+        template-content: |
+          {{- with secret "<your-project-id>" "dev" "/" }}
+          {{- range . }}
+          {{ .Key }}={{ .Value }}
+          {{- end }}
+          {{- end }}
+```
+
+```bash
+kubectl apply -f config-map.yaml
+```
+
+To use the config map in your pod, you will need to add the `org.infisical.com/agent-config-map` annotation to your pod's deployment. The value of the annotation is the name of the config map you created above.
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: demo
+  labels:
+    app: demo
+  annotations:
+    org.infisical.com/inject: "true" # Set to true for the injector to patch the pod on create/update events
+    org.infisical.com/inject-mode: "init" # The mode to use to inject the secrets into the pod. Currently only `init` mode is supported.
+    org.infisical.com/agent-config-map: "name-of-config-map" # The name of the config map that you created above, which contains all the settings for injecting the secrets into the pod
+spec:
+  # ...
+```
+
+
+## Quick Start
+In this section we'll walk through a full example of how to inject secrets into a pod using the Infisical Agent Injector.
+In this example we'll create a basic nginx deployment and print a Infisical secret called `API_KEY` to the container logs.
+
+### Create secrets in Infisical
+First you'll need to create the secret in Infisical.
+
+- `API_KEY`: The API key to use for the nginx deployment.
+
+Once you've created the secret, save your project ID, environment slug, and secret path, as these will be used in the next step.
+
+### Configuration
+To use the injector you must create a config map in the same namespace as the pod you want to inject secrets into. In this example we'll create a config map in the `test-namespace` namespace.
+
+The agent injector will authenticate with Infisical using a [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth) machine identity. Please follow the [instructions](/documentation/platform/identities/kubernetes-auth) to create a machine identity configured for Kubernetes Auth.
+The agent injector will use the service account token of the pod to authenticate with Infisical.
+
+The `template-content` will be rendered as a [Go Template](https://pkg.go.dev/text/template) and will have access to the following variables. It follows the templating format and supports the same functions as the [Infisical Agent](/integrations/platforms/infisical-agent#quick-start-infisical-agent)
+The `destination-path` refers to the path within the pod that the secrets will be injected into. In this case we're injecting the secrets into a file called `/infisical/secrets`.
+
+
+Replace the `<your-project-id>`, `<your-environment-slug>`, with your project ID and the environment slug of where you created your secrets in Infisical. Replace `<your-infisical-machine-identity-id>` with the ID of your machine identity configured for Kubernetes Auth.
+```yaml config-map.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-infisical-config-map
+  namespace: test-namespace
+data:
+  config.yaml: |
+    infisical:
+      address: "https://app.infisical.com"
+      auth:
+        type: "kubernetes"
+        config:
+          identity-id: "<your-infisical-machine-identity-id>"
+    templates:
+      - destination-path: "/infisical/secrets"
+        template-content: |
+          {{- with secret "<your-project-id>" "<your-environment-slug>" "/" }}
+          {{- range . }}
+          {{ .Key }}={{ .Value }}
+          {{- end }}
+          {{- end }}
+```
+
+Now apply the config map:
+```bash
+kubectl apply -f config-map.yaml
+```
+
+### Injecting secrets into your pod
+
+To inject secrets into your pod, you will need to add the `org.infisical.com/inject: "true"` annotation to your pod's deployment.
+
+The `org.infisical.com/agent-config-map` annotation will point to the config map we created in the previous step. It's important that the config map is in the same namespace as the pod.
+
+We are creating a nginx deployment with a PVC to store the database data.
+
+```yaml nginx.yaml
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-pod
+  namespace: test-namespace
+  labels:
+    app: nginx
+  annotations:
+    org.infisical.com/inject: "true"
+    org.infisical.com/inject-mode: "init"
+    org.infisical.com/agent-config-map: "nginx-infisical-config-map"
+spec:
+  containers:
+    - name: simple-app-demo
+      image: nginx:alpine
+      command: ["/bin/sh", "-c"]
+      args:
+        - |
+          export $(cat /infisical/secrets | xargs)
+          echo "API_KEY is set to: $API_KEY"
+          nginx -g "daemon off;"
+```
+
+### Applying the deployment
+
+To apply the deployment, you can use the following command:
+
+```bash
+kubectl apply -f nginx.yaml
+```
+It may take a few minutes for the pod to be ready and for the Infisical secrets to be injected. You can check the status of the pod by running:
+
+```bash
+kubectl get pods -n test-namespace
+```
+
+### Verifying the secrets are injected
+
+To verify the secrets are injected, you can check the pod's logs:
+
+```bash
+$ kubectl exec -it pod/nginx-pod -n test-namespace -- cat /infisical/secrets
+
+Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)
+
+API_KEY=sk_api_... # The secret you created in Infisical
+```
+
+Additionally you can now check that the `API_KEY` secret is being logged to the nginx container logs:
+```bash
+$ kubectl logs pod/nginx-pod -n test-namespace                              
+Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)
+API_KEY is set to: sk_api_... # The secret you created in Infisical
+```
+
+
+## Troubleshooting
+
+
+<Accordion title="The pod is stuck in `Init` state">
+  If the pod is stuck in `Init` state, it means the Agent init container is failing to start or is stuck in a restart loop.
+  This could be due to a number of reasons, such as the machine identity not having the correct permissions, or trying to fetch secrets from a non-existent project/environment.
+  
+  You can check the logs of the infisical init container by running:
+  ```bash
+  # For deployments
+  kubectl logs deployment/your-deployment-name -c infisical-agent-init -n "<namespace>"
+
+  # For pods
+  kubectl logs pod/your-pod-name -c infisical-agent-init -n "<namespace>"
+  ```
+
+  You can also check the logs of the pod by running:
+  ```bash
+  kubectl logs deployment/postgres-deployment -n test-namespace
+  ```
+
+  When checking the logs of the agent init container, you may see something like the following:
+  ```bash
+  Starting infisical agent...
+  11:10AM INF starting Infisical agent...
+  11:10AM INF Infisical instance address set to https://daniel1.tunn.dev
+  11:10AM INF template engine started for template 1...
+  11:10AM INF attempting to authenticate...
+  11:10AM INF new access token saved to file at path '/home/infisical/config/identity-access-token'
+  11:10AM ERR unable to process template because template: literalTemplate:1:9: executing "literalTemplate" at <secret "3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111" "dev" "/">: error calling secret: CallGetRawSecretsV3: Unsuccessful response [GET https://daniel1.tunn.dev/api/v3/secrets/raw?environment=dev&expandSecretReferences=true&include_imports=true&secretPath=%2F&workspaceId=3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111] [status-code=404] [response={"reqId":"req-ljqNq567jchFrK","statusCode":404,"message":"Project with ID '3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111' not found during bot lookup. Are you sure you are using the correct project ID?","error":"NotFound"}]
+  + echo 'Agent failed with exit code 1'
+  + exit 1
+  Agent failed with exit code 1
+  ```
+
+  In the above error, the project ID was invalid in the config map.
+</Accordion>

docs/mint.json

@@ -441,6 +441,7 @@
                 "integrations/platforms/kubernetes/infisical-dynamic-secret-crd"
               ]
             },
+            "integrations/platforms/kubernetes-injector",
             "integrations/platforms/kubernetes-csi",
             "integrations/platforms/docker-swarm-with-agent",
             "integrations/platforms/ecs-with-agent"