I'm using `InfisicalSecret` to manage Kubernetes secrets in my cluster, and I'm organizing my secrets in nested folders such as `/be/core/auth/DB_USER`.
However, it's not entirely clear from the documentation how the Go template syntax should be used to reference deeply nested secrets. For example:
```yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisical-secret-auth
  namespace: app
  labels:
    app: hsm-be-core-auth
spec:
  hostAPI:
  resyncInterval: 10
  authentication:
    kubernetesAuth:
      identityId: ""
      autoCreateServiceAccountToken: true
      serviceAccountRef:
        name: infisical-service-account
        namespace: security
      secretsScope:
        projectSlug:
        envSlug: dev
        secretsPath: "/"
        recursive: true
  managedKubeSecretReferences:
    - secretName: hsm-be-core-auth-secret
      secretNamespace: app
      creationPolicy: "Orphan"
      template:
        includeAllSecrets: false
        data:
          DB_USER: "{{.be.core.auth.DB_USER.Value}}"
          DB_PASSWORD: "{{.be.core.auth.DB_PASSWORD.Value}}"
          DB_CONNECTION_STRING: "{{.be.core.auth.DB_CONNECTION_STRING.Value}}"
          JWT_SECRET: "{{.JWT_SECRET.Value}}"
```
This syntax seems to assume that the secret is located at `/be/core/auth/DB_USER`. However, when I use this, I get `<no value>`, and it's difficult to know if the issue is in the path, the template syntax, or Infisical not resolving it properly.
Could you please clarify the following in the docs or provide examples?
- The exact Go template syntax for accessing secrets stored in nested folders.
- How folder paths in the UI or CLI (e.g., /be/core/auth/) translate into the .template.data field.
- Whether it's possible to view the full structured map that the Go template receives (for debugging purposes).
- What error handling exists if a template references a non-existing secret.
Example: if I have this secret in Infisical:

```
/be/core/auth/DB_USER = "admin"
```

Is this the correct way to reference it?

```yaml
DB_USER: "{{ .be.core.auth.DB_USER.Value }}"
```
Or should I use a different structure?
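
The `<no value>` symptom described above can be reproduced with Go's `text/template` alone. This is an added example, not code from the original post or from the Infisical operator. The `secret` type and the two data shapes (`nested`, `flat`) are hypothetical and constructed for illustration; which shape the operator actually passes to the template is not stated on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// secret is a hypothetical stand-in for an object exposing a .Value field.
type secret struct{ Value string }

// render executes tpl against data. With strict=true it sets missingkey=error,
// so a missing map key fails instead of silently rendering "<no value>".
func render(tpl string, data interface{}, strict bool) (string, error) {
	t := template.New("t")
	if strict {
		t = t.Option("missingkey=error")
	}
	t, err := t.Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// expr is the expression from the post.
const expr = "{{.be.core.auth.DB_USER.Value}}"

// nested: constructed data where folders become nested maps (assumption).
func nested() map[string]interface{} {
	return map[string]interface{}{"be": map[string]interface{}{
		"core": map[string]interface{}{"auth": map[string]interface{}{
			"DB_USER": secret{Value: "admin"}}}}}
}

// flat: constructed data keyed by secret name only (assumption).
func flat() map[string]interface{} {
	return map[string]interface{}{"DB_USER": secret{Value: "admin"}}
}

func main() {
	for _, d := range []map[string]interface{}{nested(), flat()} {
		out, err := render(expr, d, false)
		_, strictErr := render(expr, d, true)
		fmt.Printf("lenient=%q err=%v strictErr=%v\n", out, err, strictErr)
	}
}
```

With the default lenient option, a lookup chain that misses a map key renders the literal string `<no value>` without raising an error, so that string would be stored as the credential. The strict option turns the same miss into an execution error that names the missing key.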