From 33ebdd295445d5aa59e696a8218881e159b87af3 Mon Sep 17 00:00:00 2001 From: = Date: Sun, 29 Mar 2026 00:19:49 +0530 Subject: [PATCH 1/3] docs: updated info on pg and redis with Infisical --- docs/docs.json | 2 + .../configuration/requirements.mdx | 8 +-- docs/self-hosting/guides/postgresql.mdx | 54 +++++++++++++++++ docs/self-hosting/guides/redis.mdx | 60 +++++++++++++++++++ docs/self-hosting/overview.mdx | 15 ++++- 5 files changed, 134 insertions(+), 5 deletions(-) create mode 100644 docs/self-hosting/guides/postgresql.mdx create mode 100644 docs/self-hosting/guides/redis.mdx diff --git a/docs/docs.json b/docs/docs.json index cf77aff2f71..ccb776b0542 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -317,6 +317,8 @@ "group": "Self-host Infisical", "pages": [ "self-hosting/overview", + "self-hosting/guides/postgresql", + "self-hosting/guides/redis", { "group": "Installation methods", "pages": [ diff --git a/docs/self-hosting/configuration/requirements.mdx b/docs/self-hosting/configuration/requirements.mdx index 45681b4d90e..4b31646562f 100644 --- a/docs/self-hosting/configuration/requirements.mdx +++ b/docs/self-hosting/configuration/requirements.mdx @@ -55,14 +55,14 @@ Recommended resource allocation based on deployment size. You may require more r Redis is utilized for session management and background tasks in Infisical. - -**Active-passive** setup is recommended for Redis. **Active-active** setup for Redis has not been tested. - + +Redis **active-active geo-replication** is not supported. For multi-region deployments, refer to the [replication guide](/self-hosting/guides/replication) which uses independent Redis instances per region. + Redis requirements: - Use Redis versions 6.x or 7.x. We advise upgrading to at least Redis 6.2. -- Redis Cluster mode is currently not supported; use Redis Standalone, with or without High Availability (HA). +- Supported modes: Standalone, Sentinel (HA), and Cluster. - Redis storage needs are minimal: a setup with 2 vCPU, 4 GB RAM, and 30GB SSD will be sufficient for small deployments. - Set cache eviction policy to `noeviction`. diff --git a/docs/self-hosting/guides/postgresql.mdx b/docs/self-hosting/guides/postgresql.mdx new file mode 100644 index 00000000000..da65b7ab0df --- /dev/null +++ b/docs/self-hosting/guides/postgresql.mdx @@ -0,0 +1,54 @@ +--- +title: "PostgreSQL" +description: "Understand the role PostgreSQL plays in Infisical, what data it stores, and how to operate it safely." +--- + +PostgreSQL is the **authoritative datastore** for all persistent data in Infisical. Every piece of long-lived state — secrets, users, configurations, audit history — is stored in PostgreSQL. It is the single source of truth for the entire platform. + +## What it stores + +| Data | Description | +|------|-------------| +| Secrets | All secrets and their full version history | +| Identities & Users | User accounts, machine identities, and their credentials | +| Projects & Organizations | Project configurations, organization settings, and memberships | +| Access Control | Roles, permissions, and access policies | +| Audit Logs | Records of all actions taken within the platform | +| Integrations | Configuration for third-party integrations and sync targets | +| Certificates & PKI | Certificate authorities, certificates, and PKI configurations | +| Encryption Keys | Encrypted project keys used for secret encryption | + +## Supported modes + +| Mode | Supported | +|------|-----------| +| Standalone (Single Instance) | Yes | +| Read Replicas (Streaming Replication) | Yes | + +For multi-region deployments with read replicas, see the [replication guide](/self-hosting/guides/replication). + +## Impact of data loss + +PostgreSQL data loss is **critical and unrecoverable without a backup**. Because PostgreSQL is the sole source of truth for all persistent state, losing this data means losing: + +- All secrets and their version history +- User accounts, identities, and credentials +- Project and organization configurations +- Audit logs and compliance records +- Integration settings and encryption keys + +There is no way to reconstruct this data from other components. Redis caches are ephemeral and do not contain the full dataset. + + + Always maintain regular PostgreSQL backups and test your restore process. Without a working backup, PostgreSQL data loss is **permanent**. + + +## Recommendations + +- **Use a managed service** (e.g., AWS RDS, Google Cloud SQL, Azure Database for PostgreSQL) for automated backups, failover, and maintenance. +- **Enable point-in-time recovery (PITR)** for granular restore capabilities. +- **Test restores regularly**. A backup that has never been tested is not a backup. +- **High availability**: Configure streaming replication with automatic failover to minimize downtime. +- **Version**: Infisical supports PostgreSQL versions 14+, with version 16 being the most extensively tested. + +For hardware sizing, see [hardware requirements](/self-hosting/configuration/requirements). diff --git a/docs/self-hosting/guides/redis.mdx b/docs/self-hosting/guides/redis.mdx new file mode 100644 index 00000000000..f48c98945e6 --- /dev/null +++ b/docs/self-hosting/guides/redis.mdx @@ -0,0 +1,60 @@ +--- +title: "Redis" +description: "Understand the role Redis plays in Infisical, why persistence is required, and how to operate it safely." +--- + +Redis serves as both a **caching layer** and a **persistent job queue** in Infisical. Unlike typical cache-only use cases, Infisical relies on Redis to durably store background job data, making persistence a hard requirement. + + + Redis **must be configured with persistence enabled** (AOF, RDB, or both). Infisical uses Redis-backed queues for background processing. A non-persistent Redis instance that restarts will lose all pending and in-progress jobs. + + +## What it stores + +| Data | Description | +|------|-------------| +| Cache | Frequently accessed data and configurations, reducing load on PostgreSQL | +| Background Job Queues | Jobs for secret syncs to third-party integrations, secret rotations, scheduled tasks, webhook deliveries, and audit log processing | +| Job State | Metadata for in-progress, completed, and failed jobs including retry information | +| Session Data | Active user session tokens and ephemeral authentication state | + +## Supported modes + +| Mode | Supported | +|------|-----------| +| Standalone (Single Node) | Yes | +| Sentinel (High Availability) | Yes | +| Cluster | Yes | +| Active-Active Geo-Replication | No | + + + Redis **active-active geo-replication** is not supported. If you need multi-region deployments, refer to Infisical's [replication architecture](/self-hosting/guides/replication) which uses independent Redis instances per region instead. + + +## Impact of data loss + +Redis data loss is **disruptive but recoverable**. Unlike PostgreSQL, Redis does not hold the source of truth — secrets and configurations remain safe in PostgreSQL. However, the impact depends on what was in Redis at the time: + +- **Cache loss**: No lasting impact. The cache repopulates automatically as read requests come in. You may see a temporary spike in PostgreSQL load until the cache warms up. +- **Queue loss**: Pending background jobs are lost. In-flight operations such as secret syncs to third-party integrations, pending secret rotations, or scheduled webhook deliveries will not complete. These operations will need to be re-triggered manually or will recover on the next scheduled cycle. + +## Why persistence is required + +Infisical uses Redis (backed by Redis) to manage background job queues. These queues handle operations that must eventually complete: + +- Syncing secrets to external providers (AWS Secrets Manager, GCP Secret Manager, etc.) +- Rotating credentials on a schedule +- Delivering webhooks +- Processing audit logs + +If Redis is running without persistence and restarts, all queued and in-progress jobs disappear silently. There is no mechanism to replay these jobs from PostgreSQL. This can result in secrets being out of sync with third-party integrations, missed rotations, or lost webhook deliveries — with no indication that anything went wrong. + +## Recommendations + +- **Enable persistence** using AOF (`appendonly yes`) with `appendfsync everysec` for a good balance between durability and performance. RDB snapshots can be used as an additional safety net. +- **Set eviction policy to `noeviction`** to prevent Redis from silently dropping queue data under memory pressure. +- **Use Redis 6.2+**. Infisical supports Redis versions 6.x and 7.x, with 6.2 as the minimum recommended version. +- **High availability**: Use Redis Sentinel or a managed Redis service with automatic failover. +- **Monitor memory usage**. Because `noeviction` is required, Redis will reject new writes if it runs out of memory rather than evicting data. Ensure sufficient memory is provisioned for your workload. + +For hardware sizing, see [hardware requirements](/self-hosting/configuration/requirements). diff --git a/docs/self-hosting/overview.mdx b/docs/self-hosting/overview.mdx index de841e63d4b..7cd9d3dbf32 100644 --- a/docs/self-hosting/overview.mdx +++ b/docs/self-hosting/overview.mdx @@ -7,10 +7,23 @@ description: "Learn how to self-host Infisical on your own infrastructure." Self-hosting Infisical lets you retain data on your own infrastructure and network. Many organizations choose self-hosting for benefits in compliance and flexibility. - Compliance: Deploying Infisical in your own environment helps meet strict regulatory requirements (e.g. SOC 2, HIPAA, FIPS 140-3) by aligning with your existing security controls. All data remains under your governance, and Infisical’s architecture supports compliance needs through strong encryption and access controls. -- Flexibility: You have complete control over deployment topology and integrations. Infisical can run in diverse environments. From air-gapped bare-metal servers to Kubernetes clusters or cloud VMs, this flexibility lets you tailor networking, security, and performance configurations to fit your organization’s needs. +- Flexibility: You have complete control over deployment topology and integrations. Infisical can run in diverse environments, from air-gapped bare-metal servers to Kubernetes clusters or cloud VMs, letting you tailor networking, security, and performance configurations to fit your organization’s needs. +## Architecture Overview + +Infisical requires two core infrastructure components alongside the stateless application servers: + +- **[PostgreSQL](/self-hosting/guides/postgresql)** — The sole source of truth for all persistent data including secrets, users, projects, audit logs, and configurations. +- **[Redis](/self-hosting/guides/redis)** — Caching layer and persistent job queue for background processing, session management, and async tasks. + +The application servers are stateless and scale horizontally. See the dedicated [PostgreSQL](/self-hosting/guides/postgresql) and [Redis](/self-hosting/guides/redis) pages for supported modes, data loss implications, and operational recommendations. + +For hardware sizing, see [hardware requirements](/self-hosting/configuration/requirements). For multi-region deployments, see the [replication guide](/self-hosting/guides/replication). + +## Deployment Options + Choose from a number of deployment options listed below to get started. From 1efd78269da44b41f72a1ee83a816aa6869a8e16 Mon Sep 17 00:00:00 2001 From: = Date: Sun, 29 Mar 2026 00:25:44 +0530 Subject: [PATCH 2/3] docs: updated infra info to have configuration as well --- docs/self-hosting/guides/postgresql.mdx | 59 ++++++++++++++++++ docs/self-hosting/guides/redis.mdx | 83 ++++++++++++++++++++++++- 2 files changed, 141 insertions(+), 1 deletion(-) diff --git a/docs/self-hosting/guides/postgresql.mdx b/docs/self-hosting/guides/postgresql.mdx index da65b7ab0df..fa81a439f4e 100644 --- a/docs/self-hosting/guides/postgresql.mdx +++ b/docs/self-hosting/guides/postgresql.mdx @@ -27,6 +27,65 @@ PostgreSQL is the **authoritative datastore** for all persistent data in Infisic For multi-region deployments with read replicas, see the [replication guide](/self-hosting/guides/replication). +## Configuration + +Configure PostgreSQL connectivity by setting the following environment variables on your Infisical instance. + + + The database user must be granted all privileges on the Infisical database, including the ability to create schemas, tables, indexes, and perform all CRUD operations. + + + + + + Postgres database connection string. + + + + Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. + Use the following command to encode your certificate: `echo "" | base64` + + Many cloud providers provide a CA certificate for their data regions that you can use to secure your connection with SSL. + + + + If you're hosting your database on AWS RDS, you can use their publicly available CA certificate as the database root certificate. + + You can find all the available CA certificates for AWS RDS on the official [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html). + + As an example, if your RDS cluster is hosted in `us-east-1` _(US East, N. Virginia)_, you can use the following root certificate: https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem. + + Remember to base64 encode the certificate before setting it as the `DB_ROOT_CERT` environment variable. `cat /path/to/certificate.pem | base64`. + + ```bash + DB_ROOT_CERT=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1 # .... (base64 encoded certificate) + DB_CONNECTION_URI=?sslmode=verify-ca # or verify-full depending on your security policies + ``` + + + + + + + Postgres database read replica connection strings. It accepts a JSON string. + ``` + DB_READ_REPLICAS=[{"DB_CONNECTION_URI":""}] + ``` + + + Postgres read replica connection string. + + + Configure the SSL certificate for securing a Postgres replica connection by first encoding it in base64. + Use the following command to encode your certificate: `echo "" | base64` + + If not provided, it will use the primary SSL certificate. + + + + + + ## Impact of data loss PostgreSQL data loss is **critical and unrecoverable without a backup**. Because PostgreSQL is the sole source of truth for all persistent state, losing this data means losing: diff --git a/docs/self-hosting/guides/redis.mdx b/docs/self-hosting/guides/redis.mdx index f48c98945e6..06d7045ba87 100644 --- a/docs/self-hosting/guides/redis.mdx +++ b/docs/self-hosting/guides/redis.mdx @@ -31,6 +31,87 @@ Redis serves as both a **caching layer** and a **persistent job queue** in Infis Redis **active-active geo-replication** is not supported. If you need multi-region deployments, refer to Infisical's [replication architecture](/self-hosting/guides/replication) which uses independent Redis instances per region instead. +## Configuration + +Configure Redis connectivity by setting the following environment variables on your Infisical instance. + + + + + Redis connection string. For SSL/TLS connections, use the `rediss://` protocol (note the double 's'). + + Examples: + - Without SSL: `redis://localhost:6379` + - With SSL: `rediss://localhost:6379` + - With authentication: `redis://:password@localhost:6379` + - With SSL and authentication: `rediss://:password@localhost:6379` + + + + + Comma-separated list of Sentinel host:port pairs. ``` + 192.168.65.254:26379,192.168.65.254:26380 ``` + + + The name of the Redis master set monitored by Sentinel + + + Whether to use TLS/SSL for Redis Sentinel connection + + + Authentication username for Redis Sentinel + + + Authentication password for Redis Sentinel + + + Authentication username for Redis Node + + + Authentication password for Redis Node + + + + + Comma-separated list of Redis Cluster host:port pairs. ``` + 192.168.65.254:26379,192.168.65.254:26380 ``` + + + Enable Redis TLS encryption on connection. + + + Enable this if you are using AWS encrypt on transit for Elasticache cluster. For more information refer ![here](https://github.com/redis/ioredis?tab=readme-ov-file#special-note-aws-elasticache-clusters-with-tls). + + + Authentication username for Redis Node + + + Authentication password for Redis Node + + + + + Comma-separated list of Redis read replicas host:port pairs. ``` + 192.168.65.254:26379,192.168.65.254:26380 ``` + + + The parameters like username, password, TLS, and Redis type of the primary instance will be inherited. + + + +### SSL/TLS + +To connect to Redis with SSL/TLS, use the `rediss://` protocol (note the double 's') in your connection string. + +If your Redis server uses a certificate signed by a private CA or a self-signed certificate, set the `NODE_EXTRA_CA_CERTS` environment variable to the path of your CA certificate file: + +```bash +REDIS_URL=rediss://your-redis-host:6379 +NODE_EXTRA_CA_CERTS=/path/to/ca.crt +``` + +For Redis Sentinel or Cluster mode, use the `REDIS_SENTINEL_ENABLE_TLS` or `REDIS_CLUSTER_ENABLE_TLS` environment variables respectively. + ## Impact of data loss Redis data loss is **disruptive but recoverable**. Unlike PostgreSQL, Redis does not hold the source of truth — secrets and configurations remain safe in PostgreSQL. However, the impact depends on what was in Redis at the time: @@ -40,7 +121,7 @@ Redis data loss is **disruptive but recoverable**. Unlike PostgreSQL, Redis does ## Why persistence is required -Infisical uses Redis (backed by Redis) to manage background job queues. These queues handle operations that must eventually complete: +Infisical uses Redis to manage background job queues. These queues handle operations that must eventually complete: - Syncing secrets to external providers (AWS Secrets Manager, GCP Secret Manager, etc.) - Rotating credentials on a schedule From a95417f41113e1f86fc8327f724b46c2f83cabe0 Mon Sep 17 00:00:00 2001 From: = Date: Sun, 29 Mar 2026 00:34:19 +0530 Subject: [PATCH 3/3] feat: resolved typo --- docs/self-hosting/guides/redis.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/self-hosting/guides/redis.mdx b/docs/self-hosting/guides/redis.mdx index 06d7045ba87..04a61175bbf 100644 --- a/docs/self-hosting/guides/redis.mdx +++ b/docs/self-hosting/guides/redis.mdx @@ -80,7 +80,7 @@ Configure Redis connectivity by setting the following environment variables on y Enable Redis TLS encryption on connection. - Enable this if you are using AWS encrypt on transit for Elasticache cluster. For more information refer ![here](https://github.com/redis/ioredis?tab=readme-ov-file#special-note-aws-elasticache-clusters-with-tls). + Enable this if you are using AWS encrypt on transit for Elasticache cluster. For more information refer [here](https://github.com/redis/ioredis?tab=readme-ov-file#special-note-aws-elasticache-clusters-with-tls). Authentication username for Redis Node