apiVersion: secrets.infisical.com/v1beta1 kind: InfisicalStaticSecret metadata: name: n8n-secret namespace: n8n spec: # Shared, read-only machine identity (no write grant, no PushSecret). # Source is the /n8n folder, single key encryption-key = N8N_ENCRYPTION_KEY. # This is n8n's IRRECOVERABLE credentials-encryption root: it decrypts every # credential stored in database.sqlite. Lifted BYTE-IDENTICAL (sha8 1fdb7832, # len 32) — never regenerated. Also persisted verbatim in ~/.n8n/config on the # PVC and backed up in the user's password manager (4-way redundancy). # secretKeyRef.key is already 'encryption-key' -> straight passthrough. infisicalAuthRef: name: infisical-auth namespace: infisical-operator sources: - projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab" environmentSlug: prod secretPath: /n8n syncOptions: refreshInterval: 60s targets: - kind: Secret name: n8n-secret-infisical # parallel name — old secret stays live until 3c namespace: n8n creationPolicy: Owner # key passthrough: synced Secret carries encryption-key verbatim