Clarify template usage for nested secret paths in InfisicalSecret CRD

[rsantamaria01]

I'm using InfisicalSecret to manage Kubernetes secrets in my cluster, and I'm organizing my secrets in nested folders such as /be/core/auth/DB_USER.

However, it's not entirely clear from the documentation how the Go template syntax should be used to reference deeply nested secrets. For example:

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: infisical-secret-auth
  namespace: app
  labels:
    app: hsm-be-core-auth
spec:
  hostAPI: 
  resyncInterval: 10
  authentication:
    kubernetesAuth:
      identityId: ""
      autoCreateServiceAccountToken: true
      serviceAccountRef:
        name: infisical-service-account
        namespace: security
      secretsScope:
        projectSlug:
        envSlug: dev
        secretsPath: "/"
        recursive: true

  managedKubeSecretReferences:
    - secretName: hsm-be-core-auth-secret
      secretNamespace: app
      creationPolicy: "Orphan"
      template:
        includeAllSecrets: false
        data:
          DB_USER: "{{.be.core.auth..DB_USER.Value}}"
          DB_PASSWORD: "{{.be.core.auth.DB_PASSWORD.Value}}"
          DB_CONNECTION_STRING: "{{.be.core.auth.DB_CONNECTION_STRING.Value}}"
          JWT_SECRET: "{{.JWT_SECRET.Value}}"

This syntax seems to assume that the secret is located at /be/core/auth/DB_USER. However, when I use this, I get <no value>, and it's difficult to know if the issue is in the path, the template syntax, or Infisical not resolving it properly.

Could you please clarify the following in the docs or provide examples?

• The exact Go template syntax for accessing secrets stored in nested folders.
• How folder paths in the UI or CLI (e.g., /be/core/auth/) translate into the .template.data field.
• Whether it's possible to view the full structured map that the Go template receives (for debugging purposes).
• What error handling exists if a template references a non-existing secret.

Example
If I have this secret in Infisical:

/be/core/auth/DB_USER = "admin"

Is this the correct way to reference it?

DB_USER: "{{ .be.core.auth.DB_USER.Value }}"

Or should I use a different structure?

Thanks in advance for the clarification — your tool is incredibly powerful, and better docs on templating would help a lot of users structure their secrets more effectively.

[brycemueller]

@rsantamaria01 My understanding is that if you point the secretPath to the root '/' and recursive is true, then all secrets within that project are saved at one level within the k8s secret. So the syntax would be DB_USER: '{{ DB_USER.Value }}'. If there are duplicate values, then the one lowest in the folder structure will be saved. I have not found there to be value in folders when using the k8s operator (at least with one operator). I have been testing using multiple CRD to create different InfisicalSecret resources. Not sure if there are any issues with doing this, but it allows me to set different paths in the secretScope. If there are better ways of managing this I would love to hear about it. Not sure if using the SecretPath would ay help. type TemplateSecret struct { Value string json:"value"SecretPath stringjson:"secretPath" }