The InfisicalDynamicSecret CRD allows you to easily create and manage dynamic secret leases in Infisical and automatically sync them to your Kubernetes cluster as native Kubernetes Secret resources.
This means any Pod, Deployment, or other Kubernetes resource can make use of dynamic secrets from Infisical just like any other K8s secret.
This CRD offers the following features:
Generate a dynamic secret lease in Infisical and track its lifecycle.
Write the dynamic secret from Infisical to your cluster as native Kubernetes secret.
Automatically rotate the dyanmic secret value before it expires to make sure your cluster always has valid credentials.
Optionally trigger redeployments of any workloads that consume the secret if you enable auto-reload.
The example below shows a sample InfisicalDynamicSecret CRD that creates a dynamic secret lease in Infisical, and syncs the lease to your Kubernetes cluster.
dynamic-secret-crd.yaml
apiVersion: secrets.infisical.com/v1alpha1kind: InfisicalDynamicSecretmetadata:name: infisicaldynamicsecretspec:hostAPI: https://app.infisical.com/api # Optional, defaults to https://app.infisical.com/api dynamicSecret:secretName: <dynamic-secret-name>projectId: <project-id>secretsPath: <path/to/dynamic-secret># Root directory is /environmentSlug: <env-slug># Lease revocation policy defines what should happen to leases created by the operator if the CRD is deleted.# If set to "Revoke", leases will be revoked when the InfisicalDynamicSecret CRD is deleted.leaseRevocationPolicy: Revoke# Lease TTL defines how long the lease should last for the dynamic secret.# This value must be less than 1 day, and if a max TTL is defined on the dynamic secret, it must be below the max TTL.leaseTTL: 1m# A reference to the secret that the dynamic secret lease should be stored in.# If the secret doesn't exist, it will automatically be created. managedSecretReference:secretName: <secret-name>secretNamespace: default # Must be the same namespace as the InfisicalDynamicSecret CRD.creationPolicy: Orphan# Only have one authentication method defined or you are likely to run into authentication issues.# Remove all except one authentication method. authentication: awsIamAuth:identityId: <machine-identity-id> azureAuth:identityId: <machine-identity-id> gcpIamAuth:identityId: <machine-identity-id>serviceAccountKeyFilePath: </path-to-service-account-key-file.json> gcpIdTokenAuth:identityId: <machine-identity-id> kubernetesAuth:identityId: <machine-identity-id> serviceAccountRef:name: <secret-name>namespace: <secret-namespace> universalAuth: credentialsRef:secretName: <secret-name># universal-auth-credentialssecretNamespace: <secret-namespace># default
Apply the InfisicalDynamicSecret CRD to your cluster.
kubectl apply -f dynamic-secret-crd.yaml
After applying the InfisicalDynamicSecret CRD, you should notice that the dynamic secret lease has been created in Infisical and synced to your Kubernetes cluster. You can verify that the lease has been created by doing:
kubectl get secret <managed-secret-name>-o yaml
After getting the secret, you should should see that the secret has data that contains the lease credentials.
If you are fetching secrets from a self-hosted instance of Infisical set the value of hostAPI to
https://your-self-hosted-instace.com/api
When hostAPI is not defined the operator fetches secrets from Infisical Cloud.
If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend’s service directly without having to route through the public internet.
To achieve this, use the following address for the hostAPI field:
Make sure to replace <backend-svc-name> and <namespace> with the appropriate values for your backend service and namespace.
The leaseTTL is a string-formatted duration that defines the time the lease should last for the dynamic secret.
The format of the field is [duration][unit] where duration is a number and unit is a string representing the unit of time.
The following units are supported:
s for seconds (must be at least 5 seconds)
m for minutes
h for hours
d for days
The lease duration at most be 1 day (24 hours). And the TTL must be less than the max TTL defined on the dynamic secret.
The managedSecretReference field is used to define the Kubernetes secret where the dynamic secret lease should be stored. The required fields are secretName and secretNamespace.
The name of the Kubernetes secret where the dynamic secret lease should be stored.
The namespace of the Kubernetes secret where the dynamic secret lease should be stored.
Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator.
This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
Available options
Orphan (default)
Owner
When creation policy is set to Owner, the InfisicalSecret CRD must be in
the same namespace as where the managed kubernetes secret.
This field is optional.
Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
This field is optional.
The field is optional and will default to None if not defined.
The lease revocation policy defines what the operator should do with the leases created by the operator, when the InfisicalDynamicSecret CRD is deleted.
Valid values are None and Revoke.
Behavior of each policy:
None: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.
Revoke: The operator will revoke the leases created by the operator when the InfisicalDynamicSecret CRD is deleted.
spec:leaseRevocationPolicy: Revoke
The dynamicSecret field is used to specify which dynamic secret to create leases for. The required fields are secretName, projectId, secretsPath, and environmentSlug.
The project ID of where the dynamic secret is stored in Infisical.
The environment slug of where the dynamic secret is stored in Infisical.
The path of where the dynamic secret is stored in Infisical. The root path is /.
The authentication field dictates which authentication method to use when pushing secrets to Infisical.
The available authentication methods are universalAuth, kubernetesAuth, awsIamAuth, azureAuth, gcpIdTokenAuth, and gcpIamAuth.
The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider.
Read more about Universal Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
credentialsRef: The name and namespace of the Kubernetes secret that stores the service token.
credentialsRef.secretName: The name of the Kubernetes secret.
credentialsRef.secretNamespace: The namespace of the Kubernetes secret.
The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
Read more about Kubernetes Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
serviceAccountRef: The name and namespace of the service account that will be used to authenticate with Infisical.
serviceAccountRef.name: The name of the service account.
serviceAccountRef.namespace: The namespace of the service account.
The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment.
Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
serviceAccountKeyFilePath: The path to the GCP service account key file.
The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
Read more about Azure Auth.
Valid fields:
identityId: The identity ID of the machine identity you created.
This block defines the TLS settings to use for connecting to the Infisical
instance.
Fields:
This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Valid fields:
secretName: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
secretNamespace: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
key: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
Applying the InfisicalDynamicSecret CRD to your cluster
Once you have configured the InfisicalDynamicSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that a lease has been created in Infisical and synced to your Kubernetes cluster.
Deployments referring to Kubernetes secrets containing Infisical dynamic secrets don’t automatically reload when the dynamic secret lease expires. This means your deployment may use expired dynamic secrets unless manually redeployed.
To address this, we’ve added functionality to automatically redeploy your deployment when the associated Kubernetes secret containing your Infisical dynamic secret updates.
To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret
secrets.infisical.com/auto-reload:"true"
apiVersion: apps/v1kind: Deploymentmetadata:name: nginx-deployment labels:app: nginxannotations:secrets.infisical.com/auto-reload:"true"# <- redeployment annotationspec:replicas:1 selector: matchLabels:app: nginx template: metadata: labels:app: nginx spec: containers:-name: nginximage: nginx:1.14.2 envFrom:- secretRef:name: managed-secret # The name of your managed secret, the same that you're using in your InfisicalDynamicSecret CRD (spec.managedSecretReference.secretName) ports:-containerPort:80
How it works
When the lease changes, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update.
Then, for each deployment that has this annotation present, a rolling update will be triggered. A redeployment won’t happen if the lease is renewed, only if it’s recreated.
