Learn how to generate dynamic secret leases in Infisical and sync them to your Kubernetes cluster.
### hostAPI

The `hostAPI` field tells the operator which Infisical API to talk to. For a self-hosted instance, set `hostAPI` to `https://your-self-hosted-instace.com/api`. When `hostAPI` is not defined, the operator fetches secrets from Infisical Cloud.

Advanced use case: when the operator reaches a self-hosted Infisical backend through its in-cluster service, replace `<backend-svc-name>` and `<namespace>` with the appropriate values for your backend service and namespace.
### leaseTTL

`leaseTTL` is a string-formatted duration that defines how long the lease for the dynamic secret should last.

The format of the field is `[duration][unit]`, where `duration` is a number and `unit` is a string representing the unit of time. The following units are supported:

- `s` for seconds (must be at least 5 seconds)
- `m` for minutes
- `h` for hours
- `d` for days
### managedSecretReference

The `managedSecretReference` field defines the Kubernetes secret where the dynamic secret lease should be stored. The required fields are `secretName` and `secretNamespace`.

- `managedSecretReference.secretName`: The name of the managed Kubernetes secret.
- `managedSecretReference.secretNamespace`: The namespace of the managed Kubernetes secret.
- `managedSecretReference.creationPolicy`: Either `Orphan` (default) or `Owner`. When set to `Owner`, the `InfisicalSecret` CRD must be in the same namespace as the managed Kubernetes secret.
- `managedSecretReference.secretType`: The type of the managed Kubernetes secret.
### leaseRevocationPolicy

The lease revocation policy defines what the operator should do with the leases it created when the `InfisicalDynamicSecret` CRD is deleted. It defaults to `None` if not defined. Valid values are `None` and `Revoke`.

Behavior of each policy:

- `None`: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.
- `Revoke`: The operator will revoke the leases it created when the `InfisicalDynamicSecret` CRD is deleted.
### dynamicSecret

The `dynamicSecret` field specifies which dynamic secret to create leases for. The required fields are `secretName`, `projectId`, `secretsPath`, and `environmentSlug`.

- `dynamicSecret.secretName`: The name of the dynamic secret in Infisical.
- `dynamicSecret.projectId`: The ID of the Infisical project that contains the dynamic secret.
- `dynamicSecret.environmentSlug`: The slug of the environment that contains the dynamic secret.
- `dynamicSecret.secretsPath`: The path of the dynamic secret in Infisical, for example the root path `/`.
### authentication

The `authentication` field dictates which authentication method to use when pushing secrets to Infisical. The available authentication methods are `universalAuth`, `kubernetesAuth`, `awsIamAuth`, `azureAuth`, `gcpIdTokenAuth`, and `gcpIamAuth`.

#### universalAuth

- `identityId`: The identity ID of the machine identity you created.
- `credentialsRef`: The name and namespace of the Kubernetes secret that stores the service token.
- `credentialsRef.secretName`: The name of the Kubernetes secret.
- `credentialsRef.secretNamespace`: The namespace of the Kubernetes secret.

#### kubernetesAuth

- `identityId`: The identity ID of the machine identity you created.
- `serviceAccountRef`: The name and namespace of the service account that will be used to authenticate with Infisical.
- `serviceAccountRef.name`: The name of the service account.
- `serviceAccountRef.namespace`: The namespace of the service account.
- `autoCreateServiceAccountToken`: If set to `true`, the operator will automatically create a short-lived service account token on demand for the service account. Defaults to `false`.
- `serviceAccountTokenAudiences`: Optionally specify the audience for the service account token. This field is only relevant if you have set `autoCreateServiceAccountToken` to `true`. No audience is specified by default.

#### awsIamAuth

- `identityId`: The identity ID of the machine identity you created.

#### azureAuth

- `identityId`: The identity ID of the machine identity you created.

#### gcpIamAuth

- `identityId`: The identity ID of the machine identity you created.
- `serviceAccountKeyFilePath`: The path to the GCP service account key file.

#### gcpIdTokenAuth

- `identityId`: The identity ID of the machine identity you created.

### tls

- `caRef.secretName`: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
- `caRef.secretNamespace`: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
- `caRef.key`: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
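The fields above assembled into complete manifests, added here as an illustration rather than taken from the Infisical documentation or the operator's own repository. The `apiVersion` is the operator's CRD group and version as I know it and is an assumption here; every `<...>` value is a placeholder for your own identifiers; the resource names, namespaces, the `secretType: Opaque` value, the `ca.crt` key name, the audience value and the list form of `serviceAccountTokenAudiences` are constructed or assumed. The first document targets a self-hosted instance over a custom CA with `universalAuth` and revokes leases on deletion; the second uses Infisical Cloud with `kubernetesAuth` and the default `Orphan`/`None` behaviour.

```yaml
# Added example manifests (not from the Infisical docs). <...> values are placeholders.
# apiVersion is assumed to be the operator's CRD group and version.
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalDynamicSecret
metadata:
  name: postgres-lease                   # constructed name
  namespace: backend                     # constructed; with creationPolicy Owner this must match secretNamespace below
spec:
  # Self-hosted instance; omit hostAPI to use Infisical Cloud.
  hostAPI: https://your-self-hosted-instace.com/api

  # [duration][unit]: s (at least 5), m, h or d
  leaseTTL: 1h

  # Revoke the leases in Infisical when this CRD is deleted (default is None).
  leaseRevocationPolicy: Revoke

  managedSecretReference:
    secretName: postgres-lease           # constructed; the Kubernetes secret the lease is written to
    secretNamespace: backend
    creationPolicy: Owner                # Orphan is the default
    secretType: Opaque                   # assumed; the standard Kubernetes secret type

  dynamicSecret:
    secretName: <dynamic-secret-name>
    projectId: <project-id>
    environmentSlug: <environment-slug>
    secretsPath: /

  authentication:
    universalAuth:
      identityId: <machine-identity-id>
      credentialsRef:
        secretName: infisical-universal-auth   # constructed; the secret holding the machine identity credentials
        secretNamespace: backend

  tls:
    caRef:
      secretName: infisical-ca             # constructed; secret holding the CA certificate
      secretNamespace: backend
      key: ca.crt                          # constructed key name inside that secret
---
# Variant: Infisical Cloud (no hostAPI), default lease handling and kubernetesAuth.
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalDynamicSecret
metadata:
  name: postgres-lease-k8s-auth           # constructed name
  namespace: backend
spec:
  leaseTTL: 30m
  leaseRevocationPolicy: None              # the default; leases are left in place on deletion
  managedSecretReference:
    secretName: postgres-lease-k8s-auth
    secretNamespace: backend
    creationPolicy: Orphan                 # the default; the managed secret outlives this CRD
  dynamicSecret:
    secretName: <dynamic-secret-name>
    projectId: <project-id>
    environmentSlug: <environment-slug>
    secretsPath: /
  authentication:
    kubernetesAuth:
      identityId: <machine-identity-id>
      serviceAccountRef:
        name: infisical-operator-auth      # constructed service account name
        namespace: backend
      autoCreateServiceAccountToken: true  # operator mints a short-lived token on demand
      serviceAccountTokenAudiences:        # list form assumed; only used with autoCreateServiceAccountToken
        - infisical                        # constructed audience value
```

Apply either document with `kubectl apply -f`, then confirm the managed secret exists in the `secretNamespace` you chose (for the first document, `kubectl get secret postgres-lease -n backend`) and that a corresponding lease appears in Infisical. With `Owner` the managed secret is removed together with the CRD, so pair it with `Revoke` when the Infisical-side lease should not outlive the Kubernetes secret.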
Once you have defined the `InfisicalDynamicSecret` CRD with the required fields, you can apply it to your cluster. After applying, you should notice that a lease has been created in Infisical and synced to your Kubernetes cluster.
Deployment example with auto redeploy enabled