> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Using the InfisicalDynamicSecret CRD

> Learn how to generate dynamic secret leases in Infisical and sync them to your Kubernetes cluster.

## Overview

The **InfisicalDynamicSecret** CRD allows you to easily create and manage dynamic secret leases in Infisical and automatically sync them to your Kubernetes cluster as native **Kubernetes Secret** resources.
This means any Pod, Deployment, or other Kubernetes resource can make use of dynamic secrets from Infisical just like any other K8s secret.

This CRD offers the following features:

* **Generate a dynamic secret lease** in Infisical and track its lifecycle.
* **Write** the dynamic secret from Infisical to your cluster as native Kubernetes secret.
* **Automatically rotate** the dynamic secret value before it expires to make sure your cluster always has valid credentials.
* **Optionally trigger redeployments** of any workloads that consume the secret if you enable auto-reload.

### Prerequisites

* A project within Infisical.
* A [machine identity](/documentation/platform/identities/machine-identities) ready for use in Infisical that has permissions to create dynamic secret leases in the project.
* You have already configured a dynamic secret in Infisical.
* The operator is installed on to your Kubernetes cluster.

## Configure Dynamic Secret CRD

The example below shows a sample **InfisicalDynamicSecret** CRD that creates a dynamic secret lease in Infisical, and syncs the lease to your Kubernetes cluster.

```yaml dynamic-secret-crd.yaml theme={"dark"}
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalDynamicSecret
metadata:
  name: infisicaldynamicsecret
spec:
  hostAPI: https://app.infisical.com/api # Optional, defaults to https://app.infisical.com/api

  dynamicSecret:
    secretName: <dynamic-secret-name>
    projectId: <project-id>
    secretsPath: <path/to/dynamic-secret> # Root directory is /
    environmentSlug: <env-slug>

  # Lease revocation policy defines what should happen to leases created by the operator if the CRD is deleted.
  # If set to "Revoke", leases will be revoked when the InfisicalDynamicSecret CRD is deleted.
  leaseRevocationPolicy: Revoke

  # Lease TTL defines how long the lease should last for the dynamic secret.
  # This value must be less than 1 day, and if a max TTL is defined on the dynamic secret, it must be below the max TTL.
  leaseTTL: 1m

  # A reference to the secret that the dynamic secret lease should be stored in.
  # If the secret doesn't exist, it will automatically be created.
  managedSecretReference:
    secretName: <secret-name>
    secretNamespace: default # Must be the same namespace as the InfisicalDynamicSecret CRD.
    creationPolicy: Orphan

  # Only have one authentication method defined or you are likely to run into authentication issues.
  # Remove all except one authentication method.
  authentication:
    awsIamAuth:
      identityId: <machine-identity-id>
    azureAuth:
      identityId: <machine-identity-id>
    gcpIamAuth:
      identityId: <machine-identity-id>
      serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
    gcpIdTokenAuth:
      identityId: <machine-identity-id>
    ldapAuth:
      identityId: <machine-identity-id>
      credentialsRef:
        secretName: <secret-name> # ldap-auth-credentials
        secretNamespace: <secret-namespace> # default
    kubernetesAuth:
      identityId: <machine-identity-id>
      serviceAccountRef:
        name: <secret-name>
        namespace: <secret-namespace>
    universalAuth:
      credentialsRef:
        secretName: <secret-name> # universal-auth-credentials
        secretNamespace: <secret-namespace> # default
```

Apply the InfisicalDynamicSecret CRD to your cluster.

```bash theme={"dark"}
kubectl apply -f dynamic-secret-crd.yaml
```

After applying the InfisicalDynamicSecret CRD, you should notice that the dynamic secret lease has been created in Infisical and synced to your Kubernetes cluster. You can verify that the lease has been created by doing:

```bash theme={"dark"}
kubectl get secret <managed-secret-name> -o yaml
```

After getting the secret, you should should see that the secret has data that contains the lease credentials.

```yaml theme={"dark"}
apiVersion: v1
data:
  DB_PASSWORD: VHhETjZ4c2xsTXpOSWdPYW5LLlRyNEc2alVKYml6WiQjQS0tNTdodyREM3ZLZWtYSi4hTkdyS0F+TVFsLU9CSA==
  DB_USERNAME: cHg4Z0dJTUVBcHdtTW1aYnV3ZWRsekJRRll6cW4wFEE=
kind: Secret
# .....
```

### InfisicalDynamicSecret CRD properties

<Accordion title="hostAPI">
  If you are fetching secrets from a self-hosted instance of Infisical set the value of `hostAPI` to
  `https://your-self-hosted-instace.com/api`

  When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.

  <Accordion title="Advanced use case">
    If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend's service directly without having to route through the public internet.
    To achieve this, use the following address for the hostAPI field:

    ```bash theme={"dark"}
    http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
    ```

    Make sure to replace `<backend-svc-name>` and `<namespace>` with the appropriate values for your backend service and namespace.
  </Accordion>
</Accordion>

<Accordion title="leaseTTL">
  The `leaseTTL` is a string-formatted duration that defines the time the lease should last for the dynamic secret.

  The format of the field is `[duration][unit]` where `duration` is a number and `unit` is a string representing the unit of time.

  The following units are supported:

  * `s` for seconds (must be at least 5 seconds)
  * `m` for minutes
  * `h` for hours
  * `d` for days

      <Note>
        The lease duration at most be 1 day (24 hours). And the TTL must be less than the max TTL defined on the dynamic secret.
      </Note>
</Accordion>

<Accordion title="managedSecretReference">
  The `managedSecretReference` field is used to define the Kubernetes secret where the dynamic secret lease should be stored. The required fields are `secretName` and `secretNamespace`.

  ```yaml theme={"dark"}
  spec:
    managedSecretReference:
      secretName: <secret-name>
      secretNamespace: default
  ```

  {" "}

  <Accordion title="managedSecretReference.secretName">
    The name of the Kubernetes secret where the dynamic secret lease should be
    stored.
  </Accordion>

  {" "}

  <Accordion title="managedSecretReference.secretNamespace">
    The namespace of the Kubernetes secret where the dynamic secret lease should
    be stored.
  </Accordion>

  <Accordion title="managedSecretReference.creationPolicy">
    Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator.
    This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.

    #### Available options

    * `Orphan` (default)
    * `Owner`

    <Tip>
      When creation policy is set to `Owner`, the `InfisicalDynamicSecret` CRD must be in
      the same namespace as the managed kubernetes secret.
    </Tip>

    This field is optional.
  </Accordion>

  <Accordion title="managedSecretReference.secretType">
    Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.

    This field is optional.
  </Accordion>
</Accordion>

<Accordion title="leaseRevocationPolicy">
  The field is optional and will default to `None` if not defined.

  The lease revocation policy defines what the operator should do with the leases created by the operator, when the InfisicalDynamicSecret CRD is deleted.

  Valid values are `None` and `Revoke`.

  Behavior of each policy:

  * `None`: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.
  * `Revoke`: The operator will revoke the leases created by the operator when the InfisicalDynamicSecret CRD is deleted.

  ```yaml theme={"dark"}
  spec:
    leaseRevocationPolicy: Revoke
  ```
</Accordion>

<Accordion title="dynamicSecret">
  The `dynamicSecret` field is used to specify which dynamic secret to create leases for. The required fields are `secretName`, `projectId`, `secretsPath`, and `environmentSlug`.

  ```yaml theme={"dark"}
  spec:
    dynamicSecret:
      secretName: <dynamic-secret-name>
      # Use either projectId OR projectSlug, not both
      projectId: <project-id> # Either projectId or projectSlug is required
      # projectSlug: <project-slug>
      environmentSlug: <env-slug>
      secretsPath: <secrets-path>
  ```

  {" "}

  <Accordion title="dynamicSecret.secretName">
    The name of the dynamic secret.
  </Accordion>

  {" "}

  <Accordion title="dynamicSecret.projectId">
    The project ID of where the dynamic secret is stored in Infisical.

    <Note>
      Please note that you can only use either `projectId` or `projectSlug` in the `dynamicSecret` field.
    </Note>
  </Accordion>

  <Accordion title="dynamicSecret.projectSlug">
    The project slug of where the dynamic secret is stored in Infisical.

    <Note>
      Please note that you can only use either `projectId` or `projectSlug` in the `dynamicSecret` field.
    </Note>
  </Accordion>

  {" "}

  <Accordion title="dynamicSecret.environmentSlug">
    The environment slug of where the dynamic secret is stored in Infisical.
  </Accordion>

  {" "}

  <Accordion title="dynamicSecret.secretsPath">
    The path of where the dynamic secret is stored in Infisical. The root path is
    `/`.
  </Accordion>
</Accordion>

<Accordion title="authentication">
  The `authentication` field dictates which authentication method to use when pushing secrets to Infisical.
  The available authentication methods are `universalAuth`, `kubernetesAuth`, `awsIamAuth`, `azureAuth`, `gcpIdTokenAuth`, and `gcpIamAuth`.

  <Accordion title="universalAuth">
    The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider.
    [Read more about Universal Auth](/documentation/platform/identities/universal-auth).

    Valid fields:

    * `identityId`: The identity ID of the machine identity you created.
    * `credentialsRef`: The name and namespace of the Kubernetes secret that stores the service token.
    * `credentialsRef.secretName`: The name of the Kubernetes secret.
    * `credentialsRef.secretNamespace`: The namespace of the Kubernetes secret.

    Example:

    ```yaml theme={"dark"}
      # infisical-push-secret.yaml
      spec:
        universalAuth:
          credentialsRef:
            secretName: <secret-name>
            secretNamespace: <secret-namespace>
    ```

    ```yaml theme={"dark"}
      # machine-identity-credentials.yaml
      apiVersion: v1
      kind: Secret
      metadata:
        name: universal-auth-credentials
      type: Opaque
      stringData:
        clientId: <machine-identity-client-id>
        clientSecret: <machine-identity-client-secret>
    ```
  </Accordion>

  <Accordion title="kubernetesAuth">
    The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalDynamicSecret resource. This authentication method can only be used within a Kubernetes environment.
    [Read more about Kubernetes Auth](/documentation/platform/identities/kubernetes-auth).
    Valid fields:

    * `identityId`: The identity ID of the machine identity you created.
    * `serviceAccountRef`: The name and namespace of the service account that will be used to authenticate with Infisical.
    * `serviceAccountRef.name`: The name of the service account.
    * `serviceAccountRef.namespace`: The namespace of the service account.
    * `autoCreateServiceAccountToken`: If set to `true`, the operator will automatically create a short-lived service account token on-demand for the service account. Defaults to `false`.
    * `serviceAccountTokenAudiences`: Optionally specify audience for the service account token. This field is only relevant if you have set `autoCreateServiceAccountToken` to `true`. No audience is specified by default.

    Example:

    ```yaml theme={"dark"}
      spec:
        kubernetesAuth:
          identityId: <machine-identity-id>
          autoCreateServiceAccountToken: true # Automatically creates short-lived service account tokens for the service account.
          serviceAccountTokenAudiences:
            - <audience> # Optionally specify audience for the service account token. No audience is specified by default.
          serviceAccountRef:
            name: <secret-name>
            namespace: <secret-namespace>
    ```
  </Accordion>

  <Accordion title="ldapAuth">
    The LDAP machine identity authentication method is used to authenticate with a configured LDAP directory. [Read more about LDAP Auth](/documentation/platform/identities/ldap-auth).

    Valid fields:

    * `identityId`: The identity ID of the machine identity you created.
    * `credentialsRef`: The name and namespace of the Kubernetes secret that stores the LDAP credentials.
    * `credentialsRef.secretName`: The name of the Kubernetes secret.
    * `credentialsRef.secretNamespace`: The namespace of the Kubernetes secret.

    Example:

    ```yaml theme={"dark"}
      # infisical-push-secret.yaml
      spec:
        ldapAuth:
          identityId: <machine-identity-id>
          credentialsRef:
            secretName: <secret-name>
            secretNamespace: <secret-namespace>
    ```

    ```yaml theme={"dark"}
      # machine-identity-credentials.yaml
      apiVersion: v1
      kind: Secret
      metadata:
        name: ldap-auth-credentials
      type: Opaque
      stringData:
        username: <ldap-username>
        password: <ldap-password>
    ```
  </Accordion>

  <Accordion title="awsIamAuth">
    The AWS IAM machine identity authentication method is used to authenticate with Infisical.
    [Read more about AWS IAM Auth](/documentation/platform/identities/aws-auth).

    Valid fields:

    * `identityId`: The identity ID of the machine identity you created.

    Example:

    ```yaml theme={"dark"}
      spec:
        authentication:
          awsIamAuth:
            identityId: <machine-identity-id>
    ```
  </Accordion>

  <Accordion title="azureAuth">
    The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment.
    [Read more about Azure Auth](/documentation/platform/identities/azure-auth).

    Valid fields:

    * `identityId`: The identity ID of the machine identity you created.

    Example:

    ```yaml theme={"dark"}
      spec:
        authentication:
          azureAuth:
            identityId: <machine-identity-id>
    ```
  </Accordion>

  <Accordion title="gcpIamAuth">
    The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalDynamicSecret resource. This authentication method can only be used both within and outside GCP environments.
    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).

    Valid fields:

    * `identityId`: The identity ID of the machine identity you created.
    * `serviceAccountKeyFilePath`: The path to the GCP service account key file.

    Example:

    ```yaml theme={"dark"}
      spec:
        gcpIamAuth:
          identityId: <machine-identity-id>
          serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
    ```
  </Accordion>

  <Accordion title="gcpIdTokenAuth">
    The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalDynamicSecret resource. This authentication method can only be used within GCP environments.
    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).

    Valid fields:

    * `identityId`: The identity ID of the machine identity you created.

    Example:

    ```yaml theme={"dark"}
      spec:
        gcpIdTokenAuth:
          identityId: <machine-identity-id>
    ```
  </Accordion>
</Accordion>

<Accordion title="tls">
  This block defines the TLS settings to use for connecting to the Infisical
  instance.

  Fields:

  <Accordion title="caRef">
    This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.

    Valid fields:

    * `secretName`: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
    * `secretNamespace`: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
    * `key`: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.

    Example:

    ```yaml theme={"dark"}
      tls:
        caRef:
          secretName: custom-ca-certificate
          secretNamespace: default
          key: ca.crt
    ```
  </Accordion>
</Accordion>

### Applying the InfisicalDynamicSecret CRD to your cluster

Once you have configured the `InfisicalDynamicSecret` CRD with the required fields, you can apply it to your cluster. After applying, you should notice that a lease has been created in Infisical and synced to your Kubernetes cluster.

```bash theme={"dark"}
kubectl apply -f dynamic-secret-crd.yaml
```

## Auto redeployment

Deployments referring to Kubernetes secrets containing Infisical dynamic secrets don't automatically reload when the dynamic secret lease expires. This means your deployment may use expired dynamic secrets unless manually redeployed.
To address this, we've added functionality to automatically redeploy your deployment when the associated Kubernetes secret containing your Infisical dynamic secret updates.

#### Enabling auto redeploy

To enable auto redeployment you simply have to add the following annotation to the deployment, statefulset, or daemonset that consumes a managed secret.

```yaml theme={"dark"}
secrets.infisical.com/auto-reload: "true"
```

<Accordion title="Deployment example with auto redeploy enabled">
  ```yaml theme={"dark"}
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx-deployment
    labels:
      app: nginx
    annotations:
      secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
        - name: nginx
          image: nginx:1.14.2
          envFrom:
          - secretRef:
              name: managed-secret # The name of your managed secret, the same that you're using in your InfisicalDynamicSecret CRD (spec.managedSecretReference.secretName)
          ports:
          - containerPort: 80
  ```
</Accordion>

<Info>
  #### How it works

  When the lease changes, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update.
  Then, for each deployment that has this annotation present, a rolling update will be triggered. A redeployment won't happen if the lease is renewed, only if it's recreated.
</Info>
