Overview

The InfisicalDynamicSecret CRD allows you to easily create and manage dynamic secret leases in Infisical and automatically sync them to your Kubernetes cluster as native Kubernetes Secret resources. This means any Pod, Deployment, or other Kubernetes resource can make use of dynamic secrets from Infisical just like any other K8s secret.

This CRD offers the following features:

  • Generate a dynamic secret lease in Infisical and track its lifecycle.
  • Write the dynamic secret from Infisical to your cluster as a native Kubernetes Secret.
  • Automatically rotate the dynamic secret value before it expires to make sure your cluster always has valid credentials.
  • Optionally trigger redeployments of any workloads that consume the secret if you enable auto-reload.

Prerequisites

  • The operator is installed on your Kubernetes cluster
  • You have already configured a dynamic secret in Infisical

Configure Dynamic Secret CRD

The example below shows a sample InfisicalDynamicSecret CRD that creates a dynamic secret lease in Infisical, and syncs the lease to your Kubernetes cluster.

dynamic-secret-crd.yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalDynamicSecret
metadata:
  name: infisicaldynamicsecret
spec:
  hostAPI: https://app.infisical.com/api # Optional, defaults to https://app.infisical.com/api

  dynamicSecret:
    secretName: <dynamic-secret-name>
    projectId: <project-id>
    secretsPath: <path/to/dynamic-secret> # Root directory is /
    environmentSlug: <env-slug>

  # Lease revocation policy defines what should happen to leases created by the operator if the CRD is deleted.
  # If set to "Revoke", leases will be revoked when the InfisicalDynamicSecret CRD is deleted.
  leaseRevocationPolicy: Revoke

  # Lease TTL defines how long the lease should last for the dynamic secret.
  # This value must be less than 1 day, and if a max TTL is defined on the dynamic secret, it must be below the max TTL.
  leaseTTL: 1m

  # A reference to the secret that the dynamic secret lease should be stored in.
  # If the secret doesn't exist, it will automatically be created.
  managedSecretReference:
    secretName: <secret-name>
    secretNamespace: default # Must be the same namespace as the InfisicalDynamicSecret CRD.
    creationPolicy: Orphan

  # Define exactly one authentication method. Leaving several of the blocks below in place
  # is likely to cause authentication failures, so remove all but the one you use.
  authentication:
    awsIamAuth:
      identityId: <machine-identity-id>
    azureAuth:
      identityId: <machine-identity-id>
    gcpIamAuth:
      identityId: <machine-identity-id>
      serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
    gcpIdTokenAuth:
      identityId: <machine-identity-id>
    kubernetesAuth:
      identityId: <machine-identity-id>
      serviceAccountRef:
        name: <secret-name>
        namespace: <secret-namespace>
    universalAuth:
      credentialsRef:
        secretName: <secret-name> # universal-auth-credentials
        secretNamespace: <secret-namespace> # default

Apply the InfisicalDynamicSecret CRD to your cluster.

kubectl apply -f dynamic-secret-crd.yaml

After applying the InfisicalDynamicSecret CRD, you should notice that the dynamic secret lease has been created in Infisical and synced to your Kubernetes cluster. You can verify that the lease has been created by doing:

kubectl get secret <managed-secret-name> -o yaml

After getting the secret, you should see that its data contains the lease credentials (base64-encoded, as in any Kubernetes Secret).

apiVersion: v1
data:
  DB_PASSWORD: VHhETjZ4c2xsTXpOSWdPYW5LLlRyNEc2alVKYml6WiQjQS0tNTdodyREM3ZLZWtYSi4hTkdyS0F+TVFsLU9CSA==
  DB_USERNAME: cHg4Z0dJTUVBcHdtTW1aYnV3ZWRsekJRRll6cW4wFEE=
kind: Secret
# .....
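Before applying the manifest it is worth checking the constraints called out in its comments, because a misconfigured manifest only fails once the operator tries to reconcile it. The script below is an added example written for this page, not part of the Infisical operator: it takes the manifest as a Python dict with the same structure as the YAML above (the sample secret names, project id and identity id are placeholders chosen here) and reports an authentication block with more than one method, a leaseTTL that does not parse, is not below one day or exceeds the dynamic secret's max TTL, and a managed Secret namespace that differs from the CRD's own. The accepted duration syntax (an integer with an s, m or h suffix) is an assumption based on the `1m` shown above.

```python
"""Pre-apply checks for an InfisicalDynamicSecret manifest.

Added example, not part of the Infisical operator. It checks the constraints
stated in the manifest comments above before `kubectl apply`: exactly one
authentication method, a leaseTTL below one day (and within the dynamic
secret's max TTL when that is known), and a managed Secret in the CRD's own
namespace. The manifest is a Python dict with the same structure as the YAML,
so no YAML library is needed.
"""
import re

# Authentication methods shown in the manifest template above.
AUTH_METHODS = {"awsIamAuth", "azureAuth", "gcpIamAuth",
                "gcpIdTokenAuth", "kubernetesAuth", "universalAuth"}
ONE_DAY = 24 * 3600
# Assumption: leaseTTL is written like the "1m" in the docs, i.e. an integer
# with an s, m or h suffix. Anything else is reported rather than guessed at.
_DURATION = re.compile(r"^(\d+)([smh])$")
_UNIT = {"s": 1, "m": 60, "h": 3600}


def parse_ttl(ttl):
    """Return the TTL in seconds, raising ValueError for an unparseable value."""
    m = _DURATION.match(str(ttl).strip())
    if not m:
        raise ValueError(f"unparseable leaseTTL {ttl!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def validate(manifest, max_ttl_seconds=None):
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    spec = manifest.get("spec", {})
    crd_ns = manifest.get("metadata", {}).get("namespace", "default")

    # Exactly one authentication method, otherwise the operator may fail to log in.
    auth = spec.get("authentication") or {}
    configured = sorted(k for k in auth if k in AUTH_METHODS and auth[k])
    if len(configured) != 1:
        problems.append("expected exactly one authentication method, found "
                        + (", ".join(configured) or "none"))

    # leaseTTL must be below one day and within the dynamic secret's max TTL.
    try:
        ttl = parse_ttl(spec.get("leaseTTL", ""))
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if ttl >= ONE_DAY:
            problems.append(f"leaseTTL {spec['leaseTTL']} is not below one day")
        if max_ttl_seconds is not None and ttl > max_ttl_seconds:
            problems.append(f"leaseTTL {spec['leaseTTL']} exceeds the dynamic "
                            f"secret's max TTL of {max_ttl_seconds}s")

    # The managed Secret has to live in the same namespace as the CRD.
    ref = spec.get("managedSecretReference") or {}
    target_ns = ref.get("secretNamespace", crd_ns)
    if target_ns != crd_ns:
        problems.append(f"managedSecretReference.secretNamespace {target_ns!r} "
                        f"differs from the CRD namespace {crd_ns!r}")
    if not ref.get("secretName"):
        problems.append("managedSecretReference.secretName is required")
    return problems


# Constructed sample with the structure of dynamic-secret-crd.yaml above; the
# secret names, project id and identity id are placeholders for this example.
SAMPLE_MANIFEST = {
    "apiVersion": "secrets.infisical.com/v1alpha1",
    "kind": "InfisicalDynamicSecret",
    "metadata": {"name": "infisicaldynamicsecret", "namespace": "default"},
    "spec": {
        "dynamicSecret": {"secretName": "postgres-app-creds",
                          "projectId": "example-project-id",
                          "secretsPath": "/", "environmentSlug": "dev"},
        "leaseRevocationPolicy": "Revoke",
        "leaseTTL": "1m",
        "managedSecretReference": {"secretName": "managed-postgres-creds",
                                   "secretNamespace": "default",
                                   "creationPolicy": "Orphan"},
        "authentication": {
            "kubernetesAuth": {"identityId": "example-identity-id",
                               "serviceAccountRef": {"name": "infisical-auth",
                                                     "namespace": "default"}},
        },
    },
}

if __name__ == "__main__":
    for problem in validate(SAMPLE_MANIFEST, max_ttl_seconds=3600) or ["ok"]:
        print(problem)
```

Run it against your own manifest (after loading the YAML into a dict) before `kubectl apply`; a non-empty list is the reason the operator would otherwise reject or fail to sync the lease.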

InfisicalDynamicSecret CRD properties

Applying the InfisicalDynamicSecret CRD to your cluster

Once you have configured the InfisicalDynamicSecret CRD with the required fields, you can apply it to your cluster. After applying, you should notice that a lease has been created in Infisical and synced to your Kubernetes cluster.

kubectl apply -f dynamic-secret-crd.yaml

Auto redeployment

Kubernetes does not restart Pods when a Secret they consume changes: a Secret injected as environment variables is read only when the container starts, and a volume-mounted Secret is refreshed on disk but only helps if the application re-reads it. So a Deployment that uses the Kubernetes secret holding an Infisical dynamic secret keeps running with the old credentials after the lease expires and is replaced, unless it is redeployed by hand. To address this, we’ve added functionality to automatically redeploy your deployment when the associated Kubernetes secret containing your Infisical dynamic secret updates.

Enabling auto redeploy

To enable auto redeployment, add the following annotation to the Deployment that consumes the managed secret:

secrets.infisical.com/auto-reload: "true"

How it works

When the lease changes, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update. Then, for each deployment that has this annotation present, a rolling update will be triggered. A redeployment won’t happen if the lease is renewed, only if it’s recreated.
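As an added example that models the behaviour described above (it is not the operator's own code), the script below works out which Deployments would be rolled when the managed Secret changes. A Deployment is rolled only if it is in the Secret's namespace, consumes that Secret through env, envFrom or a volume, carries the annotation, and the Secret data actually changed, which is what distinguishes a recreated lease from a renewed one. The rolling update is triggered the way `kubectl rollout restart` does it, by stamping the pod template; the Deployments, Secret name and credential values are constructed for the example.

```python
"""Which Deployments are rolled when the operator-managed Secret changes.

Added example modelling the behaviour described above; it is not the
operator's own code. Deployments are plain dicts with the shape of apps/v1
objects, and the sample Deployments and Secret data are constructed here.
"""
import datetime

AUTO_RELOAD_ANNOTATION = "secrets.infisical.com/auto-reload"
# `kubectl rollout restart` triggers a rolling update by stamping this
# annotation on the pod template; the same mechanism is used here.
RESTART_ANNOTATION = "kubectl.kubernetes.io/restartedAt"


def secrets_used_by(deployment):
    """Names of every Secret the pod template consumes: env, envFrom, volumes."""
    pod = deployment["spec"]["template"]["spec"]
    names = set()
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                names.add(src["secretRef"]["name"])
    for vol in pod.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    return names


def auto_reload_enabled(deployment):
    """True when the Deployment carries secrets.infisical.com/auto-reload: "true"."""
    ann = deployment["metadata"].get("annotations") or {}
    return ann.get(AUTO_RELOAD_ANNOTATION) == "true"


def lease_recreated(old_data, new_data):
    """A renewal extends the lease and leaves the credentials unchanged; only a
    recreated lease changes the Secret data and warrants a redeploy."""
    return old_data != new_data


def trigger_rolling_update(deployment, now=None):
    """Stamp the pod template so the Deployment controller rolls new Pods."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    tmeta = deployment["spec"]["template"].setdefault("metadata", {})
    tmeta.setdefault("annotations", {})[RESTART_ANNOTATION] = now.isoformat()
    return deployment


def reconcile(deployments, secret_name, secret_namespace, old_data, new_data):
    """Roll every opted-in consumer of the Secret; return their (namespace, name)."""
    if not lease_recreated(old_data, new_data):
        return []
    rolled = []
    for d in deployments:
        ns = d["metadata"].get("namespace", "default")
        if (ns == secret_namespace and secret_name in secrets_used_by(d)
                and auto_reload_enabled(d)):
            trigger_rolling_update(d)
            rolled.append((ns, d["metadata"]["name"]))
    return rolled


def _deployment(name, namespace="default", auto_reload=None,
                env=(), env_from=(), volumes=()):
    """Construct a minimal apps/v1 Deployment dict for the example."""
    meta = {"name": name, "namespace": namespace}
    if auto_reload is not None:
        meta["annotations"] = {AUTO_RELOAD_ANNOTATION: auto_reload}
    container = {"name": "app", "image": "example.invalid/app:1.0",
                 "env": list(env), "envFrom": list(env_from)}
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": meta,
            "spec": {"template": {"spec": {"containers": [container],
                                           "volumes": list(volumes)}}}}


MANAGED = "managed-postgres-creds"  # assumed managedSecretReference.secretName
SAMPLE_DEPLOYMENTS = [
    # annotated and consumes the managed Secret through envFrom: rolled
    _deployment("api", auto_reload="true",
                env_from=[{"secretRef": {"name": MANAGED}}]),
    # consumes it as a volume but never opted in: left alone
    _deployment("worker", volumes=[{"name": "creds",
                                    "secret": {"secretName": MANAGED}}]),
    # opted in but reads a different Secret: left alone
    _deployment("reporter", auto_reload="true",
                env=[{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {
                    "name": "other-creds", "key": "DB_PASSWORD"}}}]),
    # same Secret name in another namespace is a different Secret: left alone
    _deployment("api", namespace="staging", auto_reload="true",
                env_from=[{"secretRef": {"name": MANAGED}}]),
]
# Constructed credential values standing in for two successive leases.
OLD_LEASE = {"DB_USERNAME": "px8gGIMEApwm", "DB_PASSWORD": "TxDN6xsllMzN"}
NEW_LEASE = {"DB_USERNAME": "kq2LtvRaDd1c", "DB_PASSWORD": "Zq9vYe3HsPwa"}

if __name__ == "__main__":
    print(reconcile(SAMPLE_DEPLOYMENTS, MANAGED, "default", OLD_LEASE, OLD_LEASE))
    print(reconcile(SAMPLE_DEPLOYMENTS, MANAGED, "default", OLD_LEASE, NEW_LEASE))
```

The namespace check matters: Secret names are only unique within a namespace, so a Deployment in another namespace that happens to reference the same name is consuming a different Secret and must not be rolled.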