Doppler
Doppler SecretOps Platform
Sync secrets from the Doppler SecretOps Platform to Kubernetes using the External Secrets Operator.
Authentication
Doppler Service Tokens are recommended as they restrict access to a single config.
NOTE: Doppler Personal Tokens are also supported but require
project
andconfig
to be set on theSecretStore
orClusterSecretStore
.
Create the Doppler Token secret by opening the Doppler dashboard and navigating to the desired Project and Config, then create a new Service Token from the Access tab:
Create the Doppler Token Kubernetes secret with your Service Token value:
HISTIGNORE='*kubectl*' kubectl create secret generic \
doppler-token-auth-api \
--from-literal dopplerToken="dp.st.xxxx"
Then to create a generic SecretStore
:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: doppler-auth-api
spec:
provider:
doppler:
auth:
secretRef:
dopplerToken:
name: doppler-token-auth-api
key: dopplerToken
NOTE: In case of a
ClusterSecretStore
, be sure to setnamespace
insecretRef.dopplerToken
.
Use Cases
The Doppler provider allows for a wide range of use cases:
Let's explore each use case using a fictional auth-api
Doppler project.
1. Fetch
To sync one or more individual secrets:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-api-db-url
spec:
secretStoreRef:
kind: SecretStore
name: doppler-auth-api
target:
name: auth-api-db-url
data:
- secretKey: DB_URL
remoteRef:
key: DB_URL
2. Fetch all
To sync every secret from a config:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-api-all
spec:
secretStoreRef:
kind: SecretStore
name: doppler-auth-api
target:
name: auth-api-all
dataFrom:
- find:
name:
regexp: .*
3. Filter
To filter secrets by path
(path prefix), name
(regular expression) or a combination of both:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-api-db
spec:
secretStoreRef:
kind: SecretStore
name: doppler-auth-api
target:
name: auth-api-db
dataFrom:
- find:
path: DB_
4. JSON secret
To parse a JSON secret to its key-value pairs:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-api-sa-json
spec:
secretStoreRef:
kind: SecretStore
name: doppler-auth-api
target:
name: auth-api-sa-json
dataFrom:
- extract:
key: SA_JSON
5. Name transformer
Name transformers format keys from Doppler's UPPER_SNAKE_CASE to one of the following alternatives:
- upper-camel
- camel
- lower-snake
- tf-var
- dotnet-env
Name transformers require a specifically configured SecretStore
:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: doppler-auth-api-dotnet-env
spec:
provider:
doppler:
auth:
secretRef:
dopplerToken:
name: doppler-token-auth-api
nameTransformer: dotnet-env
Then an ExternalSecret
referencing the SecretStore
:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: doppler-auth-api-dotnet-env
spec:
secretStoreRef:
kind: SecretStore
name: doppler-auth-api-dotnet-env
target:
name: doppler-auth-api-dotnet-env
creationPolicy: Owner
dataFrom:
- find:
name:
regexp: .*
6. Download
A single DOPPLER_SECRETS_FILE
key is set where the value is the secrets downloaded in one of the following formats:
- json
- dotnet-json
- env
- env-no-quotes
- yaml
Downloading secrets requires a specifically configured SecretStore
:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: doppler-auth-api-json-file
spec:
provider:
doppler:
auth:
secretRef:
dopplerToken:
name: doppler-token-auth-api
key: dopplerToken
format: json
Then an ExternalSecret
referencing the SecretStore
:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-api-json-file
spec:
secretStoreRef:
kind: SecretStore
name: doppler-auth-api-json-file
target:
name: auth-api-json-file
dataFrom:
- find:
path: DOPPLER_SECRETS_FILE