External Secrets Operator

Kubernetes secrets sync automation using the External Secrets Operator Doppler provider.

If you're already using the External Secrets Operator in your Kubernetes cluster, then you can take advantage of our Doppler External Secrets provider.

If you're after an in-depth end-to-end user guide, check out our Kubernetes External Secrets blog post.

Authentication

Doppler Service Tokens are recommended as they restrict access to a single config.

Doppler Service Account Tokens are also supported but require project and config to be set on the SecretStore or ClusterSecretStore. See the Service Account Token example below.

Create the Doppler Token secret by opening the Doppler dashboard and navigating to the desired Project and Config, then create a new Service Token from the Access tab:

Screenshot of create service token modal in Doppler UI

Create the Doppler Token Kubernetes secret with your Service Token value:

HISTIGNORE='*kubectl*' kubectl create secret generic \
  doppler-token-auth-api \
  --from-literal dopplerToken="dp.st.xxxx" \
  -n external-secrets

Then create a generic SecretStore. With a Service Token, the project and config are implied by the token itself:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: doppler-auth-api
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            name: doppler-token-auth-api
            key: dopplerToken

With a Service Account Token, the project and config must be set explicitly on the store:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: doppler-auth-api
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            name: doppler-token-auth-api
            key: dopplerToken
      project: your-project-name
      config: your-config-name

In case of a ClusterSecretStore, be sure to also set namespace in secretRef.dopplerToken, since a cluster-scoped store cannot infer which namespace holds the token secret.

Use Cases

The Doppler provider allows for a wide range of use cases:

  1. Fetch
  2. Fetch all
  3. Filter
  4. JSON secret
  5. Name transformer
  6. Download

Let's explore each use case using a fictional auth-api Doppler project.

1. Fetch

To sync one or more individual secrets:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: auth-api-db-url
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api
  target:
    name: auth-api-db-url
  data:
    - secretKey: DB_URL
      remoteRef:
        key: DB_URL

2. Fetch all

To sync every secret from a config:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: auth-api-all
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api
  target:
    name: auth-api-all
  dataFrom:
    - find:
        name:
          regexp: .*

3. Filter

To filter secrets by path (a name prefix), by name (a regular expression), or by a combination of both, so that only the matching subset of the config is synced into the Kubernetes Secret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: auth-api-db
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api
  target:
    name: auth-api-db
  dataFrom:
    - find:
        path: DB_

4. JSON secret

To parse a secret whose value is a JSON object into its top-level key-value pairs, each becoming its own key in the Kubernetes Secret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: auth-api-sa-json
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api
  target:
    name: auth-api-sa-json
  dataFrom:
    - extract:
        key: SA_JSON
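To see what each of the four selection styles above (data, find by regexp, find by path, extract) actually lands in the resulting Kubernetes Secret, here is an added Python model of the data and dataFrom resolution, written for this page and not taken from the External Secrets Operator or Doppler code. It assumes a constructed auth-api config and that the find regexp is unanchored (a match anywhere in the secret name counts); reviewing the rendered key set is a quick way to confirm an ExternalSecret is not syncing more of a config than the workload needs.

```python
import json
import re

# Constructed sample of what a Doppler "auth-api" config might contain (not real values).
AUTH_API_CONFIG = {
    "DB_URL": "postgres://auth:example@db:5432/auth",
    "DB_POOL_SIZE": "10",
    "JWT_SIGNING_KEY": "constructed-signing-key",
    "SA_JSON": json.dumps({"client_email": "sa@example.test", "private_key": "constructed"}),
}


def find(config, path=None, regexp=None):
    """dataFrom.find: keep secrets whose name starts with `path` and/or matches `regexp`.
    Assumption: the regexp is unanchored (a match anywhere in the name counts)."""
    pattern = re.compile(regexp) if regexp is not None else None
    return {
        name: value
        for name, value in config.items()
        if (path is None or name.startswith(path))
        and (pattern is None or pattern.search(name))
    }


def extract(config, key):
    """dataFrom.extract: explode a JSON-valued secret into its top-level key/value pairs."""
    return {k: str(v) for k, v in json.loads(config[key]).items()}


def render(spec, config):
    """Resolve the `data` and `dataFrom` sections of an ExternalSecret spec (same shape
    as the manifests on this page) against a config; returns the Kubernetes Secret data."""
    result = {}
    for item in spec.get("data", []):                      # use case 1: individual keys
        result[item["secretKey"]] = config[item["remoteRef"]["key"]]
    for item in spec.get("dataFrom", []):
        if "find" in item:                                 # use cases 2 and 3
            f = item["find"]
            result.update(find(config, f.get("path"), f.get("name", {}).get("regexp")))
        elif "extract" in item:                            # use case 4
            result.update(extract(config, item["extract"]["key"]))
    return result


if __name__ == "__main__":
    fetch_all = {"dataFrom": [{"find": {"name": {"regexp": ".*"}}}]}
    db_only = {"dataFrom": [{"find": {"path": "DB_"}}]}
    print(sorted(render(fetch_all, AUTH_API_CONFIG)))  # every key, JWT_SIGNING_KEY included
    print(sorted(render(db_only, AUTH_API_CONFIG)))    # ['DB_POOL_SIZE', 'DB_URL']
```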

5. Name transformer

Name transformers format keys from Doppler's UPPER_SNAKE_CASE to one of the following alternatives:

  • upper-camel
  • camel
  • lower-snake
  • tf-var
  • dotnet-env
  • lower-kebab

Name transformers require a specifically configured SecretStore, with nameTransformer set on the Doppler provider. With a Service Token:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: doppler-auth-api-dotnet-env
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            name: doppler-token-auth-api
            key: dopplerToken
      nameTransformer: dotnet-env

With a Service Account Token:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: doppler-auth-api-dotnet-env
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            name: doppler-token-auth-api
            key: dopplerToken
      project: your-project-name
      config: your-config-name
      nameTransformer: dotnet-env

Then an ExternalSecret referencing the SecretStore:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: doppler-auth-api-dotnet-env
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api-dotnet-env
  target:
    name: doppler-auth-api-dotnet-env
    creationPolicy: Owner
  dataFrom:
    - find:
        name:
          regexp: .*

6. Download

Instead of one Kubernetes Secret key per Doppler secret, a single DOPPLER_SECRETS_FILE key is set whose value is the entire config downloaded in one of the following formats:

  • json
  • dotnet-json
  • env
  • env-no-quotes
  • yaml

Downloading secrets requires a specifically configured SecretStore, with format set on the Doppler provider. With a Service Token:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: doppler-auth-api-json-file
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            name: doppler-token-auth-api
            key: dopplerToken
      format: json

With a Service Account Token:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: doppler-auth-api-json-file
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            name: doppler-token-auth-api
            key: dopplerToken
      project: your-project-name
      config: your-config-name
      format: json

Then an ExternalSecret referencing the SecretStore:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: auth-api-json-file
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api-json-file
  target:
    name: auth-api-json-file
  dataFrom:
    - find:
        path: DOPPLER_SECRETS_FILE