Doppler Kubernetes Operator OIDC Setup
Configure OIDC authentication with the Doppler Kubernetes Operator
The Doppler Kubernetes Operator supports OIDC authentication, allowing your cluster to authenticate with Doppler using short-lived tokens instead of static API tokens. This provides enhanced security through automatic token rotation and eliminates the need to manage long-lived credentials.
Prerequisites
- Doppler Kubernetes Operator v1.7.0 or later
- Kubernetes cluster with publicly accessible OIDC discovery URL
- Team or Enterprise Doppler plan
- doppler-operator-system namespace with the operator installed
Supported Kubernetes Platforms
Amazon EKS
EKS clusters have OIDC discovery enabled by default with publicly accessible issuer URLs.
Google GKE
GKE clusters support OIDC discovery through Workload Identity. The OIDC issuer URL can be retrieved using the gcloud CLI.
Azure AKS
AKS clusters running Kubernetes 1.35+ have the OIDC issuer enabled by default. For earlier versions, it must be enabled with the --enable-oidc-issuer flag during cluster creation or update.
Self-Managed Clusters
Requires the API server's --service-account-issuer flag to be set to a publicly accessible URL that serves OIDC discovery documents. This flag is required but not set by default on self-managed clusters.
Required configuration:
- --service-account-issuer: Must be an HTTPS URL accessible by Doppler's servers
- --service-account-key-file: Path to the public key for verifying ServiceAccount tokens
- --service-account-signing-key-file: Path to the private key for signing ServiceAccount tokens
Setting Up OIDC Authentication
Step 1: Retrieve Your Cluster's OIDC Configuration
First, verify your cluster supports ServiceAccount OIDC discovery and identify the issuer URL:
# Check if OIDC discovery is available
kubectl get --raw /.well-known/openid-configuration | jq -r .issuer
# If the above fails, your cluster may not have service account issuer discovery configured.
# For self-managed clusters, check the API server configuration:
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath='{.items[0].spec.containers[0].command}' | grep service-account-issuer
# For EKS specifically
aws eks describe-cluster --name YOUR_CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text
# For GKE
gcloud container clusters describe YOUR_CLUSTER_NAME --region=YOUR_REGION --format="value(workloadIdentityConfig.issuerUri)"

Step 2: Create a Doppler Service Account Identity
- Visit your Doppler Service Account settings
- Click "Add Identity" and select "Custom" as the provider
- Configure the identity with these settings:
Discovery URL: Your cluster's OIDC issuer URL from Step 1
Audience:
- If using identity in tokenSecret: dopplerTokenSecret:{dopplerTokenSecretNamespace}:{dopplerTokenSecretName}
- If using identity in DopplerSecret spec: dopplerSecret:{dopplerSecretNamespace}:{dopplerSecretName}
Subject:
system:serviceaccount:doppler-operator-system:doppler-operator-controller-manager
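The audience and subject values above are what Doppler compares against the claims in the ServiceAccount token the operator presents, so a mismatch in either silently fails authentication. The following Python is an added example, not code from the Doppler operator or its documentation: it builds the audience string for both modes (identity in the token secret, or inline in the DopplerSecret spec) and decodes a projected ServiceAccount token locally to check that its iss, aud, sub and exp claims line up with the identity settings before you save them. It assumes the operator presents a token whose aud claim equals the configured audience; the issuer URL and the sample token are constructed placeholders, and signature verification is deliberately left out because Doppler performs it against your cluster's published keys.

```python
import base64
import json
import time

# Subject of the operator's ServiceAccount, as given in the setup steps.
OPERATOR_SUBJECT = (
    "system:serviceaccount:doppler-operator-system:"
    "doppler-operator-controller-manager"
)


def expected_audience(mode, namespace, name):
    """Return the audience the Doppler identity must be configured with.

    mode is "tokenSecret" when the identity ID lives in the Kubernetes secret
    referenced by spec.tokenSecret, or "dopplerSecret" when it is set directly
    in the DopplerSecret spec (spec.identity). namespace/name refer to that
    secret or DopplerSecret respectively.
    """
    if mode == "tokenSecret":
        return f"dopplerTokenSecret:{namespace}:{name}"
    if mode == "dopplerSecret":
        return f"dopplerSecret:{namespace}:{name}"
    raise ValueError(f"unknown mode: {mode}")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token):
    """Return the payload claims of a compact JWT without verifying it.

    This is only for local inspection of what the operator would present;
    the signature is checked by Doppler against the issuer's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(token, issuer, audience, now=None):
    """Compare a projected ServiceAccount token against the identity settings.

    Returns a list of mismatch descriptions; an empty list means issuer,
    audience, subject and expiry all agree with the configured identity.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != discovery URL {issuer!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        # A token minted for the API server (the default audience) will fail
        # here; the operator needs a token projected for the Doppler audience.
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    if claims.get("sub") != OPERATOR_SUBJECT:
        problems.append(f"sub {claims.get('sub')!r} != {OPERATOR_SUBJECT!r}")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for offline demonstration.

    The signature segment is a placeholder; decode_claims never checks it.
    """
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.placeholder"


if __name__ == "__main__":
    # Constructed issuer URL; use the value returned in Step 1 for a real cluster.
    issuer = "https://oidc.example.invalid/cluster"
    aud = expected_audience("tokenSecret", "doppler-operator-system",
                            "doppler-token-secret")
    token = make_sample_token({"iss": issuer, "aud": [aud],
                               "sub": OPERATOR_SUBJECT,
                               "exp": int(time.time()) + 600})
    print("audience:", aud)
    print("problems:", check_token_claims(token, issuer, aud))
```

To inspect a real projected token, read it from the operator pod (for example the file mounted under /var/run/secrets) and pass it to check_token_claims with the issuer from Step 1 and the audience built for the namespace and name you actually use.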
Step 3: Create the OIDC Configuration Secret
If you're including the identity ID in the DopplerSecret, this step is unnecessary.
Create a Kubernetes secret containing your Doppler identity ID:
kubectl create secret generic doppler-token-secret \
-n doppler-operator-system \
--from-literal=identity=YOUR_IDENTITY_ID

Step 4: Create a DopplerSecret Resource
Create a DopplerSecret that uses OIDC authentication:
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: app-secrets
  namespace: doppler-operator-system
spec:
  tokenSecret:
    name: doppler-token-secret # References the OIDC config secret
  project: example-project
  config: prd
  managedSecret:
    name: app-secrets
    namespace: default # Where your application runs

Alternatively, set the identity ID directly in the spec (no token secret needed):

apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: app-secrets
  namespace: doppler-operator-system
spec:
  identity: 00000000-0000-0000-0000-000000000000 # Your identity ID
  project: example-project
  config: prd
  managedSecret:
    name: app-secrets
    namespace: default # Where your application runs

Apply the configuration:
kubectl apply -f dopplersecret.yaml

Migrating from Service Tokens
To migrate existing DopplerSecrets from service tokens to OIDC:
- Create the OIDC identity (Step 2 above)
- Update your existing token secret to include the identity field:
kubectl patch secret doppler-token-secret \
-n doppler-operator-system \
--type='json' \
-p='[{"op": "remove", "path": "/data/serviceToken"},
{"op": "add", "path": "/data/identity", "value": "'$(echo -n YOUR_IDENTITY_ID | base64)'"}]'

The operator will automatically switch to OIDC authentication on the next reconciliation.
