![Doppler External Secrets Provider](../pictures/doppler-provider-header.jpg) ## Doppler SecretOps Platform Sync secrets from the [Doppler SecretOps Platform](https://www.doppler.com/) to Kubernetes using the External Secrets Operator. ## Authentication Doppler [Service Tokens](https://docs.doppler.com/docs/service-tokens) are recommended as they restrict access to a single config. ![Doppler Service Token](../pictures/doppler-service-tokens.png) > NOTE: Doppler Personal Tokens are also supported but require `project` and `config` to be set on the `SecretStore` or `ClusterSecretStore`. Create the Doppler Token secret by opening the Doppler dashboard and navigating to the desired Project and Config, then create a new Service Token from the **Access** tab: ![Create Doppler Service Token](../pictures/doppler-create-service-token.jpg) Create the Doppler Token Kubernetes secret with your Service Token value: ```sh HISTIGNORE='*kubectl*' kubectl create secret generic \ doppler-token-auth-api \ --from-literal dopplerToken="dp.st.xxxx" ``` Then to create a generic `SecretStore`: ```yaml {% include 'doppler-generic-secret-store.yaml' %} ``` > **NOTE:** In case of a `ClusterSecretStore`, be sure to set `namespace` in `secretRef.dopplerToken`. ## Use Cases The Doppler provider allows for a wide range of use cases: 1. [Fetch](#1-fetch) 2. [Fetch all](#2-fetch-all) 3. [Filter](#3-filter) 4. [JSON secret](#4-json-secret) 5. [Name transformer](#5-name-transformer) 6. [Download](#6-download) Let's explore each use case using a fictional `auth-api` Doppler project. ## 1. Fetch To sync one or more individual secrets: ``` yaml {% include 'doppler-fetch-secret.yaml' %} ``` ![Doppler fetch](../pictures/doppler-fetch.png) ## 2. Fetch all To sync every secret from a config: ``` yaml {% include 'doppler-fetch-all-secrets.yaml' %} ``` ![Doppler fetch all](../pictures/doppler-fetch-all.png) ## 3. Filter To filter secrets by `path` (path prefix), `name` (regular expression) or a combination of both: ``` yaml {% include 'doppler-filtered-secrets.yaml' %} ``` ![Doppler filter](../pictures/doppler-filter.png) ## 4. JSON secret To parse a JSON secret to its key-value pairs: ``` yaml {% include 'doppler-parse-json-secret.yaml' %} ``` ![Doppler JSON Secret](../pictures/doppler-json.png) ## 5. Name transformer Name transformers format keys from Doppler's UPPER_SNAKE_CASE to one of the following alternatives: - upper-camel - camel - lower-snake - tf-var - dotnet-env - lower-kebab Name transformers require a specifically configured `SecretStore`: ```yaml {% include 'doppler-name-transformer-secret-store.yaml' %} ``` Then an `ExternalSecret` referencing the `SecretStore`: ```yaml {% include 'doppler-name-transformer-external-secret.yaml' %} ``` ![Doppler name transformer](../pictures/doppler-name-transformer.png) ### 6. Download A single `DOPPLER_SECRETS_FILE` key is set where the value is the secrets downloaded in one of the following formats: - json - dotnet-json - env - env-no-quotes - yaml Downloading secrets requires a specifically configured `SecretStore`: ```yaml {% include 'doppler-secrets-download-secret-store.yaml' %} ``` Then an `ExternalSecret` referencing the `SecretStore`: ```yaml {% include 'doppler-secrets-download-external-secret.yaml' %} ``` ![Doppler download](../pictures/doppler-download.png)