mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
external-secrets/docs/provider/doppler.md
Joel Watson 6a32b982f0
Add lower-kebab name transformer to Doppler provider (#2418)
Signed-off-by: Joel Watson <joel.watson@doppler.com>
2023-06-15 08:16:21 +02:00


Doppler External Secrets Provider

Doppler SecretOps Platform

Sync secrets from the Doppler SecretOps Platform to Kubernetes using the External Secrets Operator.

Authentication

Doppler Service Tokens are recommended as they restrict access to a single config.


NOTE: Doppler Personal Tokens are also supported but require project and config to be set on the SecretStore or ClusterSecretStore.

Create the Doppler Token secret by opening the Doppler dashboard and navigating to the desired Project and Config, then create a new Service Token from the Access tab:


Create the Doppler Token Kubernetes secret with your Service Token value:

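# bash: set HISTIGNORE in the shell itself; as a prefix on the kubectl
# command it only reaches kubectl's environment and history is still written.
HISTIGNORE='*kubectl*'
kubectl create secret generic \
    doppler-token-auth-api \
    --from-literal dopplerToken="dp.st.xxxx"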

Then create a generic SecretStore:

{% include 'doppler-generic-secret-store.yaml' %}

NOTE: In case of a ClusterSecretStore, be sure to set namespace in secretRef.dopplerToken.
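
As an added illustration of the two notes above (not one of the project's include files): a ClusterSecretStore that sets namespace in secretRef.dopplerToken, with project and config set as a Personal Token requires. The store name, the external-secrets namespace and the dev config name are assumptions; auth-api is the fictional project used on this page.

```yaml
# Added example; names and namespace are assumptions, not project files.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: doppler-auth-api                   # assumed store name
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            name: doppler-token-auth-api   # Secret holding the token
            key: dopplerToken
            # A ClusterSecretStore is cluster-scoped, so name the
            # namespace in which the token Secret was created.
            namespace: external-secrets    # assumed namespace
      # Needed only when dopplerToken holds a Personal Token;
      # a Service Token is already restricted to a single config.
      project: auth-api
      config: dev                          # assumed config name
```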

Use Cases

The Doppler provider allows for a wide range of use cases:

  1. Fetch
  2. Fetch all
  3. Filter
  4. JSON secret
  5. Name transformer
  6. Download

Let's explore each use case using a fictional auth-api Doppler project.

1. Fetch

To sync one or more individual secrets:

{% include 'doppler-fetch-secret.yaml' %}


2. Fetch all

To sync every secret from a config:

{% include 'doppler-fetch-all-secrets.yaml' %}


3. Filter

To filter secrets by path (path prefix), name (regular expression) or a combination of both:

{% include 'doppler-filtered-secrets.yaml' %}


4. JSON secret

To parse a JSON secret to its key-value pairs:

{% include 'doppler-parse-json-secret.yaml' %}


5. Name transformer

Name transformers format keys from Doppler's UPPER_SNAKE_CASE to one of the following alternatives:

  • upper-camel
  • camel
  • lower-snake
  • tf-var
  • dotnet-env
  • lower-kebab

Name transformers require a specifically configured SecretStore:

{% include 'doppler-name-transformer-secret-store.yaml' %}

Then an ExternalSecret referencing the SecretStore:

{% include 'doppler-name-transformer-external-secret.yaml' %}


6. Download

Download sets a single DOPPLER_SECRETS_FILE key whose value is the secrets downloaded in one of the following formats:

  • json
  • dotnet-json
  • env
  • env-no-quotes
  • yaml

Downloading secrets requires a specifically configured SecretStore:

{% include 'doppler-secrets-download-secret-store.yaml' %}

Then an ExternalSecret referencing the SecretStore:

{% include 'doppler-secrets-download-external-secret.yaml' %}
