Can we integrate Kubernetes .jks and .p12 based secrets to Doppler?

I am trying to do the same thing with .jks and .p12 secrets as in: Can we integrate Kubernetes .pem and .yaml based secrets to Doppler?
If I follow the same process which I did for .PEM, the files are not converting to .jks or .p12, since I am placing base64-encoded data but it is not converting to .jks or .p12. Let's say this is my secret.yaml file:


So I copied the .p12 data to Doppler. Ideally, when I install the cert through the YAML file, this is the output I am expecting if I integrate .p12 or .jks files with Doppler:

But it is not converting to .p12; it is simply copying the data from Doppler and placing it in this mount file.
Can you please help me with this?

Hi @naga,

If I’m understanding correctly, you’re wanting to store the .p12 data in Doppler and supply it as a Kubernetes secret so it can be mounted as a file in a container?

If so, the process is something like the following.

Step 1. Base64 encode .p12 file and store in Doppler:

doppler secrets set ELASTIC_CERTS_P12="$(base64 -i elastic-certificates.p12)"

Step 2. Fetch the secret from Doppler to create the Kubernetes secret:

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: elastic-certificates
data:
  elastic-certificates.p12: $(doppler secrets get ELASTIC_CERTS_P12 --plain)
EOF

Step 3. Mount the secret as a file in a container:

apiVersion: v1
kind: Pod
metadata:
  name: p12-certs-test
spec:
  containers:
    - name: p12-certs
      image: ubuntu
      args:
        - sleep
        - '10000'
      volumeMounts:
      - name: certs
        mountPath: /usr/src/app/certs/
      resources:
        limits:
          cpu: 500m
          memory: 256Mi
  volumes:
    - name: certs
      secret:
        secretName: elastic-certificates

The .p12 file will then be mounted in the container at:

/usr/src/app/certs/elastic-certificates.p12

Does that solve the problem you’re facing?

Thank you @ryan-blunden for the quick response, but the issue I am facing is how I can get the data from a .p12 file. I mean, when I open a .p12 file it is in an encrypted form; when I copy the content, add it as a key in Doppler and install it, the pods are not starting, since the data coming from Doppler is not the .p12 data which the containers are expecting. So I am not sure how I can view and copy the .p12 file data and integrate it with Doppler.

Hi @naga,

Is the problem that a container needs to export the .p12 file to PEM format prior to starting?

Is the .p12 file mounted in the container correctly as a binary, or is the problem because it’s still base64 encoded?

Also, are you doing this manually (like in my example) or are you using our Operator?

Is this for an open source application? If so, let me know and I can hopefully put together a working example.

Initially I tried with the operator but it didn't work, so as you suggested above I tried manually, and when I create the secret manually this is the error I am facing:

Error from server (BadRequest): error when creating “xxx.yaml”: Secret in version “v1” cannot be handled as a Secret: v1.Secret.ObjectMeta: v1.ObjectMeta.TypeMeta: Kind: Data: decode base64: illegal base64 data at input byte 0, error found in #10 byte of …| --plain)"},“kind”:"|…, bigger context …|oppler secrets get ELASTIC_CERTS_P12 --plain)"},“kind”:“Secret”,“metadata”:{“name”:"elastic-cert|…

BTW, I stored the encoded .p12 in Doppler.

This is the YAML file I am using:

This is not an open source project.

Hi @naga,

You’re getting that error because Kubernetes is trying to parse the text $(doppler secrets get ELASTIC_CERTS_P12 --plain) as the actual secret value.

My example used a bash command to dynamically create the YAML file which is why it was able to insert the secret value into the YAML.

If you wanted the flow of saving the YAML file, then applying to Kubernetes, it would look like this:

Step 1. Create elastic-certificates.yaml file

cat << EOF > elastic-certificates.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: elastic-certificates
data:
  elastic-certificates.p12: $(doppler secrets get ELASTIC_CERTS_P12 --plain)
EOF

Step 2. Apply in Kubernetes

kubectl apply -f elastic-certificates.yaml

If you go this route, ensure your script also removes the created secrets YAML file.

Thank you very much @ryan-blunden, it's working now. Can we achieve the same thing with the operator?

Hi @naga,

I’ve added an engineering task to the backlog for how we can potentially support already base64 encoded secrets for the Operator and will reach out once I know more.

Thank you @ryan-blunden for the update

Hi @naga,

I’m excited to let you know that we just shipped a new version of the operator that has a processor for Base64: Release v1.1.0 · DopplerHQ/kubernetes-operator · GitHub

The Base64 processor can be used to load your Base64-formatted Doppler secrets as a binary value into your managed Kubernetes secret. You can read more on how to use this here: kubernetes-operator/processors.md at main · DopplerHQ/kubernetes-operator · GitHub

Hi @naga,

I just published a tutorial for using the Kubernetes Operator to sync PKCS12 secrets.

This uses the processors feature of the Kubernetes Operator to avoid double base64-encoding the certificate.

Would love to get your feedback!
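As an added example (not code from the thread or from Doppler), here is a pre-flight check for the value that goes into the Secret's data: field in the manual flow above. It catches the two failure modes seen in this thread: an unexpanded "$(doppler secrets get ...)" string (the BadRequest error) and a .p12 that was base64-encoded twice (what the operator's Base64 processor is there to avoid), and it strips the line wrapping GNU base64 adds. It assumes POSIX sh with base64 -d, od and tr; the sample bytes are constructed, not a real certificate.

```shell
#!/bin/sh
# Added example: validate a base64 value before it is written into a Secret.
# Assumes GNU/BSD `base64 -d`, `od` and `tr` are available.

# Kubernetes `data:` values must be a single line; GNU base64 wraps at 76 chars.
flatten_b64() { printf '%s' "$1" | tr -d '\n\r '; }

# Hex of the first decoded byte, or empty output if the input is not valid base64.
first_byte_hex() {
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 0
  printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n'
}

# Prints one of: der | double | invalid | unknown (always exits 0).
# A PKCS12 file is DER, so its first byte is 0x30 (ASN.1 SEQUENCE).
p12_b64_kind() {
  b64=$(flatten_b64 "$1")
  first=$(first_byte_hex "$b64")
  if [ -z "$first" ]; then
    echo invalid            # e.g. a literal "$(doppler secrets get ...)" string
  elif [ "$first" = "30" ]; then
    echo der                # single-encoded binary, what the Secret needs
  else
    # Decoded to text; if that text is itself base64 of DER, it was encoded twice.
    inner=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tr -d '\n\r ')
    if [ "$(first_byte_hex "$inner")" = "30" ]; then echo double; else echo unknown; fi
  fi
  return 0
}

# Emits the Secret manifest from the thread only when the value is single-encoded DER.
# $1 = secret name, $2 = base64 value (e.g. output of `doppler secrets get ... --plain`).
render_secret() {
  kind=$(p12_b64_kind "$2")
  [ "$kind" = "der" ] || { echo "refusing to render Secret: value is $kind" >&2; return 1; }
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\ndata:\n  %s: %s\n' \
    "$1" "elastic-certificates.p12" "$(flatten_b64 "$2")"
}

# Constructed sample: a 5-byte DER SEQUENCE standing in for a real .p12 file.
SAMPLE_DER_B64=$(printf '\060\003\002\001\005' | base64 | tr -d '\n')
# The same value base64-encoded a second time (the double-encoding mistake).
SAMPLE_DOUBLE_B64=$(printf '%s' "$SAMPLE_DER_B64" | base64 | tr -d '\n')
```

In the real flow, pipe `doppler secrets get ELASTIC_CERTS_P12 --plain` into `p12_b64_kind` before running `render_secret ... | kubectl apply -f -`.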
