How can we integrate regular kubernetes .pem and .yaml file-based secrets to doppler format. How are we handling volume mounts and subpaths
Hi @naga and welcome to the Doppler community!
I’m putting together a response for you as we don’t have exact documentation for what you’re asking.
Back soon!
Hey @naga,
This stuff can be tricky and Kubernetes is so flexible that I’ve included a lot of detail and options for you below. Please let me know which of the following is the best solution for you and I’ll make sure we update our docs to be more comprehensive.
NOTE: The following code samples require bash as they use process substitution which allows stdout to be captured and fed into a file descriptor.
Let me know if that’s not the shell you’re using.
PEM Files
When you say “regular Kubernetes .pem”, are you referring to a TLS secret, or just a secret containing a certificate or key?
Presuming you have two separate secrets storing the certificate and key (CERT_PEM and KEY_PEM in this example), you could create a TLS secret with:
kubectl create secret tls doppler-test --cert <(doppler secrets get CERT_PEM --plain) --key <(doppler secrets get KEY_PEM --plain)
Or if you wanted to create a secret using a single PEM file, just use a regular secret:
kubectl create secret generic doppler-secrets-pem-file --from-file <(doppler secrets get CERT_PEM --plain)
Are you sure you need a secrets manifest file?
Doppler eliminates the need for secret manifest files in most cases as you can simply feed in secret values directly to the kubectl create secret command. Here are some examples.
YAML
kubectl create secret generic doppler-secrets-yaml-file --from-file=<(doppler secrets download --no-file --format yaml) # YAML
JSON format
kubectl create secret generic doppler-secrets-json-file --from-file=<(doppler secrets download --no-file --format json) # JSON
.env file
kubectl create secret generic doppler-secrets-env-file --from-file=<(doppler secrets download --no-file --format env)
Or creating a secret with key=value pairs:
kubectl create secret generic doppler-secrets-key-val --from-env-file <(doppler secrets download --no-file --format docker)
If you definitely want a manifest file
If you’re still needing to use a manifest, I’d recommend using a kustomize generator which could be used like the following:
# Dynamically created for the sake of this example but this file would normally be added to source control
cat <<EOF >./kustomization.yaml
secretGenerator:
- name: doppler-secret-kustomize
files:
- secrets.json
generatorOptions:
disableNameSuffixHash: true
EOF
# Generate secret manifest
doppler secrets download --no-file --format json > secrets.json
kubectl kustomize ./ > secret.yaml
# Create secret
kubectl apply -f secret.yaml
# Clean up
rm -f secrets.json secret.yaml
Volume mounts
Doppler simply aids in the creation of Kubernetes secrets so volume mounts are done in the usual way.
For example, extending the example above that uses kustomize, here is how you could mount the contents of the secrets.json file in the container:
apiVersion: v1
kind: Pod
metadata:
name: doppler-secret-mount
spec:
restartPolicy: Never
containers:
- name: doppler-secret-mount
image: alpine
# Cat the file for testing purposes only!
args: ["cat", "/usr/src/app/.secrets.json"]
volumeMounts:
- name: secret-volume
readOnly: true
mountPath: /usr/src/app/
volumes:
- name: secret-volume
secret:
secretName: doppler-secret-kustomize
items:
- key: secrets.json
path: .secrets.json
1 Like
Thank you ryan for the details, i am trying to create a secret using the command you provided but it is not working
create a secret using a single PEM file, just use a regular secret:
kubectl create secret generic doppler-secrets-pem-file <(doppler secrets get CERT_PEM --plain)
here is the command and error i am facing
kubectl create secret generic doppler-secrets-pem-file <(doppler secrets get IBM_MONGO_CERT --plain)
error: exactly one NAME is required, got 2
i tried with this command and it got worked
kubectl create secret generic doppler-secrets-pem-file --from-literal ibmcert="$(doppler secrets get IBM_MONGO_CERT --plain)"
but my question is if i update the name value for IBM_MONGO_CERT in Doppler does the change happens ?
i updated the value for this secret name in doppler but it is not reflecting in secret i created.
am i missing something ?
how the sync happens after i create a secret ?
Hi @naga,
here is the command and error i am facing
My original command was missing the --from-file option so the correct command would be:
kubectl create secret generic doppler-secrets-pem-file --from-file <(doppler secrets get IBM_MONGO_CERT --plain)
but my question is if i update the name value for IBM_MONGO_CERT in Doppler does the change happens ?
No, as Kubernetes isn’t aware of where the value for the created secret came from. If you wanted to update the Kubernetes secret to pull in the new value from Doppler manually, you’d use something like this (ignoring the warning):
kubectl create secret generic doppler-secrets-pem-file \
--save-config --dry-run=client \
--from-file <(doppler secrets get IBM_MONGO_CERT --plain) \
-o yaml |
kubectl apply -f -
This is a bit of a hacky solution to work around editing a secret using the interactive kubectl edit secret command.
But…
if you wanted to automate this, we’ve released a preview version of our Kubernetes Operator that is specifically designed to keep Doppler and Kubernetes secrets in sync, as well as optionally automatically redeploying your application if secrets it depends on change.
I would love for you to give this a try and let me know any feedback you have.
Thank you very much @ryan-blunden for the quick response let me check the preview version for kubernetes operator
1 Like
Thank you @ryan-blunden i tested GitHub - DopplerHQ/kubernetes-operator and really it worked very well for my use case i just want to check with you like is there any specific date for GA for this ?
That’s excellent @naga and thanks for testing it out!
We’re looking to release at some point in Q3 once we’ve had sufficient testing from customers and addressed feedback blocking it from being used in production.
If you have any suggested improvements, please create an issue on the Kubernetes Operator repository.
