Can we integrate Kubernetes .pem and .yaml based secrets into Doppler?

How can we integrate regular Kubernetes .pem and .yaml file-based secrets into Doppler format? How are we handling volume mounts and subpaths?

Hi @naga and welcome to the Doppler community!

I’m putting together a response for you as we don’t have exact documentation for what you’re asking.

Back soon!

Hey @naga,

This stuff can be tricky and Kubernetes is so flexible that I’ve included a lot of detail and options for you below. Please let me know which of the following is the best solution for you and I’ll make sure we update our docs to be more comprehensive.

NOTE: The following code samples require bash, as they use process substitution, which allows stdout to be captured and fed into a file descriptor.

Let me know if that’s not the shell you’re using.


PEM Files

When you say “regular Kubernetes .pem”, are you referring to a TLS secret, or just a secret containing a certificate or key?

Presuming you have two separate secrets storing the certificate and key (CERT_PEM and KEY_PEM in this example), you could create a TLS secret with:

kubectl create secret tls doppler-test --cert <(doppler secrets get CERT_PEM --plain) --key <(doppler secrets get KEY_PEM --plain)

Or if you wanted to create a secret using a single PEM file, just use a regular secret (the --from-file flag is required, and naming the key explicitly avoids kubectl deriving it from the /dev/fd/NN path of the process substitution):

kubectl create secret generic doppler-secrets-pem-file --from-file=cert.pem=<(doppler secrets get CERT_PEM --plain)

Are you sure you need a secrets manifest file?

Doppler eliminates the need for secret manifest files in most cases, as you can simply feed secret values directly into the kubectl create secret command. Here are some examples (each one names the key explicitly, since with process substitution kubectl would otherwise use the file descriptor number as the key name).

YAML format

kubectl create secret generic doppler-secrets-yaml-file --from-file=secrets.yaml=<(doppler secrets download --no-file --format yaml)

JSON format

kubectl create secret generic doppler-secrets-json-file --from-file=secrets.json=<(doppler secrets download --no-file --format json)

.env file format

kubectl create secret generic doppler-secrets-env-file --from-file=.env=<(doppler secrets download --no-file --format env)

Or creating a secret with key=value pairs:

kubectl create secret generic doppler-secrets-key-val --from-env-file=<(doppler secrets download --no-file --format docker)

If you definitely want a manifest file

If you still need to use a manifest, I’d recommend using a kustomize generator, which could be used like the following:

# Dynamically created for the sake of this example but this file would normally be added to source control
cat <<EOF >./kustomization.yaml
secretGenerator:
- name: doppler-secret-kustomize
  files:
  - secrets.json
generatorOptions:
  disableNameSuffixHash: true
EOF

# Generate secret manifest
doppler secrets download --no-file --format json > secrets.json
kubectl kustomize ./ > secret.yaml

# Create secret
kubectl apply -f secret.yaml

# Clean up
rm -f secrets.json secret.yaml

Volume mounts

Doppler simply aids in the creation of Kubernetes secrets, so volume mounts are done in the usual way.

For example, extending the example above that uses kustomize, here is how you could mount the contents of the secrets.json file in the container:

apiVersion: v1
kind: Pod
metadata:
  name: doppler-secret-mount
spec:
  restartPolicy: Never
  containers:
    - name: doppler-secret-mount
      image: alpine
      # Cat the file for testing purposes only!
      args: ["cat", "/usr/src/app/.secrets.json"]
      volumeMounts:
        - name: secret-volume
          readOnly: true
          mountPath: /usr/src/app/
  volumes:
    - name: secret-volume
      secret:
        secretName: doppler-secret-kustomize
        items:
          - key: secrets.json
            path: .secrets.json
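The manifest route above depends on kustomize. As an added example (not part of the Doppler post and not Doppler or kubectl code), the script below renders the same kind of Secret manifest in plain shell: one function base64-encodes a whole file under a fixed key (the shape the volume mount above expects), and one turns the KEY=VALUE lines that `doppler secrets download --format docker` produces into a `stringData` block. The input files are constructed inline with dummy values; in practice you would write them with the `doppler secrets download` commands shown earlier. The function names and the sample file contents are this example's own.

```shell
#!/usr/bin/env bash
# Added example: build Kubernetes Secret manifests from a secrets file without
# kustomize, with a fixed key name instead of one derived from a /dev/fd path.
set -eu

# b64 FILE: base64 on a single line. GNU base64 wraps at 76 columns and BSD
# base64 does not, so strip newlines explicitly to get the same output on both.
b64() { base64 < "$1" | tr -d '\n'; }

# render_file_secret NAME KEY FILE
# Emit a v1 Secret whose .data.<KEY> holds the base64-encoded FILE contents.
render_file_secret() {
  name="$1"; key="$2"; file="$3"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$(b64 "$file")"
}

# render_env_secret NAME FILE
# Emit a v1 Secret with one stringData entry per KEY=VALUE line (the format
# `doppler secrets download --format docker` produces). Blank lines and lines
# starting with '#' are skipped; only the first '=' separates key from value.
render_env_secret() {
  name="$1"; file="$2"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n' "$name"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    value="${line#*=}"
    # Double-quote the value so YAML does not reinterpret ':' or '#' inside it.
    value=$(printf '%s' "$value" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '  %s: "%s"\n' "$key" "$value"
  done < "$file"
}

# decode_data_key MANIFEST KEY
# Read .data.<KEY> back out of a rendered manifest and decode it, so the
# round trip can be checked before the manifest is applied.
decode_data_key() {
  manifest="$1"; key="$2"
  grep -E "^  ${key}: " "$manifest" | sed -E "s/^  ${key}: //" | base64 -d
}

# Demo on constructed input (dummy values, not real secrets).
demo() {
  dir="$(mktemp -d)"
  printf '{"DB_URL":"postgres://db:5432/app","TOKEN":"t0ken"}\n' > "$dir/secrets.json"
  printf 'DB_URL=postgres://db:5432/app\nTOKEN=t0ken\n' > "$dir/secrets.env"
  render_file_secret doppler-secret-json secrets.json "$dir/secrets.json" > "$dir/secret-json.yaml"
  render_env_secret doppler-secret-env "$dir/secrets.env" > "$dir/secret-env.yaml"
  cat "$dir/secret-json.yaml" "$dir/secret-env.yaml"
  # The decoded data must match the original file byte for byte.
  decode_data_key "$dir/secret-json.yaml" secrets.json | cmp - "$dir/secrets.json"
  rm -rf "$dir"
}

demo
```

Pipe the rendered manifest into `kubectl apply -f -` rather than writing it to disk, and you keep the secret material out of the working tree entirely; the Pod spec above mounts it unchanged, since the key inside the Secret is still `secrets.json`.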