Does doppler support the secret of type kubernetes.io/tls?

Hi all,

We are looking for a solution for Kubernetes TLS secrets with auto-sync using the Doppler Operator. This link kubernetes.io/tls does not help, as the managed secret is of type Opaque and there is no way to have keys like tls.cert and tls.key.
This makes the update of the TLS cert manual. Is there any plan to support this?

Best regards,

Hi Rahul,

Welcome to the Doppler Community!

Doppler definitely supports Kubernetes TLS secrets via the Doppler Operator! What you’re looking for here are Processors. That will allow you to specify whether the secret is already base64 encoded or in plain text, which should let you use PKCS12 certificates without issue. We have a guide showing how to do that here:

Give those a look and let me know if they’re what you were after!

Thanks,
-Joel

Hi again!

Actually, I just realized that wasn’t specifically what you’re after (although it should still let you sync certificates via the Operator, it won’t do so as a kubernetes.io/tls secret). You CAN use Doppler to create those, but I believe it’s only supported when done manually as shown here:

I’ll do some more investigating to see if there’s a way to get the Operator to create TLS secrets and will get back to you!

-Joel

After looking into this quickly, it doesn’t appear as though the Operator has any special handling available for TLS certificates. That said, the kubernetes.io/tls secret type is just a convenience shortcut that creates an Opaque secret with a tls.cert and tls.key entry. There’s no functional difference between using one of those and having an Opaque secret containing the values directly, as would happen when using the Operator (with the base64 processor if you’re using a certificate in PKCS12 format).

-Joel

Hello,

Thanks for answering. I would still not be able to have the keys as tls.cert and tls.key in Doppler; it would not allow me to. So, even for an Opaque secret, it may not be useful for me if I am looking for a secret with the keys tls.cert and tls.key.
This leaves me with the manual process of updating the secret every time it changes in Doppler. I may not have the auto-sync facility using the Operator, as the keys are of different formats.
I would love to see support for this TLS feature in Doppler. It would ease my TLS secret updates across multiple environments.

Let’s say we could create the keys as TLS_CERT and TLS_KEY (or any custom name adhering to your secret naming convention) in the Doppler project. The DopplerSecret would have a mapping section in the “managedSecret” part along with the secret output type. The mapping would contain the source key and destination key (TLS_CERT to tls.cert, sort of) and the secret output type as “kubernetes.io/tls”, or Opaque as the default.
This would make TLS management across environments so much easier with the yearly update of SSL certs.

Regards,
Rahul

Hi @rahul_mohan!

Sorry for the long delay getting back to you! I missed your post in my notifications somehow.

Yeah, I see where you’re coming from. We’ve discussed the idea of adding the capability of renaming secrets during syncs in a way that would let you accomplish what you’re after. Right now, I’m afraid adding it isn’t really on our roadmap, so I can’t say when that kind of functionality might make it into Doppler.

For now, your only real options are to either update your tooling to look for TLS_CERT and TLS_KEY entries in the secret or manually update, as you mentioned. Sorry that we don’t have something better for you right now!

Thanks,
-Joel


Hi @rahul_mohan,

Hope the yearly updating of your TLS certs went well!

I wanted to ask, how important is it that the secret created would be of type kubernetes.io/tls, as opposed to being an Opaque secret with the tls.cert and tls.key keys?

And when it comes to managing the TLS certificate and key in Doppler, are they in their own isolated project or environment or stored alongside an application’s secrets?

Hi @rahul_mohan,

I wanted to post an update here noting that we’ve added support for kubernetes.io/tls secret types! You can get this in v1.4.0 of our operator (you’ll need to be sure you update the CRD as well since the Helm update won’t do that automatically). More information about how this works is available here:

Let me know if you have any questions!

Regards,
-Joel
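As an added illustration, not from this thread or from Doppler's own documentation, here is a DopplerSecret manifest of the shape the feature announced above implies: the managed secret is given type kubernetes.io/tls and the Doppler keys are renamed on the way in. The field names `managedSecret.type` and `processors.<KEY>.asName` are assumed from the operator's documentation; the project, config, namespace and token-secret names are placeholders. Note that Kubernetes itself requires the keys to be named `tls.crt` and `tls.key` (not `tls.cert`) for a kubernetes.io/tls secret to validate.

```yaml
# Added example (assumed CRD fields, placeholder names); requires operator v1.4.0+
# and the updated CRD, as noted in the thread.
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: example-tls-sync            # placeholder
  namespace: doppler-operator-system
spec:
  tokenSecret:
    name: doppler-token-secret      # placeholder: Secret holding a Doppler service token
  project: example-project          # placeholder
  config: prd                       # placeholder
  managedSecret:
    name: example-ingress-tls       # placeholder: the Secret your Ingress references
    namespace: default
    type: kubernetes.io/tls         # assumed field: emit a TLS-typed Secret, not Opaque
  processors:
    # Doppler secret names follow the usual UPPER_CASE convention; asName
    # (assumed field) rewrites them to the key names Kubernetes expects.
    TLS_CERT:
      type: plain                   # value stored as PEM text in Doppler
      asName: tls.crt
    TLS_KEY:
      type: plain
      asName: tls.key
# Verify after sync (the 'type' must be kubernetes.io/tls and both keys present):
#   kubectl -n default get secret example-ingress-tls -o jsonpath='{.type}{"\n"}{.data}' \
#     | sed 's/"tls\.[a-z]*":"[^"]*"/&/g'
# Kubernetes rejects a kubernetes.io/tls Secret that is missing either key, so a
# failed sync surfaces as a missing or stale Secret rather than a malformed one.
```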