External Secrets PushSecret push whole secret?

I’m trying to push a complete secret (i.e. all keys) to a JSON string in a single Doppler property. However, try as I might, I cannot get it to work: the PushSecret reports the secret being synchronized successfully, but on the Doppler side all I see is an empty value.

Here is the PushSecret I am using for this. The sensor-tls secret does exist and has keys like ca.pem, sensor-cert.pem and sensor-key.pem. I can tell the PushSecret is doing something since it wipes the existing content, but I’m not getting any keys and data showing up, just an empty value.

```yaml
kind: PushSecret
metadata:
  name: sensor-tls
  namespace: stackrox
spec:
  refreshInterval: 10s
  secretStoreRefs:
    - name: doppler-push-secret
      kind: ClusterSecretStore
  selector:
    secret:
      name: sensor-tls
      namespace: stackrox
  data:
    - match:
        remoteRef:
          remoteKey: ACS_SENSOR_TLS
```

Hi @gnunn!

Welcome to the Doppler Community!

Our Doppler External Secrets provider doesn’t implement what’s required for PushSecrets to work, which is likely why you’re seeing what you’re seeing. The External Secrets Operator is probably making the calls it would typically to the provider and those are resulting in no-ops because it’s not implemented. Currently, we only support one-way syncs to external third parties in our integrations. We might add support for more in the future, but for now, I’m afraid this won’t be possible via the operator.

Regards,
-Joel

It does work for single values, though. It looks like it doesn’t support the “property” value to create nested secrets (i.e. a JSON block with various keys), which is super convenient when dealing with certs.

Appreciate the quick reply, I’ll look at what my options are with single properties or other providers.

Interesting. They must have a generic implementation that is partly compatible with our API. I looked at the AWS Parameter Store provider and it appeared to have a specific PushSecret function implemented that ours does not. Definitely get your use case here though! I’ve passed this along to our engineering and product teams for consideration!

Regards,
-Joel
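
Since the PushSecret in the question reports a successful sync while the stored value is empty, a read-back comparison is a more reliable check than the sync status. The sketch below is an added example, not part of the original thread and not External Secrets or Doppler code: it builds the single JSON string the question is aiming for from a Secret's `data` map and lists the keys missing from whatever was read back. The function names, the `base64:` prefix for non-text values and the sample Secret are assumptions constructed for illustration.

```python
import base64
import json

REMOTE_KEY = "ACS_SENSOR_TLS"  # remoteKey from the PushSecret in the question


def bundle_secret(secret: dict) -> str:
    """Decode a Secret's base64 `data` map and serialize every key as one JSON string."""
    bundle = {}
    for key, b64 in secret.get("data", {}).items():
        raw = base64.b64decode(b64, validate=True)
        try:
            bundle[key] = raw.decode("utf-8")  # PEM material is plain text
        except UnicodeDecodeError:
            bundle[key] = "base64:" + b64      # assumption: marker for binary values
    return json.dumps(bundle, sort_keys=True)


def missing_keys(secret: dict, remote_value: str) -> list:
    """Return Secret keys that are absent from, or differ in, the value read back."""
    expected = json.loads(bundle_secret(secret))
    try:
        actual = json.loads(remote_value) if remote_value.strip() else {}
    except json.JSONDecodeError:
        actual = {}
    if not isinstance(actual, dict):           # e.g. a bare string or list was stored
        actual = {}
    return [k for k in sorted(expected) if actual.get(k) != expected[k]]


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample shaped like `kubectl get secret sensor-tls -o json`;
# the values are placeholders, not real certificate or key material.
SAMPLE_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "sensor-tls", "namespace": "stackrox"},
    "data": {
        "ca.pem": _b64("constructed CA placeholder"),
        "sensor-cert.pem": _b64("constructed cert placeholder"),
        "sensor-key.pem": _b64("constructed key placeholder"),
    },
}

if __name__ == "__main__":
    # An empty remote value, as described in the question, flags every key.
    print(REMOTE_KEY, "missing:", missing_keys(SAMPLE_SECRET, ""))
    print(REMOTE_KEY, "missing:", missing_keys(SAMPLE_SECRET, bundle_secret(SAMPLE_SECRET)))
```

The bundled string contains the private key, so compare it in memory and keep it out of logs and CI output.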