GitOps, K8s, Doppler & Disaster recovery

Hello there,

Open discussion about how Doppler could fit and improve my existing setup.

Currently, 1 Kubernetes cluster has between 10 and 15 micro-services (1 per namespace).
In the cluster, Sealed secret operator is installed. Each project deployment has secrets encrypted using the SealedSecret key. Updating a secret means using the key, creating a secret, converting it to a SealedSecret CRD, deleting the original secret etc. Quite long and annoying to update values for anyone.

Now, Doppler could be useful because any devs/ops would just have to update the value in to see it reflects on the application running (instead of encrypting it manually, commit and pushing to a repo).

With doppler, it requires a token scoped to a project/env to then create K8s secrets with the correct values.
How can I automatize these secrets creation? To avoid running doppler setup choosing the right project/env, and then running kubectl create secret generic doppler-token-secret --namespace doppler-operator-system --from-literal=serviceToken=$(doppler configs tokens create doppler-kubernetes-operator --plain) for each micro-service.
I am starting to think about keeping SealedSecret to encrypt the doppler auth tokens… But it seems counter-productive.

I am looking for the closest possible to IaC workflow, in order to automatise cluster creation, moving an app to a different cluster or recreating as fast as possible a cluster in case of disaster.

Let me know what you think about it,

Hi @Francois,

Welcome to the Doppler Community!

You can pass in --project and --config to the command you’re using there to generate the token like this:

kubectl create secret generic doppler-token-secret-service-foo --namespace 
doppler-operator-system --from-literal=serviceToken=$(doppler configs 
tokens create --project foo --config prd doppler-kubernetes-operator --plain)

That would let you generate the tokens you need. If you happen to be using Terraform, then you can use this resource to generate service tokens as well.

Does that help? Let me know if you have any other questions!


Hello @watsonian,
Thanks for your answer!

That’s nice, so I can automate it a bit more :smiley:

When is it best to generate such token when you deploy a new project?

Before the deployment in a pipeline you make sure the secret exists, otherwise, generate it?

And how can it be integrated into a GitOps workflow? With ArgoCD or FluxCD?

Hope it is not too many questions haha ^^


Hi @Francois,

Honestly, that depends a lot on your particular setup and workflow. If you manage things through Terraform, then that’s an obvious place where you can generate tokens (and it will take care of generating if the token doesn’t exist already). If you’re not using Terraform, then you could certainly automate it through some kind of CI/CD workflow that reads some kind document (e.g., JSON/YAML) that describes your Doppler environment and then updates Doppler accordingly via the API (or by running Terraform, for example).

If you aren’t already, I’d probably recommend using Terraform for this since it’s designed to do pretty much exactly what you’re looking for. You can either automate runs in a CI/CD system or use their Terraform Cloud service.

Does that help at all?

It helps a lot! Thanks for your comments :slight_smile: