How to manage Docker imagePullSecrets from Doppler

Hi,

I am trying to see if I can store my Docker registry secrets in Doppler and pull them from there. Here is what I am looking for:

There is a Docker secret which I included in the Helm chart as a secret.yaml file; it contains base64-encoded Artifactory credentials used to pull images from a private registry during helm install. Currently, if the credentials are updated, I need to get the new credentials, base64-encode them and update each and every secret.yaml file.

Is there any way I can manage and update this secret from Doppler?

Here is my secret.yaml file which I included in the Helm chart. I am trying to manage this secret from Doppler; can you please help me with how I can do it?

secret.yaml (attached as an image)

Hi @naga,

You could use envsubst (part of the gettext package), which takes a file as input and replaces any matching environment variables inside the file.

Here is an example of how you could achieve what you’re after in a single command, including base64 encoding the secret value from Doppler and creating the secret in Kubernetes without the secret value ever touching the file system.

Your template would be largely the same, but it now has an environment variable placeholder:

apiVersion: v1
data:
    .dockerconfigjson: $ARTIFACTORY_CREDENTIALS_BASE64
kind: Secret
metadata:
  creationTimestamp: null
  name: test-api-docker-secret
type: kubernetes.io/dockerconfigjson

Then, to render the YAML with the environment variable substituted and feed it to kubectl:

# tr strips the line wrapping GNU base64 adds after 76 characters, which would otherwise split the value across YAML lines
ARTIFACTORY_CREDENTIALS_BASE64=$(doppler secrets get ARTIFACTORY_CREDENTIALS --plain | base64 | tr -d '\n') \
envsubst < secret.yaml | kubectl apply -f -

NOTE: You may need to install gettext on the machine you're running this on.

Let me know how this works out for you.
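As an added example (not code from the original thread or from Doppler), the same idea carried a step further: build the .dockerconfigjson document from a registry username and password held in Doppler, base64-encode it without line wrapping, and render the Secret manifest in memory so the credential never touches disk. The Doppler secret names ARTIFACTORY_USERNAME and ARTIFACTORY_PASSWORD, the registry host artifactory.example.com and the Secret name are assumptions for illustration; the sample credentials at the bottom are constructed so the script can be dry-run locally without Doppler or a cluster.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread. Assumed Doppler secret names:
# ARTIFACTORY_USERNAME / ARTIFACTORY_PASSWORD (hypothetical); registry host and
# Secret name are illustrative.

# Base64 with no line wrapping. GNU base64 wraps at 76 characters by default,
# which would split a dockerconfigjson value across YAML lines and break the
# manifest; macOS base64 does not wrap. Stripping newlines is portable to both.
b64() {
    base64 | tr -d '\n'
}

# Build the .dockerconfigjson document kubelet expects for an imagePullSecret.
# printf (not echo) so no trailing newline sneaks into the "user:pass" pair.
# Note: values are not JSON-escaped; a quote or backslash in them needs a real
# JSON encoder.
docker_config_json() {
    registry="$1"; user="$2"; pass="$3"
    auth="$(printf '%s:%s' "$user" "$pass" | b64)"
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$registry" "$user" "$pass" "$auth"
}

# Render the Secret manifest with the value already base64-encoded, so the
# template on disk never contains plaintext credentials.
render_secret_manifest() {
    name="$1"; namespace="$2"; config_json="$3"
    encoded="$(printf '%s' "$config_json" | b64)"
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${encoded}
EOF
}

# Decode the data field of a rendered manifest (reads the manifest on stdin),
# useful for checking that the value round-trips before applying it.
decode_dockerconfigjson() {
    sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}

# Wiring to Doppler and kubectl; defined but not called in this dry run.
# Pulls both fields with the Doppler CLI and pipes the manifest straight
# into kubectl, so nothing is written to the file system.
sync_from_doppler() {
    user="$(doppler secrets get ARTIFACTORY_USERNAME --plain)"
    pass="$(doppler secrets get ARTIFACTORY_PASSWORD --plain)"
    render_secret_manifest test-api-docker-secret default \
        "$(docker_config_json artifactory.example.com "$user" "$pass")" \
        | kubectl apply -f -
}

# Constructed sample credentials for a local dry run (not real).
SAMPLE_JSON="$(docker_config_json artifactory.example.com ci-user 's3cr3t-p@ss')"
render_secret_manifest test-api-docker-secret default "$SAMPLE_JSON"
```

Run it as-is to see the rendered manifest with the constructed credentials; replace the final two lines with a call to sync_from_doppler once the Doppler CLI is authenticated against the right project and config. Keeping the Doppler token and the rendered manifest out of files also keeps them out of shell history and CI artifacts, which is the point of the pipe-to-kubectl design.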

Thank you @ryan-blunden, the approach you suggested is working fine, but sync is not happening. Let's say I update the secret in Doppler: the sync does not happen automatically, and I need to run this command every time to get the updated value.

ARTIFACTORY_CREDENTIALS_BASE64=$(doppler secrets get ARTIFACTORY_CREDENTIALS --plain | base64 | tr -d '\n') \
envsubst < secret.yaml | kubectl apply -f -

Last time, for another request, you suggested I use GitHub - DopplerHQ/kubernetes-operator for sync, so I am currently using this as well.

Hi @naga,

Our Kubernetes operator only supports the 'Opaque' secret type at the moment, but I'll speak to engineering about how we could look at supporting the other secret types.

How often do you expect your Artifactory credentials to change?

You could set up a crude sync in the meantime by using something like a scheduled GitHub Action that recreates the secret every 5 minutes, for example.

Would that satisfy your requirements for now?

Thank you @ryan-blunden. We don't change Docker secrets often, but if you include this feature in upcoming releases, that would be very helpful.

Hi @naga,

As an experiment, I’ve created an implementation that uses a Kubernetes CronJob to perform automated syncing of the Doppler secret containing Docker registry credentials to a Kubernetes cluster.

The repo is at https://github.com/DopplerHQ/kubernetes-docker-creds-sync

I'd be really interested if you could give this a try, as it could be a good interim solution until official support lands in our Kubernetes Operator.

Hi :wave:

Not sure if this is the right place to post, but it would be awesome if Doppler could handle other secret types in Kubernetes :slight_smile: such as kubernetes.io/dockerconfigjson.

Is there maybe a roadmap? :slight_smile:

Hi @Francois,

It isn't yet possible, but we're looking to add support for different secret types in the future.

I’ll be sure to reach out when using a dockerconfigjson secret becomes possible.

Is this feature implemented?


This would be a very valuable feature and allow organizations to rotate keys much more frequently.