K8S - Service token management

In Doppler we’ve set up a project per application. All projects need to be synced to our k8s cluster. Since service tokens are scoped to a single config, we have a lot of service tokens to deal with. I’m wondering if there are some best practices in pulling in these configs.

Current design

We have a project in Doppler named “k8s” where per stage (dev, stg, prd) we store the service tokens for each Doppler config with a DST_ prefix per key, like so:

# staging
DST_APP_1: dp.st.stg.xxxxxxxxxxxxxxxxxx
DST_APP_2: dp.st.stg.yyyyyyyyyyyyyyyyyy
DST_APP_3: dp.st.stg.zzzzzzzzzzzzzzzzzz

Kubernetes fetches these keys through an ExternalSecret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: doppler-service-tokens
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api

  target:
    name: doppler-service-tokens

  dataFrom:
    - find:
        path: DST_

Each app will need its own ExternalSecret and SecretStore which will grab the correct service token:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: "app1-secret-store"
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            namespace: default
            name: doppler-service-tokens
            key: "DST_APP_1"

To be honest, I would prefer to have just one service token which the cluster could use to pull secrets from Doppler, as our current approach will probably lead to an explosion of service tokens which becomes tedious to manage. I could perhaps use a personal access token, but then I would still need to create a SecretStore per application.

How are others doing this?
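The design above still leaves one ClusterSecretStore and one ExternalSecret per DST_ key to write by hand, and nothing checks that the token stored under DST_APP_N actually belongs to the stage the cluster is running. The script below is an added example, not code from the post or from Doppler: it takes the aggregated token map, validates each value, and generates the per-app manifest pairs. Assumptions it makes: the token shape is generalised from the `dp.st.stg.xxx` values shown in the post (`dp.st.<config>.<random>`), the app name is derived from the key (`DST_APP_1` becomes `app-1`), each app lives in a namespace of the same name, and the `find` selector in the generated ExternalSecret should be checked against your External Secrets Operator version. The sample token map is constructed, with one token deliberately pointing at the wrong config so the check has something to report.

```python
import json
import re

# Constructed sample input: the contents of the aggregated
# `doppler-service-tokens` Secret after the first ExternalSecret has synced
# the DST_* keys for the staging config. The third token is deliberately a
# production token so the stage check below has something to catch.
SAMPLE_TOKENS = {
    "DST_APP_1": "dp.st.stg.xxxxxxxxxxxxxxxxxx",
    "DST_APP_2": "dp.st.stg.yyyyyyyyyyyyyyyyyy",
    "DST_APP_3": "dp.st.prd.zzzzzzzzzzzzzzzzzz",
}

# Assumed token shape, generalised from the `dp.st.stg.xxx` values in the
# post: "dp.st.<config>.<random>". Adjust if your tokens differ.
TOKEN_RE = re.compile(r"^dp\.st\.(?P<config>[A-Za-z0-9_-]+)\.[A-Za-z0-9]+$")
KEY_PREFIX = "DST_"


def app_name_from_key(key: str) -> str:
    """DST_APP_1 -> app-1 (lowercase, DNS-1123 friendly; assumed convention)."""
    return key[len(KEY_PREFIX):].lower().replace("_", "-")


def check_token(key: str, token: str, expected_config: str) -> list:
    """Return a list of problems with this key/token pair (empty if it is fine)."""
    problems = []
    if not key.startswith(KEY_PREFIX):
        problems.append(f"{key}: key lacks the {KEY_PREFIX} prefix")
    m = TOKEN_RE.match(token)
    if m is None:
        problems.append(f"{key}: value does not look like a Doppler service token")
    elif m.group("config") != expected_config:
        # A prod token synced into the staging cluster (or vice versa) is the
        # failure mode this catches before a store is wired to it.
        problems.append(
            f"{key}: token is for config '{m.group('config')}', "
            f"expected '{expected_config}' (token routed to the wrong stage?)"
        )
    return problems


def build_manifests(tokens: dict, expected_config: str,
                    token_secret_name: str = "doppler-service-tokens",
                    token_secret_namespace: str = "default") -> tuple:
    """Emit a ClusterSecretStore + ExternalSecret per app whose token passes the
    checks. Returns (manifests, problems); apps with problems are skipped."""
    manifests, problems = [], []
    for key in sorted(tokens):
        found = check_token(key, tokens[key], expected_config)
        if found:
            problems.extend(found)
            continue
        app = app_name_from_key(key)
        store_name = f"{app}-secret-store"
        manifests.append({
            "apiVersion": "external-secrets.io/v1beta1",
            "kind": "ClusterSecretStore",
            "metadata": {"name": store_name},
            "spec": {"provider": {"doppler": {"auth": {"secretRef": {
                "dopplerToken": {
                    "namespace": token_secret_namespace,
                    "name": token_secret_name,
                    "key": key,
                }}}}}},
        })
        manifests.append({
            "apiVersion": "external-secrets.io/v1beta1",
            "kind": "ExternalSecret",
            # Assumed layout: one namespace per app, named after the app.
            "metadata": {"name": f"{app}-secrets", "namespace": app},
            "spec": {
                "refreshInterval": "1h",
                "secretStoreRef": {"kind": "ClusterSecretStore", "name": store_name},
                "target": {"name": f"{app}-secrets"},
                # Assumed selector: pull every secret of the config into the
                # target Secret. Check the find syntax against your ESO version.
                "dataFrom": [{"find": {"name": {"regexp": ".*"}}}],
            },
        })
    return manifests, problems


def render(manifests: list) -> str:
    """Multi-document output; JSON is valid YAML, so `kubectl apply -f` accepts it."""
    return "\n---\n".join(json.dumps(m, indent=2) for m in manifests)


if __name__ == "__main__":
    docs, issues = build_manifests(SAMPLE_TOKENS, "stg")
    for issue in issues:
        print("SKIPPED:", issue)
    print(render(docs))
```

Run it once per stage with the matching config name (`"dev"`, `"stg"`, `"prd"`) and pipe the output to `kubectl apply -f -`; because a misrouted token is skipped rather than wired up, the worst case is a missing ExternalSecret, not a staging workload reading production secrets.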

Hi @boedy!

Welcome to the Doppler Community!

Your method seems pretty sound for now. I suspect most people currently use a personal token. We typically recommend against that unless you’re on our Enterprise plan and have access to custom roles, which would allow you to create a separate user just for this purpose and assign it a custom role with scoped down permissions (since personal token permissions are typically much broader than what you’d want for this).

We are currently working on something that would let you create a single token that has definable permissions that can access multiple projects and configs. Once that’s available, that will be the ideal option. You’ll still have to create a SecretStore per application, but there’s not a great way around that.

So, probably you have two options – either continue on with the method you’re using now or switch to using a personal token (with its accompanying risk) until the feature I mentioned is released (we’re hoping for the first quarter of next year).

Sorry that I don’t have better news for you in the short term here!

Regards,
-Joel