K8S - Service token management

boedy · December 22, 2022, 4:18pm

In Doppler we’ve set up a project per application. All projects need to be synced to our k8s cluster. Since service tokens are scoped to a single config, we have a lot of service tokens to deal with. I’m wondering if there are some best practices in pulling in these configs.

Current design

We have a project in Doppler name “k8s” where per stage (dev, stg, prd) we store the service tokens for each Doppler config with a DST_ prefix per key like such:

# staging
DST_APP_1: dp.st.stg.xxxxxxxxxxxxxxxxxx
DST_APP_2: dp.st.stg.yyyyyyyyyyyyyyyyyy
DST_APP_3: dp.st.stg.zzzzzzzzzzzzzzzzzz

Kubernetes fetches these keys though an ExternalSecret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: doppler-service-tokens
spec:
  secretStoreRef:
    kind: SecretStore
    name: doppler-auth-api

  target:
    name: doppler-service-tokens

  dataFrom:
    - find:
        path: DST_

Each app will need its own ExternalSecret and SecretStore which will grab the correct service token:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: "app1-secret-store"
spec:
  provider:
    doppler:
      auth:
        secretRef:
          dopplerToken:
            namespace: default
            name: doppler-service-tokens
            key: "DST_APP_1"

To be honest, I would prefer to have just one service token which the cluster could use the pull secrets from Doppler as our current approach will probably lead to an explosion of service tokens which becomes tedious to manage. I could perhaps use a personal access token, but then I would still need to create a SecretStore per application.

How are others doing this?

watsonian · December 22, 2022, 5:35pm

Hi @boedy!

Welcome to the Doppler Community!

Your method seems pretty sound for now. I suspect most people currently use a personal token. We typically recommend against that unless you’re on our Enterprise plan and have access to custom roles, which would allow you to create a separate user just for this purpose and assign it a custom role with scoped down permissions (since personal token permissions are typically much broader than what you’d want for this).

We are currently working on something that would let you create a single token that has definable permissions that can access multiple projects and configs. Once that’s available, that will be the ideal option. You’ll still have to create a SecretStore per application, but there’s not a great way around that.

So, probably you have two options – either continue on with the method you’re using now or switch to using a personal token (with its accompanied risk) until the feature I mentioned is released (we’re hoping for first quarter of next year).

Sorry that I don’t have better news for you in the short term here!

Regards,
-Joel

Topic		Replies	Views
How to handle service tokens Discussions	1	554	November 22, 2021
GitOps, K8s, Doppler & Disaster recovery Discussions	4	667	July 29, 2022
Kubernetes operator token service account Need Help	2	197	November 10, 2023
Starting with Doppler Discussions	1	222	September 19, 2023
Can we create DopplerSecret with multiple namespaces at a time? Need Help	2	626	November 22, 2021

K8S - Service token management

Current design

Related Topics