In Doppler we’ve set up a project per application. All projects need to be synced to our k8s cluster. Since service tokens are scoped to a single config, we have a lot of service tokens to deal with. I’m wondering if there are some best practices in pulling in these configs.
We have a project in Doppler named “k8s” where, per stage (dev, stg, prd), we store the service tokens for each Doppler config with a DST_ prefix per key, like so:

    # staging
    DST_APP_1: dp.st.stg.xxxxxxxxxxxxxxxxxx
    DST_APP_2: dp.st.stg.yyyyyyyyyyyyyyyyyy
    DST_APP_3: dp.st.stg.zzzzzzzzzzzzzzzzzz
Kubernetes fetches these keys through an ExternalSecret:

    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: doppler-service-tokens
    spec:
      secretStoreRef:
        kind: SecretStore
        name: doppler-auth-api
      target:
        name: doppler-service-tokens
      dataFrom:
        - find:
            path: DST_
Each app will need its own SecretStore which will grab the correct service token:

    apiVersion: external-secrets.io/v1beta1
    kind: ClusterSecretStore
    metadata:
      name: "app1-secret-store"
    spec:
      provider:
        doppler:
          auth:
            secretRef:
              dopplerToken:
                namespace: default
                name: doppler-service-tokens
                key: "DST_APP_1"
To be honest, I would prefer to have just one service token which the cluster could use to pull secrets from Doppler, as our current approach will probably lead to an explosion of service tokens which becomes tedious to manage. I could perhaps use a personal access token, but then I would still need to create a SecretStore per application.
How are others doing this?