Comments (6)
@jhoelzel The recommended way to accomplish this would be to use Service Accounts. You can give the SA access to whichever configs you're managing in Kubernetes and then a Service Account Token for it will have access to all those configs. You would then use that one token in all your DopplerSecret
CRDs and just reference the project and config name like this:
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
name: dopplersecret-test
namespace: doppler-operator-system
spec:
tokenSecret:
name: doppler-token-secret
project: your-project-name-here
config: your-config-name-here
managedSecret:
name: doppler-test-secret
namespace: default
That said, Service Accounts are only available on the Team plan or higher. Is that a potential option for you?
from kubernetes-operator.
Thank you for your answer but that only gives acces to all projects at the same time right?
There is no way to create for instance a "staging" and a "production" token where i want to keep the secrets apart fort security reasons, if i am not mistaken?
thanks in advance
from kubernetes-operator.
@jhoelzel Correct. There's no way to provide access to a specific subset of environments on all projects automatically. You can still accomplish that, but you'd need to do it per-project manually. You can automate that via our API though. You can manage it via Terraform as well by using project_member_group and project_member_service_account.
from kubernetes-operator.
ok thank you for this information, i understand and will work around this.
For the future "secretKeyRef" would still be a nice feature for the tokensecret. In clusters where compliance is needed, i really have to separate production from everything else and that will be the easy way to do it =)
from kubernetes-operator.
So i have just finished my prototype for this and summing up it would be much easier to implement "secretKeyRef" on your side than for us to have to maintain what bascially is an operator by itself =)
So for christmas, we hope that our feature-request can make it on the list for sometime next year!
Cheers and thank you for creating doppler
from kubernetes-operator.
Hi, we encountered a similar use case that we needed.
We implemented a custom solution, to ensure that each deployment got access to just one doppler project.
Basically, we created a doppler project name doppler-tokens, where we would store service tokens for individual projects.
So for example if you have project-a and project-b, we would create inside the doppler-tokens project two secrets named PROJECT_A and PROJECT_B and the values would be service tokens for the respective project and config.
We then used external secrets operator to convert each individual key from doppler-tokens into a separate kubernetes secret with a name matching the project name. We then create the doppler secret CRD pointing to the respective secret.
We packaged the whole thing as a helm chart, where we just need to specify the name of the doppler project and the config, and it creates the DopplerSecret CRD automatically.
The only thing we need to do, is when we need to add a new doppler project to be used in the cluster, we need to create a service token for it and store it inside of the doppler-tokens project. This we automated using a simple script using doppler CLI.
Ideally we'd like for this functionality to be available out of the box in the doppler kubernetes operator
from kubernetes-operator.
Related Issues (20)
- Allow DopplerSecret to be deployed to other namespaces HOT 1
- recommended.yaml not available in latest HOT 4
- GCP GKE INFO logs are showing ERROR HOT 5
- Feature request: Service Account support HOT 1
- Forcing DopplerSecret objects to be created in operator namespace breaks namespace isolation HOT 6
- RabbitMQ - default-user-credential-updater using Doppler Secrets HOT 3
- Is there an option to automatically create a new config if it's not found? HOT 1
- Strange double-deployment when doing helm deploy HOT 10
- "Cannot change existing managed secret type from Opaque to ." after upgrading to 1.4.0 HOT 3
- Manage CRDs via Helm HOT 1
- Configure resources for all containers HOT 1
- [Kubernetes] imagePullSecrets: unable to deploy HOT 2
- Set Loglevel HOT 4
- Reconcile algorithm overuses the Doppler API HOT 2
- Can't create managed secret for a project's root config HOT 1
- The operator should allow arbitrary string->string mappings for secrets HOT 2
- Helm Chart dependency `kube-rbac-proxy` deprecation warning HOT 1
- Support custom labels on created Secret HOT 3
- Helm values support
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubernetes-operator.