| ℹ️ This project has been replaced with the Doppler Kubernetes Operator. |
|---|
Automatically sync secrets from Doppler to Kubernetes with auto-reload of Deployments when secrets change.
Deploy the controller by running:
kubectl apply -f doppler-crd-controller.yml
kubectl rollout status -w deployment/doppler-controller --namespace doppler-controllerThe first step is to create a custom DopplerSecret resource, consisting of a name and a Doppler Service Token.
Upon DopplerSecret creation, the controller creates an associated Kubernetes secret, populating it with the secrets fetched from the Doppler API in Key-Value format.
To follow along with an example, update the code below with a real Service Token and save as doppler-secret.yml:
apiVersion: doppler.com/v1
kind: DopplerSecret
metadata:
name: dopplersecret-test # DopplerSecret resource name
spec:
serviceToken: dp.st.dev.XXXX # Change to your Doppler Service Token
secretName: doppler-test-secret # Kubernetes Secret nameThen create the DopplerSecret:
kubectl apply -f doppler-secret.ymlCheck that the associated Kubernetes secret has been created:
# List all Kubernetes secrets created by the Doppler controller
kubectl describe secrets --selector=dopplerSecret=true
# Or to view secret values
./bin/get-secret.sh doppler-test-secretThe controller continuously watches for secret updates from Doppler and when detected, automatically and instantly updates the associated secret.
Next, we'll cover how to configure a deployment to use the Kubernetes secret and enable auto-reloading for Deployments.
To use the secret created by the Controller, we'll use the envFrom field to populate a container's environment variables using the secrets's Key-Value pairs:
envFrom:
- secretRef:
name: mysecret # Matches the DopplerSecret nameAdding automatic and instant reloading of a deployment requires just a single annotation on the Deployment:
annotations:
dopplersecrets.doppler.com/reload: 'true'Let's look at a complete example that uses previously created DopplerSecret. Save the below as doppler-deployment.yml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: doppler-test-deployment
annotations:
dopplersecrets.doppler.com/reload: 'true'
spec:
replicas: 2
selector:
matchLabels:
app: doppler-test
template:
metadata:
labels:
app: doppler-test
spec:
containers:
- name: doppler-test
image: alpine
command: ['/bin/sh', '-c', 'apk add --no-cache tini > /dev/null 2>&1 && printenv | grep -v KUBERNETES_ && tini -s tail -f /dev/null'] # Test by printing env var names
imagePullPolicy: Always
envFrom:
- secretRef:
name: doppler-test-secret # Should match DopplerSecret.spec.secretName
resources:
requests:
memory: '250Mi'
cpu: '250m'
limits:
memory: '500Mi'
cpu: '500m' Create the deployment:
kubectl apply -f doppler-deployment.yml
kubectl rollout status -w deployment/doppler-test-deploymentOnce the Deployment has completed, you can view the logs of the test container, which lists the environment variables (minus those with the KUBERNETES_ prefix):
kubectl logs -lapp=doppler-test NOTE: The
watchbinary is used by the below commands and can be installed on macOS using homebrew withbrew install watch.
This repo contains a couple of handy scripts that give greater visibility into the secret and deployment updating process.
To watch a Doppler owned secret for updates:
# Replace `doppler-test-secret` with your secret name
./bin/get-secret.sh doppler-test-secretTo watch the logs of a running Pod:
# Replace `app=doppler-test` with your deployment label selector
watch ./bin/pod-logs.sh app=doppler-test