Doppler Secrets Manager

The functionality of Release's Doppler Secrets Manager integration and how to set it up

Doppler Secrets Manager allows you to securely manage and inject secrets directly into your Release environments. Integrating Doppler with Release involves setting up the Doppler Kubernetes Operator to synchronize secrets with Kubernetes and then configuring Release to utilize these secrets for various services and jobs.

Prerequisites

Before you begin, ensure you have:

  1. Access to a Release environment with Kubernetes clusters configured.

  2. The Release CLI installed and configured.

  3. A Doppler account with appropriate service tokens generated.

Setting Up Doppler in Release

Follow these steps to integrate Doppler Secrets Manager with Release.

Set Up Kubeconfig for Your Release Cluster

First, use the Release CLI to generate and configure kubeconfig for your Release cluster:

release clusters kubeconfig --account Release --cluster release-development ./
export KUBECONFIG=./config-release-development.yaml

The first command writes the kubeconfig for your Release cluster into the current directory (as config-release-development.yaml); exporting KUBECONFIG then points kubectl and helm at that cluster for the rest of the session.

Install the Doppler Kubernetes Operator

The Doppler Kubernetes Operator allows secrets to be synced from Doppler into your Kubernetes cluster. To install it, add the Doppler Helm repository and install the operator:

helm repo add doppler https://helm.doppler.com
helm install --generate-name doppler/doppler-kubernetes-operator

Create a Doppler Token Secret in Kubernetes

Next, create a Kubernetes secret with your Doppler service token. This token should have the necessary permissions to access the secrets you intend to use. Run the following command, replacing YOUR_DOPPLER_SERVICE_TOKEN with your actual token:

kubectl create secret generic doppler-token-secret \
  --namespace doppler-operator-system \
  --from-literal=serviceToken=YOUR_DOPPLER_SERVICE_TOKEN
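The three steps above, as an added bootstrap script that is not Release's or Doppler's own tooling. It makes two changes a practitioner would want: the service token is read from the DOPPLER_SERVICE_TOKEN environment variable and piped into kubectl via --from-file=serviceToken=/dev/stdin, so it never sits in argv, ps output or shell history the way --from-literal leaves it; and it waits for the operator's controller deployment before creating the secret, then confirms the serviceToken key landed without printing its value. It assumes release, helm and kubectl are on PATH, the account and cluster names used on this page, and that Doppler service tokens begin with dp.st. (adjust validate_token if yours differ). It uses helm upgrade --install with a fixed release name instead of --generate-name so re-running is idempotent.

```shell
#!/usr/bin/env sh
# Added example, not Release or Doppler tooling: bootstrap the Doppler operator
# on a Release cluster without passing the service token on the command line.
# Assumptions: release, helm and kubectl on PATH; names as on the page;
# Doppler service tokens carry the "dp.st." prefix; token in DOPPLER_SERVICE_TOKEN.
set -eu

ACCOUNT="${RELEASE_ACCOUNT:-Release}"
CLUSTER="${RELEASE_CLUSTER:-release-development}"
OPERATOR_NS="doppler-operator-system"
TOKEN_SECRET="doppler-token-secret"

# File the Release CLI writes when given a directory: <dir>/config-<cluster>.yaml
kubeconfig_path() {
  printf '%s/config-%s.yaml\n' "$1" "$2"
}

# Sanity-check a token before it touches the cluster: non-empty, no whitespace
# (a pasted trailing newline is a common cause of "invalid token" in the operator
# logs) and the assumed "dp.st." service-token prefix. Returns 0 when it looks right.
validate_token() {
  case "$1" in
    "")             return 1 ;;
    *[[:space:]]*)  return 1 ;;
    dp.st.*)        return 0 ;;
    *)              return 1 ;;
  esac
}

# Create the secret from stdin so the token never appears in argv, `ps` output
# or shell history. The key name serviceToken is the one the page uses.
create_token_secret() {
  printf '%s' "$DOPPLER_SERVICE_TOKEN" | kubectl create secret generic "$TOKEN_SECRET" \
    --namespace "$OPERATOR_NS" \
    --from-file=serviceToken=/dev/stdin
}

main() {
  for tool in release helm kubectl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; exit 1; }
  done
  validate_token "${DOPPLER_SERVICE_TOKEN:-}" \
    || { echo "DOPPLER_SERVICE_TOKEN is unset or malformed" >&2; exit 1; }

  # Step 1: kubeconfig for the Release cluster.
  release clusters kubeconfig --account "$ACCOUNT" --cluster "$CLUSTER" ./
  KUBECONFIG="$(kubeconfig_path . "$CLUSTER")"
  export KUBECONFIG

  # Step 2: the operator. upgrade --install with a fixed release name is
  # idempotent, unlike --generate-name, so re-running the script is safe.
  helm repo add doppler https://helm.doppler.com --force-update
  helm repo update
  helm upgrade --install doppler-operator doppler/doppler-kubernetes-operator
  kubectl rollout status deployment/doppler-operator-controller-manager \
    -n "$OPERATOR_NS" --timeout=120s

  # Step 3: the token secret, then confirm the key exists without printing it.
  create_token_secret
  if ! kubectl get secret "$TOKEN_SECRET" -n "$OPERATOR_NS" \
       -o jsonpath='{.data.serviceToken}' | grep -q .; then
    echo "serviceToken key missing from $TOKEN_SECRET" >&2
    exit 1
  fi
  echo "Doppler operator installed and token secret created in $OPERATOR_NS"
}

# Only run when invoked as "sh doppler-bootstrap.sh run"; otherwise just define functions.
case "${1:-}" in
  run) main ;;
esac
```

Invoke it as DOPPLER_SERVICE_TOKEN=... sh doppler-bootstrap.sh run; without the run argument it only defines its functions, which is convenient for sourcing the checks into other scripts.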

Configure your application in Release to use Doppler Secrets

To configure and link Doppler secrets to services in Release, start by defining the secrets you’ll need from Doppler, pointing each set to a specific Doppler project and configuration. Then, link these secrets to your services using the secrets_from field in each service configuration. This setup enables each service to securely access the exact set of secrets it requires from Doppler.

For example, define a development set of secrets for the Rails project and a development-ai set for an AI project. Each set references a Doppler project and configuration, as shown below:

secrets:
# defines the secrets for the Rails project
- name: development
  type: doppler
  project: rails  # project in doppler
  config: dev     # config in doppler

# defines the secrets for the AI project
- name: development-ai
  type: doppler
  project: ai
  config: dev

Now you can associate these secrets with the appropriate services. The rails service, for instance, can use the development secrets, while an ai-chatbot service accesses the development-ai secrets.

services:
- name: rails
  image: github-org/rails
  secrets_from:
  - development

- name: ai-chatbot
  image: github-org/ai-chatbot
  secrets_from:
  - development-ai

jobs:
- name: chatbot-setup
  image: github-org/rails
  secrets_from:
  - development
  - development-ai
  steps:
  - run: bundle exec rake chatbot:setup

In this example:

  - The rails service links to the development secrets, which pull from the rails project and dev configuration in Doppler.

  - The ai-chatbot service uses the development-ai secrets from the ai project and dev configuration.

  - The chatbot-setup job links both sets, so its rake task sees secrets from both projects.

By defining and linking Doppler secrets in this way, each service has secure, targeted access to only the secrets it needs, simplifying secrets management and enhancing security across your Release environment.
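An added pre-deploy lint for the wiring above, not part of Release's tooling: it checks that every secrets set has type doppler with a project and config, that no set is defined twice, and that every secrets_from entry under services and jobs names a defined set, so a typo is caught before the environment is created rather than surfacing as a missing variable at runtime. It assumes the layout shown on this page (top-level secrets:, services: and jobs: keys, entries beginning with - name:, secrets_from items on their own - lines) and is a narrow awk scanner, not a general YAML parser. The two configs embedded in it are constructed: page_config mirrors the example above, broken_config introduces a typo and a set with no config.

```shell
#!/usr/bin/env sh
# Added example, not Release tooling: lint the secrets / secrets_from wiring of
# a Release config. Assumes the page's layout (two-space indented lists).
set -eu

# Reads a config on stdin, prints one line per problem, exits 1 if any were found.
lint_release_secrets() {
  awk '
    BEGIN { bad = 0; nrefs = 0; section = ""; cur = ""; inlist = 0
            split("", defined); split("", seen) }
    # Validate the secrets set that was being collected and record its name.
    function flush_secret() {
      if (cur == "") return
      if (type != "doppler") { print "secret " cur ": type must be doppler"; bad = 1 }
      if (project == "")     { print "secret " cur ": missing project"; bad = 1 }
      if (config == "")      { print "secret " cur ": missing config"; bad = 1 }
      defined[cur] = 1
      cur = ""; type = ""; project = ""; config = ""
    }
    /^#/ || /^[ \t]*$/ { next }                          # comments, blank lines
    /^secrets:/ { section = "secrets"; next }
    /^services:/ || /^jobs:/ { flush_secret(); section = "workloads"; next }
    /^[^ \t-]/ { flush_secret(); section = ""; next }    # any other top-level key
    section == "secrets" {
      if ($1 == "-" && $2 == "name:") {
        flush_secret(); cur = $3
        if (cur in seen) { print "secret " cur ": defined twice"; bad = 1 }
        seen[cur] = 1
      } else if ($1 == "type:")    type = $2
      else if ($1 == "project:")   project = $2
      else if ($1 == "config:")    config = $2
      next
    }
    section == "workloads" {
      if ($1 == "-" && $2 == "name:") { owner = $3; inlist = 0 }
      else if ($1 == "secrets_from:") inlist = 1
      else if (inlist && $1 == "-")   refs[nrefs++] = owner SUBSEP $2
      else inlist = 0                                    # image:, steps:, ...
      next
    }
    END {
      flush_secret()
      # References are checked last so secrets: may appear anywhere in the file.
      for (i = 0; i < nrefs; i++) {
        split(refs[i], r, SUBSEP)
        if (!(r[2] in defined)) {
          print r[1] ": secrets_from references undefined secret " r[2]; bad = 1
        }
      }
      exit bad
    }
  '
}

# Constructed sample mirroring the page's example.
page_config() {
cat <<'EOF'
secrets:
# defines the secrets for the Rails project
- name: development
  type: doppler
  project: rails  # project in doppler
  config: dev     # config in doppler

- name: development-ai
  type: doppler
  project: ai
  config: dev

services:
- name: rails
  image: github-org/rails
  secrets_from:
  - development

jobs:
- name: chatbot-setup
  image: github-org/rails
  secrets_from:
  - development
  - development-ai
  steps:
  - run: bundle exec rake chatbot:setup
EOF
}

# Constructed sample with a missing config and a typo in secrets_from.
broken_config() {
cat <<'EOF'
secrets:
- name: development
  type: doppler
  project: rails
services:
- name: rails
  image: github-org/rails
  secrets_from:
  - developmnt
EOF
}

case "${1:-}" in
  lint) lint_release_secrets ;;   # usage: sh lint-secrets.sh lint < <your Release config>
  demo) page_config | lint_release_secrets && echo "page config: ok"
        broken_config | lint_release_secrets || echo "broken config: rejected" ;;
esac
```

Run sh lint-secrets.sh demo to see both samples, or pipe your own config into sh lint-secrets.sh lint as a pre-deploy check in CI.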

Debugging Doppler Secrets Issues

You may get errors when trying to access secrets from Doppler. To view the logs from the Doppler operator, run the following command:

kubectl logs -f deployment/doppler-operator-controller-manager -n doppler-operator-system

This command fetches the logs from the Doppler operator controller manager, allowing you to troubleshoot any issues with secrets synchronization. Common issues include incorrect service account permissions, invalid Doppler service tokens, or misconfigured Doppler projects and configurations.
