Manage your kubernetes secrets securely, directly from the web browser!

Manage your kubernetes secrets securely, directly from the web browser!

Managing secrets in Kubernetes can be a real headache. If you've ever struggled with keeping environment variables secure and up-to-date across multiple clusters, I totally get it. Many of us have faced the hassle of manual secret management, and it's time we found a better way.

I often used to think how much easier things would be if I could manage secrets via the web browser or an API and I finally found something which does exactly that.

In this blog post, I'll introduce you to Doppler, a tool that makes secret management in Kubernetes so much easier. We'll walk through how to implement the Doppler Kubernetes Operator using Helm, step by step. By the end, you'll know what Doppler is, how it works, and how it can help you.

The Challenges of Secret Management in Kubernetes

Kubernetes is a powerful platform, but dealing with secrets can be tough:

  • Manual Processes: Updating secrets by hand takes a lot of time and can lead to mistakes. When you're managing multiple files and environments, it's easy to mess up.
  • Security Risks: If secrets aren't stored properly, sensitive information can leak. This can cause compliance issues and security breaches.
  • Scalability Issues: As your applications grow, keeping secrets consistent across environments gets more complicated.

These problems can slow down your development process and put your data at risk. But there's a solution.


Introducing Doppler

Doppler is a secret management platform designed to simplify how you handle environment variables and secrets. Here's what it offers:

  • Centralized Secret Storage: Keep all your secrets in one secure place.
  • Environment Variable Management: Easily manage variables across development, staging, and production.
  • Team Collaboration Tools: Work smoothly with your team, with proper access controls.
  • Version Control and Audit Logs: Track changes and maintain compliance without hassle.

By integrating Doppler with Kubernetes, you can automate secret management, reduce errors, and improve security.

How Does the Doppler Kubernetes Operator Work?

Before we jump into the setup, let's understand how the Doppler Kubernetes Operator works in your cluster.

In Kubernetes, an Operator is like an assistant that helps manage applications and resources. It uses custom resources and controllers to automate tasks that would otherwise need manual work.

The Doppler Kubernetes Operator connects your Doppler secrets to your Kubernetes cluster. Here's how it works:

  1. Custom Resource Definition (CRD): The operator introduces a new resource type called DopplerSecret. You use this to tell Kubernetes which Doppler project and configuration to sync.
  2. Continuous Syncing: Once you create a DopplerSecret, the operator keeps an eye on your Doppler project. If there are any changes to the secrets, it updates them in Kubernetes automatically.
  3. Automated Updates: The operator updates your Kubernetes secrets whenever something changes in Doppler. This means your applications always have the latest secret values without you having to do anything.
  4. Secure Connection: The operator uses a service token (stored securely in Kubernetes) to access your Doppler account. This keeps the connection between Doppler and your cluster safe. 

By using the operator, you don't have to update secrets manually anymore. It reduces the risk of errors and makes sure all your environments stay in sync.

Doppler Flow
Doppler Flow

Step-by-Step Guide to Implementing Doppler Kubernetes Operator Using Helm

Let's get started with setting up Doppler in your Kubernetes cluster using Helm.

Prerequisites

Before we begin, make sure you have the following:

  • A running Kubernetes cluster
  • Kubernetes command-line tool (kubectl) configured
  • Helm package manager installed
  • A Doppler account with necessary permissions

 Step 1: Install the Doppler Kubernetes Operator Using Helm

First, we'll install the Doppler Kubernetes Operator using Helm.

Add the Doppler Helm Repository:

helm repo add doppler https://helm.doppler.com

Update Helm Repositories:

helm repo update

Install the Operator:

helm install doppler-operator doppler/doppler-operator

This command installs the operator into your Kubernetes cluster.

Step 2: Create a Doppler Service Token

We need to give the operator access to your Doppler secrets.

Generate a Service Token:

  • Log in to your Doppler account through your web browser.
  • Navigate to your project.
  • Go to Settings > Service Tokens.
  • Click on Create Service Token.
  • Give your token a name and select the appropriate scopes.
  • Click Create and copy the generated token. We'll need it in the next step.

 Step 3: Configure Access to Doppler Projects

Now, we'll securely provide the service token to the operator.

Create a Kubernetes Secret for the Doppler Token:

Replace YOUR_DOPPLER_SERVICE_TOKEN with the token you copied earlier.

kubectl create secret generic doppler-token --from-literal=serviceToken=YOUR_DOPPLER_SERVICE_TOKEN

Step 4: Define Secrets to Sync

We'll tell the operator which secrets to sync.

Create a DopplerSecret Custom Resource:

Create a file named dopplersecret.yaml with the following content:

apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: my-doppler-secret
spec:
  project: your-doppler-project
  config: dev
  secretName: doppler-secrets
  serviceTokenSecret:
    name: doppler-token
    key: serviceToken
  • Replace your-doppler-project with your actual project name in Doppler.
  • Replace dev with the configuration you want to use (e.g., staging, production).

Apply the Configuration:

kubectl apply -f dopplersecret.yaml

Step 5: Update Your Kubernetes Deployments

Now, we'll update your application to use the synced secrets.

Create a Complete Deployment File:

Create a file named deployment.yaml with the following content:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
          envFrom:
            - secretRef:
                name: doppler-secrets

This deployment uses the nginx image and pulls in environment variables from the doppler-secrets secret.

Step 6: Verify the Implementation

Let's make sure everything is working.

Check Synced Secrets:

kubectl get secrets kubectl describe secret doppler-secrets

These commands show that the secrets are present and contain the expected data.

Test the Application:

You can port-forward to the nginx service to test it locally:

kubectl port-forward deployment/nginx-deployment 8080:80

Visit http://localhost:8080 in your browser to see the nginx welcome page. While nginx doesn't use environment variables by default, this setup ensures your application has access to the secrets if needed.

Frequently Asked Questions (FAQs)


  1. Can I use Doppler with multiple Kubernetes clusters? 

Yes, you can use Doppler with multiple Kubernetes clusters. You just need to install the Doppler Kubernetes Operator on each cluster and configure them with the appropriate service tokens and DopplerSecret resources.

  1. How does Doppler handle secret rotation?

Doppler automatically syncs any changes to your secrets, including rotations. When you update a secret in Doppler, the operator updates the Kubernetes secret, and your applications will receive the new values.

  1. Is it safe to store the Doppler service token in a Kubernetes secret? 

Yes, storing the service token in a Kubernetes secret is secure, as long as you follow best practices for securing your cluster. Make sure to restrict access to secrets and use role-based access control (RBAC) to limit who can view them.

  1. What happens if the Doppler service is temporarily unavailable?

If Doppler is temporarily unavailable, the operator will retry syncing the secrets until the service is back online. Your existing secrets in Kubernetes will remain unchanged, so your applications should continue running without interruption.

Conclusion

Managing secrets in Kubernetes doesn't have to be a headache. With Doppler and Helm, you can automate the process, improve security, and save time.

We've walked through setting up Doppler in your Kubernetes cluster, from installing the operator to deploying your application with a complete deployment file. By following these steps, you'll have a reliable secret management system that's easy to maintain.

If you haven't tried Doppler yet, I encourage you to give it a shot. It might just make your life a whole lot easier.

Checkout our article on all the new features in Kubernetes 1.30 at: https://www.kubeblogs.com/explore-all-the-new-features-in-kubernetes-1-30/