DopplerHQ / kubernetes-operator

Apache License 2.0

Feature request: Service Account support #39

Closed a-nldisr closed 1 year ago

a-nldisr commented 1 year ago

As I understand it, Doppler currently works such that a service token gives access to a single branch config; this way tokens and branch config locations are tightly coupled, without any need for the user to specify where the branch config is located.

This way the operator knows where to fetch the secrets. Service accounts, however, can be used to fetch secrets from many configs. I suspect we need to configure, through the DopplerSecret, where to fetch the config/secrets from, but this would require changes. Is this assumption correct?

watsonian commented 1 year ago

Hi @a-nldisr! Actually, this is already supported! We added it in #23 back in August, but didn't widely advertise it because using Personal Tokens can be dangerous from a permissions perspective. Now that Service Account Tokens are available though, we've updated our docs to show this new format. Here's an example:

```yaml
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: dopplersecret-test # DopplerSecret Name
  namespace: doppler-operator-system
spec:
  tokenSecret: # Kubernetes service token secret (namespace defaults to doppler-operator-system)
    name: doppler-token-secret
  project: your-project-name-here
  config: your-config-name-here
  managedSecret: # Kubernetes managed secret (will be created if does not exist)
    name: doppler-test-secret
    namespace: default # Should match the namespace of deployments that will use the secret
```
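The manifests below are an added example, not part of the issue and not from the DopplerHQ repository, showing how the DopplerSecret above fits together with the Kubernetes Secret that holds the Doppler token and a workload that consumes the managed secret. The Secret key name `serviceToken`, the placeholder token value and the `example-app` Deployment are assumptions made for illustration.

```yaml
# Added example (not from the issue or the Doppler operator repository).
# 1. Kubernetes Secret holding the Doppler Service Account token. It lives in the
#    operator's namespace so that application namespaces never hold the token
#    itself. The key name `serviceToken` and the placeholder value are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: doppler-token-secret
  namespace: doppler-operator-system
type: Opaque
stringData:
  serviceToken: "<DOPPLER_SERVICE_ACCOUNT_TOKEN_PLACEHOLDER>"
---
# 2. The DopplerSecret from the comment above. project and config are given
#    explicitly because a Service Account token is not tied to a single config
#    the way a service token is.
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: dopplersecret-test
  namespace: doppler-operator-system
spec:
  tokenSecret:
    name: doppler-token-secret # resolved in doppler-operator-system by default
  project: your-project-name-here
  config: your-config-name-here
  managedSecret:
    name: doppler-test-secret
    namespace: default # must match the namespace of the consuming workload
---
# 3. A workload in the managed secret's namespace (assumed name and image).
#    It only sees the synced config values, not the Doppler token.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: example-app:latest # assumed image
          envFrom:
            - secretRef:
                name: doppler-test-secret
```

Applying all three with `kubectl apply -f` keeps the token confined to the operator namespace while the application namespace receives only the managed secret, so RBAC on `doppler-operator-system` is what protects the token. Keeping `managedSecret.namespace` equal to the Deployment's namespace is required because a `secretRef` can only reference a Secret in the pod's own namespace.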