Add OIDC authentication support to Doppler provider #2

mikesellitto · 2025-09-08T15:01:32Z

Problem Statement

The Doppler provider in ESO currently only supports token-based authentication. Doppler has added OIDC authentication functionality to their product, but ESO currently has no simple way to utilize it.

Related Issue

Fixes #XXXX

Proposed Changes

This PR adds OIDC authentication support to the Doppler provider, allowing ESO to authenticate with Doppler without using static credentials.

Specifically, it:

Adds a new oidcConfig field to the Doppler provider's auth config (mutually exclusive with the existing secretRef auth).
Adds a new --doppler-oidc-cache-size flag, which controls the LRU cache size for OIDC-authenticated Doppler clients.

Checklist

I have read the contribution guidelines
All commits are signed with git commit --signoff
My changes have reasonable test coverage
All tests pass with make test
I ensured my PR is ready for review with make reviewable

apis/externalsecrets/v1/secretstore_doppler_types.go

config/crds/bases/external-secrets.io_clustersecretstores.yaml

config/crds/bases/external-secrets.io_secretstores.yaml

deploy/crds/bundle.yaml

docs/api/spec.md

docs/snippets/doppler-oidc-secret-store.yaml

pkg/provider/doppler/auth_oidc.go

pkg/provider/doppler/provider.go

emily-curry

Some initial observations. I have not tested locally yet, but I will later today.

docs/snippets/doppler-oidc-secret-store.yaml

pkg/provider/doppler/auth_oidc.go

pkg/provider/doppler/provider.go

emily-curry

I tested this pretty lightly, but it seems solid. Did not test the clusterSecretStore.

Let's not merge this into our fork's main branch. Instead, you can retarget this at a feature branch, and use that for opening the PR upstream, or you can use your own fork for opening the PR. It would be easiest to keep this fork's main branch 1:1 with upstream, though.

docs/snippets/doppler-oidc-secret-store.yaml

docs/provider/doppler.md

emily-curry · 2025-10-07T22:04:54Z

pkg/provider/doppler/auth_oidc.go

+	if m.storeKind == esv1.ClusterSecretStoreKind && oidcAuth.ServiceAccountRef.Namespace != nil {
+		tokenRequest.Namespace = *oidcAuth.ServiceAccountRef.Namespace
+	}


question: Could you explain why this is necessary (and perhaps add a comment)?

By default, we look for the ServiceAccount in the ExternalSecrets namespace. For ClusterSecretStores which can be used across namespaces, we allow explicitly specifying which namespace the ServiceAccount lives in via ServiceAccountRef.Namespace.

I've added this comment in the latest force push:
// For ClusterSecretStores, we use the ServiceAccountRef.Namespace if specified
I could get more specific, but I feel like this is enough to make sense of for reviewers/users who are using a ClusterSecretStore

emily-curry · 2025-10-07T22:12:04Z

pkg/provider/doppler/client.go

+		if doppler, ok := c.doppler.(*dClient.DopplerClient); ok {
+			doppler.DopplerToken = token


check/question: Why is this part necessary? It doesn't look like we were doing this before.

This part is necessary because this DopplerToken is what we use when making requests.

However, you brought my attention to the fact that I was setting c.dopplerToken = token above this, which wasn't necessary since it's only used during initialization of the DopplerClient. That's been removed in the latest force push.

emily-curry · 2025-10-07T22:14:03Z

pkg/provider/doppler/provider.go

+	useCache := dopplerStoreSpec.Auth.OIDCConfig != nil
+
+	key := cache.Key{
+		Name:      store.GetObjectMeta().Name,
+		Namespace: namespace,
+		Kind:      store.GetTypeMeta().Kind,
+	}


nit/optional: We should probably disambiguate any references to caches and keys by including auth/oidc somewhere in the name, in anticipation of also caching secret values.

Good thinking. Done in the latest force push.

emily-curry · 2025-10-07T22:18:39Z

pkg/provider/doppler/provider.go

+		Kind:      store.GetTypeMeta().Kind,
+	}
+
+	if useCache && clientCache != nil {


nit/check: Can we hoist the && clientCache != nil check into useCache?

Yep! Done in the latest force push.

watsonian · 2025-10-14T21:25:33Z

docs/provider/doppler.md

+Next, create a Doppler Service Account Identity with:
+- **Issuer**: Your cluster's OIDC discovery URL
+- **Audience**: The resource-specific audience for the SecretStore (e.g., `secretStore:external-secrets:doppler-auth-api` for a SecretStore or `clusterSecretStore:doppler-auth-api` for a ClusterSecretStore)
+- **Subject**: The Kubernetes ServiceAccount (e.g., `system:serviceaccount:external-secrets:doppler-oidc-sa`)


Could we explain this in terms of a template as well as provide concrete examples? (i.e., secretStore:<namespace>:<secretStoreName> and system:serviceaccount:<namespace>:<serviceAccountName>)

watsonian

Left one comment regarding a slight tweak to the docs I think we should make, but otherwise confirmed everything was working as expected in a local build.

Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Co-authored-by: Gustavo Fernandes de Carvalho <17139678+gusfcarvalho@users.noreply.github.com>

Bumps golang from 1.25.4 to 1.25.5. --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…e2e (external-secrets#5702) Bumps golang from 1.25.4-bookworm to 1.25.5-bookworm. --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…xternal-secrets#5653) Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

…ets#5655) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…0.1 (external-secrets#5695) Bumps [peter-evans/slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/peter-evans/slash-command-dispatch/releases) - [Commits](peter-evans/slash-command-dispatch@e1b4e26...5c11dc7) --- updated-dependencies: - dependency-name: peter-evans/slash-command-dispatch dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…l-secrets#5696) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.5 to 4.31.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@fdbfb4d...cf1bb45) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…ts#5697) Bumps [actions/stale](https://github.com/actions/stale) from 10.1.0 to 10.1.1. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@5f858e3...9971854) --- updated-dependencies: - dependency-name: actions/stale dependency-version: 10.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…external-secrets#5700) Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@7e473ef...29824e6) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 2.2.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…xternal-secrets#5698) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.2 to 2.13.3. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@95d9a5d...df199fb) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ets#5699) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@1af3b93...8e8c483) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…xternal-secrets#5705) Bumps [platformdirs](https://github.com/tox-dev/platformdirs) from 4.5.0 to 4.5.1. - [Release notes](https://github.com/tox-dev/platformdirs/releases) - [Changelog](https://github.com/tox-dev/platformdirs/blob/main/CHANGES.rst) - [Commits](tox-dev/platformdirs@4.5.0...4.5.1) --- updated-dependencies: - dependency-name: platformdirs dependency-version: 4.5.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…rnal-secrets#5692) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…l-secrets#5703) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…rnal-secrets#5704) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…ets#5706) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

Signed-off-by: Mike Sellitto <mike.sellitto@doppler.com>

… if provided (external-secrets#5685)

… location is specified (external-secrets#5708) Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

…xternal-secrets#5652)

mikesellitto force-pushed the doppler-oidc-auth branch from 34aa022 to 1d9a465 Compare September 8, 2025 15:09

mikesellitto requested review from emily-curry and watsonian September 10, 2025 15:57