feat: add Doppler OIDC-based authentication #5475
Skarlso merged 5 commits into external-secrets:main from
59cda82 to 31c9317
31c9317 to 6e4ea65
The latest force-push correctly regenerates the
Hi! Could you please take care of the 2 Sonar issues? 🙇 Thanks!
| dopplerOIDCPath = "/v3/auth/oidc" | ||
| ) | ||
|
|
||
| type OIDCTokenManager struct { |
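Review bot: the exported type `OIDCTokenManager` on the last line of this excerpt has no doc comment above it in the lines shown; only a blank line separates it from the closing `)` of the preceding declaration block. Its name is generic, while the only endpoint visible beside it is the Doppler-specific `dopplerOIDCPath = "/v3/auth/oidc"`, so a `// OIDCTokenManager ...` comment stating that it exchanges tokens against the Doppler endpoint would make the scope explicit to readers.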
I love that you wrote an OIDC handler. I don't love that it's only for Doppler. I think we should support well-known lookup via OIDC config. @Skarlso wdyt about this whole ordeal?
I think that's a great idea, and will certainly be something to look at once I see another OIDC setup. :))
0c56601 to fcae74d
da0bec2 to 0b0d312
This new Sonar issue should be accepted/ignored, since fixing it would require changing the
I don't know why the sonar stuff suddenly started to pop up everywhere. I'll see if I can ignore it globally. Could you please fix the client issue though? (GitHub security bot issue).
@Skarlso This issue (
0b0d312 to 8e59609
@Skarlso @jakobmoellerdev The latest force-push rebases onto the latest main and fixes a linting issue.
I can't fix your branch for some reason. Maybe you disallowed edits from maintainers (which is weird because I can see it on the right side). Anyways, you need to sort the imports on a couple of files in the doppler folder and also run go mod tidy. And then run
c0d594c to ab8a80f
@Skarlso Strange, I didn't disallow edits and I also see it enabled on the right. No worries though, I've done so and fixed the linter issue.
Signed-off-by: Mike Sellitto <mike.sellitto@doppler.com>
ab8a80f to 77e1ea2
@mikesellitto Perfect! Thanks very much. :)
This commit adds OIDC authentication support to the Pulumi provider, allowing External Secrets Operator to authenticate with Pulumi ESC using Kubernetes ServiceAccount tokens instead of static access tokens.

Changes:
- Add PulumiAuth type with support for both accessToken and oidcConfig
- Add PulumiOIDCAuth type for OIDC configuration
- Implement OIDCTokenManager for token exchange with Pulumi API
- Add caching support for OIDC-authenticated clients
- Add InitializeFlags function for cache configuration
- Update provider to support both authentication methods
- Maintain backward compatibility with deprecated accessToken field
- Add comprehensive tests for OIDC functionality
- Update CRDs with new authentication options
- Add documentation and example YAML snippets

The implementation follows the same pattern as the Doppler provider (PR external-secrets#5475) for consistency across the codebase.

Key features:
- Token caching with automatic refresh
- Support for both SecretStore and ClusterSecretStore
- Configurable token expiration (default 10 minutes)
- Proper error handling and validation
- LRU cache for OIDC clients

Signed-off-by: Matt Johnston <mattjo@supabase.io>



Problem Statement
The Doppler provider in ESO currently only supports token-based authentication. Doppler has added OIDC authentication functionality to the product, but ESO currently has no simple way to utilize it.
Related Issue
Fixes #4352
Proposed Changes
This PR adds OIDC authentication support to the Doppler provider, allowing ESO to authenticate with Doppler without using static credentials.
Specifically, it:
- oidcConfig field to the Doppler provider's auth config (mutually exclusive with the existing secretRef auth).
- --doppler-oidc-cache-size flag, which controls the LRU cache size for OIDC-authenticated Doppler clients.
Checklist
- git commit --signoff
- make test
- make reviewable
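
A manager that trades a ServiceAccount token for a short-lived provider token has to decide when to reuse the cached token and when to exchange again. The following is an added example, not code from this PR or from the external-secrets project; `tokenCache`, `demo`, the stub exchange, the one-minute refresh skew and the ten-minute token lifetime are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// tokenCache reuses an exchanged token until it is within skew of expiry.
type tokenCache struct {
	mu       sync.Mutex
	exchange func() (string, time.Time, error) // stand-in for the HTTP token exchange
	now      func() time.Time                  // injectable clock so expiry is testable
	skew     time.Duration                     // refresh this long before expiry
	token    string
	expires  time.Time
}

func (c *tokenCache) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && c.now().Add(c.skew).Before(c.expires) {
		return c.token, nil // still fresh: no exchange
	}
	tok, exp, err := c.exchange()
	if err != nil {
		return "", fmt.Errorf("oidc exchange: %w", err) // the stale token is not served
	}
	if tok == "" || !exp.After(c.now()) {
		return "", fmt.Errorf("oidc exchange returned an empty or expired token")
	}
	c.token, c.expires = tok, exp
	return tok, nil
}

func demo() (calls int, tokens []string) { // constructed clock and stub exchange
	clock := time.Unix(0, 0)
	c := &tokenCache{now: func() time.Time { return clock }, skew: time.Minute}
	c.exchange = func() (string, time.Time, error) {
		calls++
		return fmt.Sprintf("tok-%d", calls), clock.Add(10 * time.Minute), nil
	}
	for _, step := range []time.Duration{0, 5 * time.Minute, 5 * time.Minute} {
		clock = clock.Add(step)
		t, _ := c.Token()
		tokens = append(tokens, t)
	}
	return calls, tokens
}
func main() { fmt.Println(demo()) }
```

The mutex matters because one cached token is typically shared by concurrent reconciles; without it, several callers that hit the expiry window together would each perform their own exchange.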