feat: sync runtime secrets from doppler

2026-03-09 00:25:41 +00:00
parent e10a70475f
commit 6f2e056b98
20 changed files with 180 additions and 4 deletions
--- a/ansible/roles/doppler-bootstrap/tasks/main.yml
+++ b/ansible/roles/doppler-bootstrap/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Ensure Doppler service token is provided
+  assert:
+    that:
+      - doppler_hetznerterra_service_token | length > 0
+    fail_msg: doppler_hetznerterra_service_token must be provided for External Secrets bootstrap.
+
+- name: Ensure external-secrets namespace exists
+  shell: kubectl create namespace external-secrets --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: true
+
+- name: Apply Doppler service token secret
+  shell: >-
+    kubectl -n external-secrets create secret generic doppler-hetznerterra-service-token
+    --from-literal=dopplerToken='{{ doppler_hetznerterra_service_token }}'
+    --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: true
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -123,6 +123,13 @@
  roles:
    - private-access

+- name: Bootstrap Doppler access for External Secrets
+  hosts: control_plane[0]
+  become: true
+
+  roles:
+    - doppler-bootstrap
+
 - name: Finalize
  hosts: localhost
  connection: local