
Deployed 71251633d to main with MkDocs 1.6.1 and mike 1.2.0.dev0

Skarlso 6 months ago
parent
commit
b648c7f6c1

+ 74 - 1
main/api/spec/index.html

@@ -8245,7 +8245,8 @@ External Secrets meta/v1.SecretKeySelector
 <a href="#external-secrets.io/v1.DopplerProvider">DopplerProvider</a>)
 </p>
 <p>
-<p>DopplerAuth defines the authentication method for the Doppler provider.</p>
+<p>DopplerAuth configures authentication with the Doppler API.
+Exactly one of secretRef or oidcConfig must be specified.</p>
 </p>
 <table>
 <thead>
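Review bot: the new description asserts "Exactly one of secretRef or oidcConfig must be specified", but the rendered reference in this same commit only marks both fields as (Optional); make sure the one-of constraint is actually enforced by the CRD (a validation rule or the webhook) rather than only by this sentence, so a store with neither or both set is rejected at admission instead of failing at sync time.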
@@ -8265,6 +8266,22 @@ DopplerAuthSecretRef
 </em>
 </td>
 <td>
+<em>(Optional)</em>
+<p>SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>oidcConfig</code></br>
+<em>
+<a href="#external-secrets.io/v1.DopplerOIDCAuth">
+DopplerOIDCAuth
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.</p>
 </td>
 </tr>
 </tbody>
@@ -8303,6 +8320,62 @@ The Key attribute defaults to dopplerToken if not specified.</p>
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1.DopplerOIDCAuth">DopplerOIDCAuth
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1.DopplerAuth">DopplerAuth</a>)
+</p>
+<p>
+<p>DopplerOIDCAuth configures OIDC authentication with Doppler using Kubernetes ServiceAccount tokens.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>identity</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Identity is the Doppler Service Account Identity ID configured for OIDC authentication.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>serviceAccountRef</code></br>
+<em>
+<a href="https://pkg.go.dev/github.com/external-secrets/external-secrets/apis/meta/v1#ServiceAccountSelector">
+External Secrets meta/v1.ServiceAccountSelector
+</a>
+</em>
+</td>
+<td>
+<p>ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>expirationSeconds</code></br>
+<em>
+int64
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ExpirationSeconds sets the ServiceAccount token validity duration.
+Defaults to 10 minutes.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="external-secrets.io/v1.DopplerProvider">DopplerProvider
 </h3>
 <p>
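Review bot: the `expirationSeconds` description ("Defaults to 10 minutes") should also state the accepted bounds: the Kubernetes TokenRequest API rejects durations shorter than 10 minutes, so the default is also the minimum, and longer lifetimes widen the window in which a leaked projected token can be replayed against Doppler. Suggest "Defaults to 10 minutes (600), which is also the minimum the API server accepts." The `identity` row would also benefit from saying that the value is the Service Account Identity's ID, not its display name.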

+ 93 - 3
main/provider/doppler/index.html

@@ -3624,6 +3624,34 @@
     </span>
   </a>
   
+    <nav class="md-nav" aria-label="Authentication">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#service-token-authentication" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Service Token Authentication
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#oidc-authentication" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        OIDC Authentication
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
         <li class="md-nav__item">
@@ -4889,6 +4917,34 @@
     </span>
   </a>
   
+    <nav class="md-nav" aria-label="Authentication">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#service-token-authentication" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Service Token Authentication
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#oidc-authentication" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        OIDC Authentication
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
         <li class="md-nav__item">
@@ -5000,6 +5056,11 @@
 <h2 id="doppler-secretops-platform">Doppler SecretOps Platform</h2>
 <p>Sync secrets from the <a href="https://www.doppler.com/">Doppler SecretOps Platform</a> to Kubernetes using the External Secrets Operator.</p>
 <h2 id="authentication">Authentication</h2>
+<p>Doppler supports two authentication methods:</p>
+<blockquote>
+<p><strong>NOTE:</strong> When using a <code>ClusterSecretStore</code>, be sure to set <code>namespace</code> in <code>secretRef.dopplerToken</code> (for token auth) or <code>serviceAccountRef</code> (for OIDC auth).</p>
+</blockquote>
+<h3 id="service-token-authentication">Service Token Authentication</h3>
 <p>Doppler <a href="https://docs.doppler.com/docs/service-tokens">Service Tokens</a> are recommended as they restrict access to a single config.</p>
 <p><img alt="Doppler Service Token" src="../../pictures/doppler-service-tokens.png" /></p>
 <blockquote>
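Review bot: "Doppler supports two authentication methods:" ends in a colon but is followed directly by the NOTE blockquote rather than the list it announces; the two methods only appear as the later h3 headings. Either name them inline ("two authentication methods: service tokens and OIDC.") or move the NOTE below the headings. Consolidating the ClusterSecretStore namespace note here so it covers both `secretRef.dopplerToken` and `serviceAccountRef` is the right call.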
@@ -5026,9 +5087,38 @@
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">doppler-token-auth-api</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dopplerToken</span>
 </code></pre></div>
-<blockquote>
-<p><strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, be sure to set <code>namespace</code> in <code>secretRef.dopplerToken</code>.</p>
-</blockquote>
+<h3 id="oidc-authentication">OIDC Authentication</h3>
+<p>For OIDC authentication, you'll need to configure a Doppler <a href="https://docs.doppler.com/docs/service-account-identities">Service Account Identity</a> and create a Kubernetes ServiceAccount.</p>
+<p>First, create a Kubernetes ServiceAccount:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">doppler-oidc-sa</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+</code></pre></div>
+<p>Next, create a Doppler Service Account Identity with:
+- <strong>Issuer</strong>: Your cluster's OIDC discovery URL
+- <strong>Audience</strong>: The resource-specific audience for the SecretStore (<code>secretStore:&lt;namespace&gt;:&lt;storeName&gt;</code> or <code>clusterSecretStore:&lt;storeName&gt;</code>), e.g. <code>secretStore:external-secrets:doppler-oidc-sa</code> or <code>clusterSecretStore:doppler-auth-api</code>
+- <strong>Subject</strong>: The Kubernetes ServiceAccount (<code>system:serviceaccount:&lt;serviceAccountNamespace&gt;:&lt;serviceAccountName&gt;</code>), e.g. <code>system:serviceaccount:external-secrets:doppler-oidc-sa</code></p>
+<p>Then configure the SecretStore:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">doppler-auth-api</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">doppler</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">oidcConfig</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">identity</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;00000000-0000-0000-0000-000000000000&quot;</span>
+<span class="w">          </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">doppler-oidc-sa</span>
+<span class="w">            </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+<span class="w">            </span><span class="c1"># expirationSeconds defaults to 600 if not supplied</span>
+<span class="w">            </span><span class="c1"># expirationSeconds: 600</span>
+<span class="w">      </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-project</span>
+<span class="w">      </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-config</span>
+</code></pre></div>
 <h2 id="use-cases">Use Cases</h2>
 <p>The Doppler provider allows for a wide range of use cases:</p>
 <ol>
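Review bot: the Audience example `secretStore:external-secrets:doppler-oidc-sa` puts the ServiceAccount name where the store name belongs; the SecretStore defined just below is named `doppler-auth-api`, so the matching audience is `secretStore:external-secrets:doppler-auth-api` (the `clusterSecretStore:doppler-auth-api` example is already consistent). The audience is what stops a token minted for one store from being accepted under another identity, so a copied-in wrong value fails closed, but the example should still agree with the manifest. Also, the commented `expirationSeconds` lines are indented under `serviceAccountRef` (12 spaces) while the DopplerOIDCAuth reference in this commit lists `expirationSeconds` as a sibling of `identity` and `serviceAccountRef`; uncommenting them as rendered would misplace the field.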

Diff file suppressed because it is too large
+ 0 - 0
main/search/search_index.json


+ 17 - 0
main/snippets/doppler-oidc-secret-store.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+  name: doppler-auth-api
+spec:
+  provider:
+    doppler:
+      auth:
+        oidcConfig:
+          identity: "00000000-0000-0000-0000-000000000000"
+          serviceAccountRef:
+            name: doppler-oidc-sa
+            namespace: external-secrets
+            # expirationSeconds defaults to 600 if not supplied
+            # expirationSeconds: 600
+      project: my-project
+      config: my-config
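Review bot: the `# expirationSeconds: 600` comment and its explanation are indented under `serviceAccountRef:` (12 spaces), but per the DopplerOIDCAuth reference added in this commit `expirationSeconds` is a sibling of `identity` and `serviceAccountRef` (10 spaces); a reader who uncomments it as written would place it inside the ServiceAccountSelector, where it is not a known field. Move the two comment lines to the `identity` indent level. Since this snippet is the source the rendered provider page is generated from, fixing it here fixes both copies.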

Some files were not shown because too many files have changed in this diff