This guide will show you how to securely manage secrets for Cloud 66 hosted applications, either by syncing secrets to Cloud 66's environment variables store or injecting environment variables directly into your application using the Doppler CLI.
As Cloud 66 can deploy containerized applications to a Kubernetes cluster, as well as Ruby on Rails and Node.js applications to a Virtual Machine provider, the documentation will be broken up to cover these two deployment targets separately.
- Have an existing application hosted with Cloud 66
- The Cloud 66 Toolbelt CLI installed and configured
- The Doppler CLI is installed
You will need to import your Cloud 66 environment variables to Doppler before continuing as Doppler will now act as the source of truth for app config and secrets for Cloud 66 application environments.
cx env-vars download \
--stack your-stack-name \
--file cloud66-vars.json \
doppler secrets upload cloud66-vars.json
To sync your secrets to Cloud 66 as part of a CI/CD job, the Doppler CLI requires a Service Token to provide read-only access to a specific config and is exposed to the CLI via the
DOPPLER_TOKEN environment variable.
Service Token usage will be covered in greater detail in the following sections.
It's recommended to first review our Docker documentation to get a sense of which option might suit you best in more detail.
When deploying containerized Cloud 66 applications to a Kubernetes cluster, you have two options for supplying secrets as environment variables to your applications:
The Doppler CLI is embedded into the Docker image and uses a Doppler Service Token environment variable named
DOPPLER_TOKEN which is set in Cloud 66 for the specified application.
Then when the container is run, the Doppler CLI fetches the latest version of your secrets and injects them into your application as environment variables.
This is the recommended and simplest approach and your
Dockerfile only needs a couple of small changes to install and configure the Doppler CLI to run your application:
# Install the Doppler CLI
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh
# Use the Doppler CLI inject secrets into your application process
CMD ["doppler", "run", "--", "npm", "start"]
Check out our Docker documentation to learn more, including a complete working example of a
Dockerfile you can use for local testing and educational purposes.
If you're unable to install the Doppler CLI in your Docker image, you'll need to sync secrets from Doppler to Cloud 66 programmatically, usually via CI/CD such as a GitHub Action.
The process for syncing secrets from Doppler to Cloud 66 is the same for both containerized and virtual machine hosted Rails and Node.js apps so we'll cover that in the next section.
If using a Virtual Machine provider such as AWS or DigitalOcean, or containerized application without the Doppler CLI installed, syncing secrets from Doppler to Cloud 66 programmatically, usually via CI/CD such as a GitHub Action is the best solution.
You'll need to expose the Doppler Service Token value as the
DOPPLER_TOKEN environment variable in your CI/CD environment (e.g. GitHub Secret) which the Doppler CLI will use to gain read-only access to the secrets for which the Service Token provided access.
Presuming that your CI/CD environment has the Toolbelt CLI installed and authenticated, your secrets can be synced from Doppler to Cloud 66 with a single command:
cx env-vars upload \
--stack your-stack-name \
--file-type json \
--file <(doppler secrets download --no-file --format json) \
--apply-strategy immediately # You may want to change this to deployment instead
Now you know how to use Doppler to supply secrets to your Cloud 66 applications.
Updated over 2 years ago