Docker Compose

This guide will show you two methods of using Doppler to supply app config and secrets for Docker Compose in production and local development environments.

Option | Use case
Dockerfile | Installs the Doppler CLI in the Dockerfile.
Container Env Vars | Secrets injected into containers as environment variables.

Prerequisites

  • You've run applications in Docker Compose and have experience building Docker images.

Service Tokens

Accessing your secrets in production or CI/CD environments requires a Service Token, which provides read-only access to a specific config. The token is exposed to the CLI via the DOPPLER_TOKEN environment variable, which should be provided by your CI/CD environment, e.g. a GitHub Secret.

Option 1: Dockerfile

This option embeds the Doppler CLI in a Dockerfile and requires the DOPPLER_TOKEN environment variable. Save one of the following variants as Dockerfile:

Ubuntu:

FROM ubuntu

# Install Doppler CLI
RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' | apt-key add - && \
    echo "deb https://packages.doppler.com/public/cli/deb/debian any-version main" | tee /etc/apt/sources.list.d/doppler-cli.list && \
    apt-get update && \
    apt-get -y install doppler
    
# Fetch and view secrets using "printenv". Testing purposes only!
# Replace "printenv" with the command used to start your app, e.g. "npm", "start"
CMD ["doppler", "run", "--", "printenv"]

Alpine:

FROM alpine

# Install Doppler CLI
RUN wget -q -t3 'https://packages.doppler.com/public/cli/rsa.8004D9FF50437357.key' -O /etc/apk/keys/[email protected] && \
    echo 'https://packages.doppler.com/public/cli/alpine/any-version/main' | tee -a /etc/apk/repositories && \
    apk add doppler

# Fetch and view secrets using "printenv". Testing purposes only!
# Replace "printenv" with the command used to start your app, e.g. "npm", "start"
CMD ["doppler", "run", "--", "printenv"]

CentOS:

FROM centos

# Install Doppler CLI
RUN rpm --import 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/config.rpm.txt' | tee /etc/yum.repos.d/doppler-cli.repo && \
    yum update -y && \
    yum install -y doppler

# Fetch and view secrets using "printenv". Testing purposes only!
# Replace "printenv" with the command used to start your app, e.g. "npm", "start"
CMD ["doppler", "run", "--", "printenv"]

Install script (keep only one of the two RUN options):

FROM alpine

# Option 1: Standard
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

# Option 2: Signature Verification (GnuPG package required)
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh -s -- --verify-signature

# Fetch and view secrets using "printenv". Testing purposes only!
# Replace "printenv" with the command used to start your app, e.g. "npm", "start"
CMD ["doppler", "run", "--", "printenv"]

Then save the below file as docker-compose.yml:

services:
  web:
    build: .
    image: doppler-test-alpine
    container_name: doppler-test
    init: true
    environment:
      - DOPPLER_TOKEN

Production deployments

A Doppler Service Token exposed as the DOPPLER_TOKEN environment variable provides read-only access to a specific config in production environments:

# Expects the `DOPPLER_TOKEN` environment variable
docker-compose up

Local development

For local development, an ephemeral DOPPLER_TOKEN is used:

DOPPLER_TOKEN="$(doppler configs tokens create dev --plain --max-age 1m)" \
docker-compose -f docker-compose.yml up

Option 2: Container Env Vars

Alternatively, you can use the Doppler CLI to supply environment variables to Docker Compose, with each container explicitly listing the environment variables it should receive.

Here is a docker-compose.yml that will pass on the three standard Doppler environment variables as well as two custom variables:

Only environment variables explicitly listed in the environment: map will be passed through to the container.

Make sure you update this list any time you add a new secret to your Doppler project.

services:
  web:
    build: .
    image: alpine
    container_name: doppler-test
    init: true
    environment:
      - DOPPLER_PROJECT
      - DOPPLER_ENVIRONMENT
      - DOPPLER_CONFIG
      - API_KEY
      - OTHER_SECRET

Then use the Doppler CLI to inject the environment variables:

doppler run -- docker-compose up

The benefit of this approach is that Docker Compose runs the same way in development as it does in production.
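
Because only names listed under environment: reach the container, a secret added in Doppler is silently absent until the list is updated, and the compose file only stays free of secrets while every entry is a bare name. The shell check below is an added example, not part of Doppler's documentation or CLI; the function names and the sample compose file are constructed for illustration, and it understands only the list form of environment: used on this page.

```sh
#!/bin/sh
# Added example: lint the list-form `environment:` entries of a compose file.

# Print each `environment:` list entry, one per line (quotes/comments stripped).
env_entries() {
  awk '
    /^[ \t]*environment:[ \t]*$/ { in_env = 1; next }
    /^[ \t]*#/ { next }
    in_env && /^[ \t]*- / {
      sub(/^[ \t]*- */, ""); sub(/[ \t]+(#.*)?$/, ""); gsub(/"/, ""); print; next
    }
    NF { in_env = 0 }
  ' "$1"
}

# Names passed through from the caller's environment (bare name, no value).
passthrough_names() { env_entries "$1" | grep -v '=' | sort -u; }

# Names given an inline value in the file; the value itself is never printed.
inline_values() { env_entries "$1" | grep '=' | cut -d= -f1 | sort -u; }

# Read secret names on stdin; print those the compose file does not pass through.
missing_from_compose() {
  listed=$(passthrough_names "$1")
  while IFS= read -r name; do
    printf '%s\n' "$listed" | grep -Fxq -- "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample: NEW_SECRET exists in Doppler but is not listed here, and
# DOPPLER_TOKEN carries a placeholder value inline instead of being passed through.
sample_compose() {
  cat <<'EOF'
services:
  web:
    build: .
    environment:
      - API_KEY
      - OTHER_SECRET
      - DOPPLER_TOKEN=PLACEHOLDER_NOT_A_REAL_TOKEN
EOF
}

f=$(mktemp) && sample_compose > "$f"
echo "not passed through: $(printf 'API_KEY\nOTHER_SECRET\nNEW_SECRET\n' | missing_from_compose "$f")"
echo "inline values:      $(inline_values "$f")"
rm -f "$f"
```

Feed missing_from_compose the secret names of the config, one per line, and fail the pipeline if either function prints anything.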

Amazing Work!

Now you know two methods for Doppler to supply app config and secrets for Docker Compose in production and local development environments.
