High Availability

Prerequisites

  • You've run applications in Docker and have experience building Docker images.

Service Tokens

Accessing your secrets in production or CI/CD environments requires a Service Token, which provides read-only access to a specific config. The token is exposed to the CLI via the DOPPLER_TOKEN environment variable, which should be provided by your CI/CD environment, e.g. as a GitHub Secret.

Installation

In the rare event that Doppler is down, you can optionally add high availability to your Docker images by creating an encrypted snapshot of the secrets at build time. This also allows images to be built for specific environments that do not require network access to the Doppler API, as the Doppler CLI will fall back to the saved encrypted snapshot.

Please note that if you intend to use Doppler without network access during runtime, the DOPPLER_TOKEN will still need to be provided as it is used as the decryption key for the encrypted snapshot.

🚧

Using high availability will embed a snapshot of your config's secrets in the image. This image is now dedicated to that config and should not be reused across environments.

Let's see a full example of a Dockerfile with high availability:

FROM alpine

# Install the Doppler CLI
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

# Pass `DOPPLER_TOKEN` at build time to create an encrypted snapshot for high-availability
ARG DOPPLER_TOKEN

# Create encrypted snapshot for high availability
RUN doppler secrets download doppler.encrypted.json

# Fetch secrets and run your command, falling back to the snapshot if the Doppler API is unreachable
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--"]
CMD ["your-command-here"]

The same Dockerfile using CMD only:

FROM alpine

# Install the Doppler CLI
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

# Pass `DOPPLER_TOKEN` at build time to create an encrypted snapshot for high-availability
ARG DOPPLER_TOKEN

# Create encrypted snapshot for high availability
RUN doppler secrets download doppler.encrypted.json

# Fetch secrets and run your command, falling back to the snapshot if the Doppler API is unreachable
CMD ["doppler", "run", "--fallback=doppler.encrypted.json", "--", "your-command-here"]

Please do not store the fallback file in the /tmp directory as it often gets cleaned up at runtime by the infrastructure provider.

🚧

High RPS?

If you are deploying this image to serverless infrastructure like Lambda or CloudRun that results in high RPS (+120 req/min) to Doppler's API, we recommend setting the --fallback-only flag on the doppler run command in the ENTRYPOINT.

# Read secrets from the snapshot only, without calling the Doppler API
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--fallback-only", "--"]
CMD ["your-command-here"]

Or, using CMD only:

# Read secrets from the snapshot only, without calling the Doppler API
CMD ["doppler", "run", "--fallback=doppler.encrypted.json", "--fallback-only", "--", "your-command-here"]

The DOPPLER_TOKEN is then passed in as a build-arg when building the image since it is used as the encryption key for the fallback file:

docker build --build-arg "DOPPLER_TOKEN=$DOPPLER_TOKEN" -t doppler-ha .

Now that you have an image built, the last step is to run it with the DOPPLER_TOKEN. The DOPPLER_TOKEN is needed as it is used to decrypt the fallback file.

docker run -e "DOPPLER_TOKEN=$DOPPLER_TOKEN" doppler-ha
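
Build arguments are recorded in the image metadata and can be read back with docker history, so an image built with --build-arg carries the Service Token next to the snapshot it decrypts. The variant below is an added example, not part of Doppler's documentation: it assumes BuildKit and a secret id named doppler_token (a name chosen here), and passes the token through a build secret mount instead of ARG.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: assumes BuildKit; the secret id "doppler_token" is a name chosen here.
FROM alpine

# Install the Doppler CLI (same command as in the Dockerfile above)
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

# Mount the token for this step only. It is readable at /run/secrets/doppler_token
# while the command runs and is not written to an image layer or to the build history.
# The CLI still receives it through the DOPPLER_TOKEN environment variable.
RUN --mount=type=secret,id=doppler_token \
    DOPPLER_TOKEN="$(cat /run/secrets/doppler_token)" \
    doppler secrets download doppler.encrypted.json

# Fetch secrets and run your command, falling back to the snapshot if the API is unreachable
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--"]
CMD ["your-command-here"]

# Build, reading the secret from the caller's environment instead of a build-arg:
#   docker build --secret id=doppler_token,env=DOPPLER_TOKEN -t doppler-ha .
# Run exactly as with the ARG-based image:
#   docker run -e "DOPPLER_TOKEN=$DOPPLER_TOKEN" doppler-ha
```

To check either image, run docker history --no-trunc doppler-ha and confirm that no DOPPLER_TOKEN value appears in the output.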

👍

Amazing Work!

Your secrets in Doppler are now ready to be used in your Docker containers.

