High Availability

Increase resiliency when using the Doppler CLI in Docker by embedding an encrypted secrets snapshot.

Prerequisites

  • You've run applications in Docker and have experience building Docker images.

Service Tokens

Accessing your secrets in production or CI/CD environments requires a Service Token to provide read-only access to a specific config. It's exposed to the CLI via the DOPPLER_TOKEN environment variable which should be provided by your CI/CD environment, e.g. GitHub Secret.

🚧

Decrypting the snapshot file is only possible if the DOPPLER_TOKEN value at runtime matches the value used at build time or if you use the --passphrase flag when generating it and pass in the correct passphrase when decrypting the snapshot.

Installation

In the rare event that Doppler is down, you can optionally add high availability to your Docker images by creating an encrypted snapshot of the secrets at build time. This also allows images to be built for specific environments that do not require network access to the Doppler API as the Doppler CLI will fall back to the saved encrypted snapshot.

🚧

Using high availability will embed a snapshot of your config's secrets in the image. This image is now dedicated to that config and should not be reused across environments.

Let's see a full example of a Dockerfile with high availability:

FROM alpine

# Install the Doppler CLI
# Does not rely on package managers
# GnuPG package required
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

# Pass `DOPPLER_TOKEN` at build time to create an encrypted snapshot for high-availability
ARG DOPPLER_TOKEN

# Create encrypted snapshot for high availability
RUN doppler secrets download doppler.encrypted.json

# Fetch secrets and print them using "printenv" command
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--"]
CMD ["your-command-here"]
FROM alpine

# Install the Doppler CLI
# Does not rely on package managers
# GnuPG package required
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh -s -- --verify-signature

# Pass `DOPPLER_TOKEN` at build time to create an encrypted snapshot for high-availability
ARG DOPPLER_TOKEN

# Create encrypted snapshot for high availability
RUN doppler secrets download doppler.encrypted.json

# Fetch secrets and print them using "printenv" command
CMD ["doppler", "run", "--fallback=doppler.encrypted.json", "--", "your-command-here"]

❗️

Use Persistent Storage

The fallback file should always be saved on persistent storage to avoid scenarios where a deployment or restart may occur resulting in the file being lost.

🚧

Hitting Rate Limits?

Fallback files also offer protection against exceeding Doppler API’s 240 requests/minute rate limit which can occur when using images on Serverless infrastructure such as AWS Lambda and CloudRun. We recommend setting the --fallback-only flag on the doppler run command in the ENTRYPOINT under those scenarios.

# Read secrets from the snapshot and print them using "printenv" command
# Fetch secrets and print them using "printenv" command
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--fallback-only", "--"]
CMD ["your-command-here"]
# Read secrets from the snapshot and print them using "printenv" command
CMD ["doppler", "run", "--fallback=doppler.encrypted.json", "--fallback-only", "--", "your-command-here"]

The DOPPLER_TOKEN is then passed in as a build-arg when building the image since it is used as the encryption key for the fallback file:

docker build --build-arg "DOPPLER_TOKEN=$DOPPLER_TOKEN" -t doppler-ha .

Now that you have an image built, the last step is to run it with the DOPPLER_TOKEN. The DOPPLER_TOKEN is needed as it is used to decrypt the fallback file.

docker run -e "DOPPLER_TOKEN=$DOPPLER_TOKEN" doppler-ha

πŸ‘

Amazing Work!

Your secrets in Doppler are now ready to be used in your Docker containers.


Did this page help you?