This guide will show you three production-ready ways of using Doppler for app config and secrets management in Kubernetes:
Prerequisites
- Have a Kubernetes instance up and running
- Experience with deploying applications on Kubernetes
Doppler Service Tokens
To access your secrets in live environments, Doppler requires a Service Token, which provides read-only access to a specific config and is exposed to the CLI via the DOPPLER_TOKEN environment variable. This would normally be set by the build or deployment environment, e.g. a GitHub Secret for GitHub Actions, but for this guide, we'll provide it manually:
export DOPPLER_TOKEN=dp.st.xxxx
Option 1: Doppler CLI in Docker
This preferred method uses the Doppler CLI installed in your Docker image to inject secrets as environment variables at container runtime. Learn more in our Docker guide.
For this guide we'll use a simple Dockerfile which uses the Doppler CLI:
FROM alpine
# Install the Doppler CLI
RUN (curl -Ls https://cli.doppler.com/install.sh || wget -qO- https://cli.doppler.com/install.sh) | sh
# Fetch secrets and print them using "printenv" command
ENTRYPOINT ["doppler", "run", "--"]
# Default command, used for testing purposes only
CMD ["printenv"]
Now build the Docker image for later use in our Pod:
docker image build -t doppler-k8s .
Create Kubernetes Secret
Create a Kubernetes secret with a single key, DOPPLER_TOKEN:
kubectl create secret generic doppler-token --from-literal=DOPPLER_TOKEN="${DOPPLER_TOKEN}"
Then describe the secret to ensure it was created successfully:
kubectl describe secret doppler-token
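The create command above passes the token as a kubectl argument, so it is visible in the host's process list while the command runs. As an added example (not part of the Doppler guide), the function below renders the same doppler-token Secret as a manifest on stdout so it can be piped to kubectl apply -f - instead; the function name and the dp.st. prefix check, based on the placeholder token shown earlier, are assumptions.

```shell
#!/bin/sh
# Added example, not from the Doppler docs. Function name is hypothetical.
# Usage: render_token_secret | kubectl apply -f -

# Prints a Secret manifest named doppler-token with one key, DOPPLER_TOKEN,
# taken from the environment. printf is a shell builtin and base64 reads
# stdin, so the token never appears in any process argument list.
render_token_secret() {
  if [ -z "${DOPPLER_TOKEN:-}" ]; then
    echo "DOPPLER_TOKEN is not set" >&2
    return 1
  fi
  # Assumption: Service Tokens start with dp.st. as in the placeholder shown
  # earlier; anything else is rejected so that only the read-only,
  # single-config token type ends up in the cluster.
  case $DOPPLER_TOKEN in
    dp.st.?*) ;;
    *) echo "DOPPLER_TOKEN does not look like a Service Token" >&2; return 1 ;;
  esac
  encoded=$(printf '%s' "$DOPPLER_TOKEN" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: doppler-token
type: Opaque
data:
  DOPPLER_TOKEN: $encoded
EOF
}
```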
Create Pod
Let's create a Pod that will use the doppler-k8s Docker image built previously. Save the below Pod spec as doppler-token-pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: doppler-token
spec:
  restartPolicy: Never
  containers:
    - name: doppler-token
      image: doppler-k8s
      imagePullPolicy: IfNotPresent
      env:
        - name: DOPPLER_TOKEN
          valueFrom:
            secretKeyRef:
              name: doppler-token
              key: DOPPLER_TOKEN
Create the Pod by running:
kubectl apply -f doppler-token-pod.yaml
To confirm Doppler fetched your secrets, view the container logs:
kubectl logs doppler-token
You should see a list of environment variables printed containing your secrets.
Cleaning up
To delete the Kubernetes Secret and Pod we created, run:
kubectl delete pod/doppler-token secret/doppler-token
Then delete the Docker image by running:
docker image rm doppler-k8s
Awesome Work!
Now you know how to fetch Doppler secrets in Kubernetes using the Doppler CLI. Keep reading to learn other ways of managing secrets in Kubernetes using Doppler.
Option 2: Container Env Vars
If you're unable to alter your Docker image to use the Doppler CLI, this guide will show you how to use Doppler to create a Kubernetes secret to supply environment variables in your container.
Create Kubernetes Secret
We will create a secret in Kubernetes using a secrets.env file as input.
kubectl create secret generic doppler-env-vars --from-env-file <(doppler secrets download --no-file --format docker)
Then describe the secret to ensure it was created successfully:
kubectl describe secret doppler-env-vars
The --format docker flag also flattens multi-line secrets due to limitations with kubectl. If you have multi-line secrets, we suggest using the container mounted file option.
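To find out whether a config has multi-line secrets before choosing this option, the added example below (not part of the Doppler guide) lists every key whose value contains a line break. It assumes the --format json download is a flat JSON object of string values; the function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Doppler docs. Assumes the JSON download is a
# flat object of string values, e.g. {"KEY":"value",...}.
# Usage: doppler secrets download --no-file --format json | multiline_keys

# Constructed sample: PEM_SAMPLE holds a real line break (JSON \n); WIN_PATH
# holds a literal backslash followed by "n" (JSON \\n), which is not one.
SAMPLE_JSON='{"API_KEY":"abc123","WIN_PATH":"C:\\new","PEM_SAMPLE":"first line\nsecond line"}'

# Prints the name of every key whose value contains a line break.
multiline_keys() {
  awk '
  { json = json $0 }
  END {
    n = length(json); in_str = 0; is_key = 1
    for (i = 1; i <= n; i++) {
      c = substr(json, i, 1)
      if (!in_str) {
        if (c == "\"") { in_str = 1; cur = ""; multi = 0 }
        else if (c == ":") is_key = 0      # next string is a value
        else if (c == ",") is_key = 1      # next string is a key
        continue
      }
      if (c == "\\") {                     # escape: inspect the next char
        e = substr(json, ++i, 1)
        if (e == "n" || e == "r") multi = 1
        if (e == "u") {                    # \uXXXX form of LF / CR
          h = tolower(substr(json, i + 1, 4)); i += 4
          if (h == "000a" || h == "000d") multi = 1
        }
        cur = cur c e
        continue
      }
      if (c == "\"") {                     # closing quote
        in_str = 0
        if (is_key) key = cur
        else if (multi) print key
        continue
      }
      cur = cur c
    }
  }'
}

printf '%s\n' "$SAMPLE_JSON" | multiline_keys   # demo on the constructed sample
```

Any key it prints would be flattened by --format docker, so a config that produces output here is a candidate for the mounted file option.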
Create Pod
Let's create a Pod that will use the doppler-env-vars secret to create an environment variable for every key defined in the secret's data. Save the below Pod spec as doppler-env-vars-pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: doppler-env-vars
spec:
  restartPolicy: Never
  containers:
    - name: doppler-env-vars
      image: alpine
      args: ["printenv"] # Used for testing purposes only
      # Populates every key in the secret as an env var
      envFrom:
        - secretRef:
            name: doppler-env-vars
Create the Pod by running:
kubectl apply -f doppler-env-vars-pod.yaml
To confirm the environment variables were set correctly, view the container logs:
kubectl logs doppler-env-vars
You should see a list of environment variables printed containing your secrets.
Cleaning up
To delete the Kubernetes Secret and Pod we created, run:
kubectl delete pod/doppler-env-vars secret/doppler-env-vars
Awesome Work!
Now you know how to use Doppler to create a Kubernetes secret to supply environment variables to your container. Keep reading to learn how to mount a Doppler created secrets file in Kubernetes.
Option 3: Mounted Container File
If you're unable to alter your Docker image to use the Doppler CLI and your application requires a secrets or config file, this guide will show you how to use Doppler to create a Kubernetes secret to mount as a file inside your container.
Create Kubernetes Secret
For this example, we're mounting a .env file inside the container, although this approach works equally well for any file type.
kubectl create secret generic doppler-dotenv --from-literal dotenv="$(doppler secrets download --no-file --format env)"
Then describe the secret to ensure it was created successfully:
kubectl describe secret doppler-dotenv
Create Pod
Let's create a Pod that will use the doppler-dotenv secret to mount the .env file inside your container. Save the below Pod spec as doppler-dotenv-pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: doppler-dotenv
spec:
  restartPolicy: Never
  containers:
    - name: doppler-dotenv
      image: alpine
      # Cat the file for testing purposes only
      args: ["cat", "/usr/src/app/secrets/.env"]
      volumeMounts:
        - name: secret-volume
          readOnly: true
          mountPath: /usr/src/app/secrets
  volumes:
    - name: secret-volume
      secret:
        secretName: doppler-dotenv
        items:
          - key: dotenv
            path: .env
Create the Pod by running:
kubectl apply -f doppler-dotenv-pod.yaml
To confirm the .env file was mounted successfully, view the container logs:
kubectl logs doppler-dotenv
You should see the contents of the .env file as output in the logs.
Cleaning up
To delete the Kubernetes Secret and Pod we created, run:
kubectl delete pod/doppler-dotenv secret/doppler-dotenv
Awesome Work!
Now you know how to use Doppler to create a Kubernetes secret to mount as a file inside your container.