Kubernetes

reading time 10 mins

This guide will show you three production-ready ways of using Doppler for app config and secrets management in Kubernetes:

Prerequisites

  • Have a Kubernetes instance up and running
  • Experience with deploying applications on Kubernetes

Doppler Service Tokens

To access your secrets in live environments, Doppler requires a Service Token, which provides read-only access to a specific config and is exposed to the CLI via the DOPPLER_TOKEN environment variable. This would normally be set by the build or deployment environment, e.g. a GitHub Secret for GitHub Actions, but for this guide, we'll provide it manually:

export DOPPLER_TOKEN=dp.st.xxxx

Option 1: Doppler CLI in Docker

This preferred method uses the Doppler CLI installed in your Docker image to inject secrets as environment variables at container runtime. Learn more in our Docker guide.

For this guide we'll use a simple Dockerfile which uses the Doppler CLI:

FROM alpine

# Install the Doppler CLI
RUN (curl -Ls https://cli.doppler.com/install.sh || wget -qO- https://cli.doppler.com/install.sh) | sh

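# Fetch secrets and print them using the "printenv" command.
# printenv is used for testing purposes only. Dockerfile comments must sit on
# their own line: a trailing "#" after CMD would be read as part of the instruction.
ENTRYPOINT ["doppler", "run", "--"]
CMD ["printenv"]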

Now build the Docker image for later use in our Pod:

docker image build -t doppler-k8s .

Create Kubernetes Secret

Create a Kubernetes secret with a single key, DOPPLER_TOKEN:

kubectl create secret generic doppler-token --from-literal=DOPPLER_TOKEN="${DOPPLER_TOKEN}"

Then describe the secret to ensure it was created successfully:

kubectl describe secret doppler-token

Create Pod

Let's create a Pod that will use the doppler-k8s Docker image built previously. Save the below Pod spec as doppler-token-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: doppler-token
spec:
  restartPolicy: Never
  containers:
    - name: doppler-token
      image: doppler-k8s
      imagePullPolicy: IfNotPresent
      env:
        - name: DOPPLER_TOKEN
          valueFrom:
            secretKeyRef:
              name: doppler-token
              key: DOPPLER_TOKEN

Create the Pod by running:

kubectl apply -f doppler-token-pod.yaml

To confirm Doppler fetched your secrets, view the container logs:

kubectl logs doppler-token

You should see a list of environment variables printed containing your secrets.

Cleaning up

To delete the Kubernetes Secret and Pod we created, run:

kubectl delete pod/doppler-token secret/doppler-token

Then delete the Docker image by running:

docker image rm doppler-k8s

👍

Awesome Work!

Now you know how to fetch Doppler secrets in Kubernetes using the Doppler CLI. Keep reading to learn other ways of managing secrets in Kubernetes using Doppler.

Option 2: Container Env Vars

If you're unable to alter your Docker image to use the Doppler CLI, this guide will show you how to use Doppler to create a Kubernetes secret to supply environment variables in your container.

Create Kubernetes Secret

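We will create a secret in Kubernetes using Doppler's secrets, downloaded in env-file format, as input. The command uses process substitution (bash or zsh), so no secrets.env file is written to disk.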

kubectl create secret generic doppler-env-vars --from-env-file <(doppler secrets download --no-file --format docker)

Then describe the secret to ensure it was created successfully:

kubectl describe secret doppler-env-vars

📘

The --format docker flag also flattens multi-line secrets due to limitations with kubectl. If you have multi-line secrets, we suggest using the container mounted file option.
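kubectl describe shows only key names and byte sizes, so it cannot tell you whether a multi-line value was flattened. As an added example (not part of Doppler's documentation), this Python function compares the output of kubectl get secret doppler-env-vars -o json with doppler secrets download --no-file --format json and reports, by key name only, which secrets are missing, changed, flattened or unexpected. The sample inputs are constructed, and the flattened form shown in them is an assumption.

```python
import base64
import json

def audit_env_secret(k8s_secret_json: str, doppler_json: str) -> dict:
    """Compare a Kubernetes Secret with a Doppler JSON export, key by key.

    Only key names are returned, never values, so the report is safe to log.
    """
    stored = {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in json.loads(k8s_secret_json).get("data", {}).items()
    }
    expected = json.loads(doppler_json)
    report = {"missing": [], "changed": [], "flattened": []}
    for key, value in expected.items():
        if key not in stored:
            report["missing"].append(key)
        elif stored[key] != value:
            # A differing multi-line source value was flattened on the way in;
            # any other difference means the Secret is stale or was edited.
            report["flattened" if "\n" in value else "changed"].append(key)
    report["unexpected"] = list(set(stored) - set(expected))
    return {name: sorted(keys) for name, keys in report.items()}

def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Constructed sample inputs (not real secrets). The "\\n" form of the flattened
# value is an assumption; the check only needs it to differ from the source.
SAMPLE_DOPPLER = json.dumps({
    "API_KEY": "constructed-api-key",
    "DB_URL": "postgres://db.example.internal/app",
    "SIGNING_KEY": "-----BEGIN KEY-----\nconstructed\n-----END KEY-----",
})
SAMPLE_SECRET = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "doppler-env-vars"},
    "data": {
        "API_KEY": b64("constructed-api-key"),
        "DB_URL": b64("postgres://db.example.internal/old"),
        "SIGNING_KEY": b64("-----BEGIN KEY-----\\nconstructed\\n-----END KEY-----"),
        "LEGACY_FLAG": b64("1"),
    },
})

if __name__ == "__main__":
    print(json.dumps(audit_env_secret(SAMPLE_SECRET, SAMPLE_DOPPLER), indent=2))
```

Any key reported under flattened is a candidate for the container mounted file option.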

Create Pod

Let's create a Pod that will use the doppler-env-vars secret to create an environment variable for every key defined in the secret's data. Save the below Pod spec as doppler-env-vars-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: doppler-env-vars
spec:
  restartPolicy: Never
  containers:
    - name: doppler-env-vars
      image: alpine
      args: ["printenv"] # Used for testing purposes only
      # Populates every key in the secret as an env var
      envFrom:
        - secretRef:
            name: doppler-env-vars

Create the Pod by running:

kubectl apply -f doppler-env-vars-pod.yaml

To confirm the environment variables were set correctly, view the container logs:

kubectl logs doppler-env-vars

You should see a list of environment variables printed containing your secrets.

Cleaning up

To delete the Kubernetes Secret and Pod we created, run:

kubectl delete pod/doppler-env-vars secret/doppler-env-vars

👍

Awesome Work!

Now you know how to use Doppler to create a Kubernetes secret to supply environment variables to your container. Keep reading to learn how to mount a Doppler-created secrets file in Kubernetes.

Option 3: Mounted Container File

If you're unable to alter your Docker image to use the Doppler CLI and your application requires a secrets or config file, this guide will show you how to use Doppler to create a Kubernetes secret to mount as a file inside your container.

Create Kubernetes Secret

For this example, we're mounting a .env file inside the container, although this approach works equally well for any file type.

kubectl create secret generic doppler-dotenv --from-literal dotenv="$(doppler secrets download --no-file --format env)"

Then describe the secret to ensure it was created successfully:

kubectl describe secret doppler-dotenv

Create Pod

Let's create a Pod that will use the doppler-dotenv secret to mount the .env file inside your container. Save the below Pod spec as doppler-dotenv-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: doppler-dotenv
spec:
  restartPolicy: Never
  containers:
    - name: doppler-dotenv
      image: alpine
      # Cat the file for testing purposes only
      args: ["cat", "/usr/src/app/secrets/.env"]
      volumeMounts:
        - name: secret-volume
          readOnly: true
          mountPath: /usr/src/app/secrets
  volumes:
    - name: secret-volume
      secret:
        secretName: doppler-dotenv
        items:
          - key: dotenv
            path: .env

Create the Pod by running:

kubectl apply -f doppler-dotenv-pod.yaml

To confirm the .env file was mounted successfully, view the container logs:

kubectl logs doppler-dotenv

You should see the contents of the .env file as output in the logs.

Cleaning up

To delete the Kubernetes Secret and Pod we created, run:

kubectl delete pod/doppler-dotenv secret/doppler-dotenv

👍

Awesome Work!

Now you know how to use Doppler to create a Kubernetes secret to mount as a file inside your container.

Updated 2 months ago

