Doppler CLI in Dockerfile
Inject secrets at runtime by embedding the Doppler CLI in your Dockerfile.
Prerequites
- Experience with deploying applications on Kubernetes
Service Token
Accessing your secrets in a production or CI/CD environment using the Doppler CLI requires a Service Token to provide read-only access to a specific config via the DOPPLER_TOKEN environment variable.
Installation
This method uses the Doppler CLI installed in your Docker image to inject secrets as environment variables into your application.
Dockerfile
The only required changes to an existing Dockerfile is installing the CLI, then updating CMD so the CLI will run your application process.
# Install Doppler CLI
RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg && \
curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' | apt-key add - && \
echo "deb https://packages.doppler.com/public/cli/deb/debian any-version main" | tee /etc/apt/sources.list.d/doppler-cli.list && \
apt-get update && \
apt-get -y install doppler
# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]
# Install Doppler CLI
RUN wget -q -t3 'https://packages.doppler.com/public/cli/rsa.8004D9FF50437357.key' -O /etc/apk/keys/[email protected] && \
echo 'https://packages.doppler.com/public/cli/alpine/any-version/main' | tee -a /etc/apk/repositories && \
apk add doppler
# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]
# Install Doppler CLI
RUN rpm --import 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' && \
curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/config.rpm.txt' | tee /etc/yum.repos.d/doppler-cli.repo && \
yum update -y && \
yum install -y doppler
# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]
# Does not rely on package managers
# Option 1: Standard
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh
# Option 2: Signature Verification (GnuPG package required)
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh -s -- --verify-signature
# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]
Check out our Docker guide to learn more about using the Doppler CLI inside a container.
Kubernetes Secret
Next, open the Doppler dashboard and create a Service Token, copying the value and using it as the value of a new Kubernetes secret. This will be supplied to the container as the DOPPLER_TOKEN environment variable.
kubectl create secret generic doppler-token --from-literal=DOPPLER_TOKEN="dp.st.prd.xxxx"
Deployment Spec
Now update your Deployment spec to use the DOPPLER_TOKEN environment variable doppler-token Kubernetes secret
apiVersion: apps/v1
kind: Deployment
...
spec:
containers:
- name: your-app
envFrom: # envFrom exposes `DOPPLER_TOKEN` value as an environment variable
- secretRef:
name: doppler-token
You can see a complete Dockerfile and Deployment spec from our Kubernetes examples repository.
Awesome Work!
Now you know how to fetch Doppler secrets in Kubernetes using the Doppler CLI. Keep reading to learn other ways of managing secrets in Kubernetes using Doppler.
Updated about 1 month ago