Doppler CLI in Container

Inject secrets at runtime for Kubernetes applications using the Doppler CLI

Prerequites

  • Experience with deploying applications on Kubernetes

Service Token

Accessing your secrets in a production or CI/CD environment using the Doppler CLI requires a Service Token to provide read-only access to a specific config via the DOPPLER_TOKEN environment variable.

Installation

This method uses the Doppler CLI installed in your Docker image to inject secrets as environment variables into your application.

Dockerfile

The only required changes to an existing Dockerfile is installing the CLI, then updating CMD so the CLI will run your application process.

# Install Doppler CLI
RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' | apt-key add - && \
    echo "deb https://packages.doppler.com/public/cli/deb/debian any-version main" | tee /etc/apt/sources.list.d/doppler-cli.list && \
    apt-get update && \
    apt-get -y install doppler

# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]
# Install Doppler CLI
RUN wget -q -t3 'https://packages.doppler.com/public/cli/rsa.8004D9FF50437357.key' -O /etc/apk/keys/[email protected] && \
    echo 'https://packages.doppler.com/public/cli/alpine/any-version/main' | tee -a /etc/apk/repositories && \
    apk add doppler

# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]
# Install Doppler CLI
RUN rpm --import 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/config.rpm.txt' | tee /etc/yum.repos.d/doppler-cli.repo && \
    yum update -y && \
    yum install -y doppler

# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]
# Does not rely on package managers

# Option 1: Standard
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

# Option 2: Signature Verification (GnuPG package required)
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh -s -- --verify-signature

# Use the Doppler CLI to run your application
CMD ["doppler", "run", "--", "your-app-command"]

Check out our Docker guide to learn more about using the Doppler CLI inside a container.

Kubernetes Secret

Next, open the Doppler dashboard and create a Service Token, copying the value and using it as the value of a new Kubernetes secret. This will be supplied to the container as the DOPPLER_TOKEN environment variable.

kubectl create secret generic doppler-token --from-literal=DOPPLER_TOKEN="dp.st.prd.xxxx"

Deployment Spec

Now update your Deployment spec to use the DOPPLER_TOKEN environment variable doppler-token Kubernetes secret

apiVersion: apps/v1
kind: Deployment
...
    spec:
      containers:
        - name: your-app 
          envFrom: # envFrom exposes `DOPPLER_TOKEN` value as an environment variable
            - secretRef:
                name: doppler-token

You can see a complete Dockerfile and Deployment spec from our Kubernetes examples repository.

πŸ‘

Awesome Work!

Now you know how to fetch Doppler secrets in Kubernetes using the Doppler CLI. Keep reading to learn other ways of managing secrets in Kubernetes using Doppler.


Did this page help you?