# Secret Injection with Templates

Some applications require configuration files to run. For example, a database might require a configuration that looks like this:

```yaml
bind: 127.0.0.1
port: 6379
logfile: log.txt
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp
```

This file contains several secrets that need to be in a particular format. We can create a generic template and use `doppler secrets substitute` to inject our values.

```yaml
bind: {{.HOST}}
port: {{.PORT}}
logfile: {{.LOGFILE}}
access:
  user: {{.ACCESS_USER}}
  password: {{.ACCESS_PASSWORD}}
```

Now, we can run `doppler secrets substitute` with our template:

```text
$ doppler secrets substitute <template-file>
bind: 127.0.0.1
port: 6379
logfile: log.txt
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp
```

The Doppler CLI uses [Go's text/template package](https://golang.org/pkg/text/template/) to perform the substitution. This engine provides some powerful features, including comments and optional blocks:

```text
{{/* Comments won't be shown in the output. */}}
bind: {{.HOST}}
port: {{.PORT}}
{{/* The `logfile` field will only be shown if the LOGFILE secret is defined */}}
{{with .LOGFILE}}
logfile: {{.}}
{{end}}
access:
  user: {{.ACCESS_USER}}
  password: {{.ACCESS_PASSWORD}}
```

You can find more documentation for this syntax in the [text/template's actions section](https://golang.org/pkg/text/template/#hdr-Actions).

In addition to the standard actions, two additional Doppler-defined functions are available to you:

* `tojson`, which serializes the secret string value as JSON. This is particularly useful for turning multiline strings into single-line quoted strings.
* `fromjson`, which parses the secret string as JSON.

```text
$ doppler secrets
┌─────────────────────┬──────────────────────────────────────────────────────────────────┐
│ NAME                │ VALUE                                                            │
├─────────────────────┼──────────────────────────────────────────────────────────────────┤
│ ACCESS              │ {"user": "admin", "password": "uRJ5WhRmSZF4dgkk82Kp"}            │
│ PRIVATE_KEY         │ -----BEGIN RSA PRIVATE KEY-----                                  │
│                     │ MIIJJwIBAAKCAgEAww6PISGwwCRj125/5CNQ5kntc/NdjA7EKmNPY1wol/8ZSgrl │
│                     │ H2Egpj7GghDCsJfoJ7gQu3OtYQJ2j1/txGP44tzZh/lraMQblFqc9r9N8xXU3Y6z │
│                     │ ...                                                              │
│                     │ -----END RSA PRIVATE KEY-----                                    │
│                     │                                                                  │
└─────────────────────┴──────────────────────────────────────────────────────────────────┘

$ cat example.txt
private_key: {{tojson .PRIVATE_KEY}}
{{with fromjson .ACCESS}}
access:
  user: {{.user}}
  password: {{.password}}
{{end}}

$ doppler secrets substitute example.txt
private_key: "-----BEGIN RSA PRIVATE KEY-----\r\nMIIJJwIBAAKCAgEAww6PISGwwCRj125/5CNQ5knt..."
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp
```
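The following is an added example, not Doppler's code: a small Go program that runs `text/template` over a constructed template to show what raw substitution does with a multi-line value and how a `tojson`-style helper keeps it on one quoted line. The `tojson` and `fromjson` functions here are stand-ins whose behaviour is assumed from the descriptions above, and `Render`, `Template`, `Sample` and the secret values are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Stand-ins for the tojson/fromjson helpers (assumed behaviour, not Doppler's code).
var funcs = template.FuncMap{
	"tojson": func(v interface{}) (string, error) {
		b, err := json.Marshal(v)
		return string(b), err
	},
	"fromjson": func(s string) (interface{}, error) {
		var v interface{}
		err := json.Unmarshal([]byte(s), &v)
		return v, err
	},
}

// Constructed template: the same secret emitted raw and through tojson,
// followed by an optional block and a field read from a JSON-valued secret.
const Template = `raw_key: {{.PRIVATE_KEY}}
quoted_key: {{tojson .PRIVATE_KEY}}
{{with .LOGFILE}}logfile: {{.}}
{{end}}{{with fromjson .ACCESS}}user: {{.user}}
{{end}}`

// Constructed secrets; LOGFILE is deliberately left undefined.
var Sample = map[string]string{
	"PRIVATE_KEY": "-----BEGIN KEY-----\nY29uc3RydWN0ZWQ=\n-----END KEY-----",
	"ACCESS":      `{"user": "admin", "password": "example-only"}`,
}

// Render executes tmpl over secrets. text/template does no escaping,
// so a value is written into the output exactly as stored.
func Render(tmpl string, secrets map[string]string) (string, error) {
	t, err := template.New("cfg").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, secrets)
	return out.String(), err
}

func main() {
	out, err := Render(Template, Sample)
	fmt.Printf("%s(error: %v)\n", out, err)
}
```

The `raw_key` field spills over three lines and no longer parses as a single YAML scalar, while `quoted_key` stays a single quoted string; quote any secret that may contain newlines or other characters that are significant in the target format.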

You can save the result to a file with `doppler secrets substitute example.txt --output <file>`, or use the output of the command directly.

For example, you could inject secrets into Kubernetes YAML and pass it directly to `kubectl`:

```text
kubectl apply -f <(doppler secrets substitute example.yaml)
```