Using Kubernetes Secrets

Learn how to use Kubernetes secrets in your deployments

Deployments

A Deployment can consume the Kubernetes secret managed by the operator in one of three ways: as a set of environment variables (envFrom), as individual environment variables (valueFrom), or as files in a mounted volume. These methods are covered in greater detail in the Kubernetes Secrets documentation. Note that environment variables are fixed when the container starts, whereas files in a secret volume are refreshed in place by the kubelet; in both cases the reload annotation described below restarts the Deployment when the secret changes, so that the application picks up the new values.

Injecting using envFrom

The envFrom field populates the container's environment with every key-value pair in the secret:

envFrom:
  - secretRef:
      name: doppler-test-secret # Kubernetes secret name

Because every key in the secret becomes an environment variable, use envFrom only when the container should receive the whole secret; to expose individual keys, use valueFrom instead. A complete Deployment using envFrom:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: doppler-test-deployment-envfrom
  annotations:
    secrets.doppler.com/reload: 'true'
spec:
  replicas: 2
  selector:
    matchLabels:
      app: doppler-test
  template:
    metadata:
      labels:
        app: doppler-test
    spec:
      containers:
        - name: doppler-test
          image: alpine
          command:
            - /bin/sh
            - -c
            # Print all non-Kubernetes environment variables
            - apk add --no-cache tini > /dev/null 2>&1 &&
              echo "### This is a simple deployment running with this env:" &&
              printenv | grep -v KUBERNETES_ &&
              tini -s tail -f /dev/null
          imagePullPolicy: Always
          envFrom:
            - secretRef:
                name: doppler-test-secret # Kubernetes secret name
          resources:
            requests:
              memory: '250Mi'
              cpu: '250m'
            limits:
              memory: '500Mi'
              cpu: '500m'

The printenv call writes the secret values to stdout, and therefore into the pod logs, which anyone with log access can read; it is there only to show that the values arrived and should not be carried into a real workload. Apply the example with:

kubectl apply -f examples/deployment.yml

Injecting using valueFrom

The valueFrom field injects a single key from the Kubernetes secret as a named environment variable; the variable name in the container does not have to match the key name in the secret:

env:
  - name: MY_APP_SECRET # The name of the environment variable exposed in the container
    valueFrom:
      secretKeyRef:
        name: doppler-test-secret # Kubernetes secret name
        key: MY_APP_SECRET # The name of the key in the Kubernetes secret

A complete Deployment using valueFrom:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: doppler-test-deployment-valuefrom
  annotations:
    secrets.doppler.com/reload: 'true'
spec:
  replicas: 2
  selector:
    matchLabels:
      app: doppler-test
  template:
    metadata:
      labels:
        app: doppler-test
    spec:
      containers:
        - name: doppler-test
          image: alpine
          command:
            - /bin/sh
            - -c
            # Print all non-Kubernetes environment variables
            - apk add --no-cache tini > /dev/null 2>&1 &&
              echo "### This is a simple deployment running with this env:" &&
              printenv | grep -v KUBERNETES_ &&
              tini -s tail -f /dev/null
          imagePullPolicy: Always
          env:
            - name: DOPPLER_CONFIG # The name of the environment variable exposed in the container
              valueFrom:
                secretKeyRef:
                  name: doppler-test-secret # Kubernetes secret name
                  key: DOPPLER_CONFIG # The name of the key in the Kubernetes secret
          resources:
            requests:
              memory: '250Mi'
              cpu: '250m'
            limits:
              memory: '500Mi'
              cpu: '500m'
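The two environment-variable methods above differ in what ends up in the container, and the rules the kubelet applies (a later envFrom source overrides an earlier one, an explicit env entry overrides anything from envFrom, keys that are not valid environment variable names are silently skipped, and a missing non-optional reference fails the container) are easy to get wrong. The following Python script, added here as an illustration and not part of the Doppler operator or the Kubernetes code base, resolves the environment a container would receive from a Secret object as `kubectl get secret -o json` returns it. The Secret contents, the container specs and the invalid key name are constructed for the example; the name validation implements the classic Kubernetes rule, which newer clusters may relax.

```python
import base64
import re

# Classic Kubernetes rule for environment variable names; the kubelet skips
# envFrom keys that violate it (recording an InvalidEnvironmentVariableNames
# event) instead of failing the pod. Newer clusters with relaxed validation
# accept more names, so treat this as the conservative rule.
_ENV_NAME = re.compile(r"^[-._a-zA-Z][-._a-zA-Z0-9]*$")


class EnvResolutionError(Exception):
    """A non-optional secret or key referenced by the container is missing."""


def is_env_var_name(name):
    return name not in (".", "..") and _ENV_NAME.match(name) is not None


def decode_secret(secret):
    """Decode the base64 `data` map of a Secret object (as `kubectl get -o json` shows it)."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def resolve_env(container, secrets):
    """Build the environment a kubelet would give `container`.

    `secrets` maps secret name -> decoded key/value map. Returns (env, skipped),
    where `skipped` lists envFrom keys dropped for having invalid names.
    Precedence follows the Kubernetes rule: a later envFrom source overrides an
    earlier one, and an explicit env entry overrides anything from envFrom.
    """
    env = {}
    skipped = []
    for source in container.get("envFrom", []):
        ref = source.get("secretRef")
        if ref is None:
            continue  # configMapRef sources follow the same rules; omitted here
        data = secrets.get(ref["name"])
        if data is None:
            if ref.get("optional"):
                continue
            raise EnvResolutionError(f"secret {ref['name']!r} not found")
        prefix = source.get("prefix", "")
        for key, value in data.items():
            name = prefix + key
            if not is_env_var_name(name):
                skipped.append(name)
                continue
            env[name] = value
    for entry in container.get("env", []):
        if "value" in entry:
            env[entry["name"]] = entry["value"]  # literal value; $(VAR) expansion not modelled
            continue
        ref = entry.get("valueFrom", {}).get("secretKeyRef")
        if ref is None:
            continue  # configMapKeyRef / fieldRef / resourceFieldRef omitted
        data = secrets.get(ref["name"])
        if data is None or ref["key"] not in data:
            if ref.get("optional"):
                continue
            raise EnvResolutionError(f"key {ref['key']!r} not found in secret {ref['name']!r}")
        env[entry["name"]] = data[ref["key"]]
    return env, skipped


def _b64(value):
    return base64.b64encode(value.encode()).decode()


# Constructed sample Secret, shaped like the one the operator creates. The last
# key is deliberately not a valid environment variable name.
SAMPLE_SECRET = {
    "metadata": {"name": "doppler-test-secret"},
    "data": {
        "DOPPLER_CONFIG": _b64("dev"),
        "DOPPLER_PROJECT": _b64("example-app"),
        "MY_APP_SECRET": _b64("s3cr3t"),
        "db.url/primary": _b64("postgres://db.internal:5432/app"),
    },
}

# Container specs mirroring the two injection styles on this page (constructed).
ENVFROM_CONTAINER = {
    "name": "doppler-test",
    "envFrom": [{"secretRef": {"name": "doppler-test-secret"}}],
    # An explicit env entry wins over the same key arriving via envFrom.
    "env": [{"name": "DOPPLER_CONFIG", "value": "overridden"}],
}

VALUEFROM_CONTAINER = {
    "name": "doppler-test",
    "env": [
        {"name": "MY_APP_SECRET",
         "valueFrom": {"secretKeyRef": {"name": "doppler-test-secret", "key": "MY_APP_SECRET"}}},
        {"name": "OPTIONAL_KEY",
         "valueFrom": {"secretKeyRef": {"name": "doppler-test-secret", "key": "MISSING", "optional": True}}},
    ],
}


def demo():
    secrets = {"doppler-test-secret": decode_secret(SAMPLE_SECRET)}
    env_all, skipped = resolve_env(ENVFROM_CONTAINER, secrets)
    env_one, _ = resolve_env(VALUEFROM_CONTAINER, secrets)
    return env_all, skipped, env_one


if __name__ == "__main__":
    env_all, skipped, env_one = demo()
    print("envFrom   ->", sorted(env_all), "skipped:", skipped)
    print("valueFrom ->", sorted(env_one))
```

Whichever method you use, remember that environment variables are inherited by every child process and are readable from /proc/<pid>/environ by anything running as the same user in the container, so valueFrom with a minimal set of keys limits how far a secret spreads; envFrom hands the container every key the secret holds.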

Injecting using volume

A secret volume exposes each key of the Kubernetes secret as a file named after the key, with the value as the file's contents. Declare the volume in the pod spec:

volumes:
  - name: secret-volume
    secret:
      secretName: doppler-test-secret # Kubernetes secret name

and mount it into the container's filesystem:

volumeMounts:
  - name: secret-volume
    mountPath: /etc/secrets
    readOnly: true

Keep the mount readOnly, and consider tightening the file permissions with the volume's defaultMode field, since the default mode of 0644 makes the files readable by every user inside the container. A complete Deployment using a secret volume:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: doppler-test-deployment-volume
  annotations:
    secrets.doppler.com/reload: 'true'
spec:
  replicas: 2
  selector:
    matchLabels:
      app: doppler-test
  template:
    metadata:
      labels:
        app: doppler-test
    spec:
      volumes:
        - name: secret-volume
          secret:
            secretName: doppler-test-secret # Kubernetes secret name
      containers:
        - name: doppler-test
          image: alpine
          command:
            - /bin/sh
            - -c
            # List the mounted secret files and print their contents
            - apk add --no-cache tini > /dev/null 2>&1 &&
              echo "### This is a simple deployment running with these mounted secret files:" &&
              (for f in $(find /etc/secrets -type f); do echo $f && cat $f && echo ""; done) &&
              tini -s tail -f /dev/null
          imagePullPolicy: Always
          volumeMounts:
            - name: secret-volume
              mountPath: /etc/secrets
              readOnly: true
          resources:
            requests:
              memory: '250Mi'
              cpu: '250m'
            limits:
              memory: '500Mi'
              cpu: '500m'

As with the environment-variable examples, this container prints the secret contents to the pod logs purely for demonstration. This method is commonly used with the Download Format option, which places all secrets in a single file in a chosen format instead of one file per key.
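Reading a mounted secret from application code needs a little care, because the kubelet does not write plain files into the mount: the real files live in a timestamped `..<ts>` directory, `..data` is a symlink pointing at it, and each key is a symlink `KEY -> ..data/KEY`. On an update the kubelet writes a fresh `..<ts>` directory and swaps the `..data` symlink in one rename, so a reader never sees a half-written set, and the new values become visible without a pod restart (environment variables, by contrast, never change after start). The following Python script, added as an illustration and not part of the operator or of Kubernetes, builds that layout in a temporary directory and shows a reader that returns only the keys and picks up a rotated value on re-read. The layout writer, the key names and the values are constructed for the example; on a real node only the kubelet writes the volume.

```python
import os
import tempfile


def read_secret_dir(mount_path):
    """Read a Kubernetes secret volume as {key: bytes}.

    Only top-level entries are keys. The kubelet's atomic writer also keeps a
    `..data` symlink and a timestamped `..<ts>` directory holding the real files,
    so those are skipped; a naive `find -type f` prints the `..<ts>` paths instead.
    """
    secrets = {}
    for name in sorted(os.listdir(mount_path)):
        if name.startswith(".."):
            continue
        path = os.path.join(mount_path, name)
        if os.path.isfile(path):  # keys are symlinks into ..data/; isfile follows them
            with open(path, "rb") as f:
                secrets[name] = f.read()
    return secrets


def write_secret_dir(mount_path, data, version):
    """Lay out `data` the way the kubelet does (constructed for this offline demo).

    New files land in a fresh `..<version>` directory, then `..data` is pointed
    at it with a single rename so readers never observe a partial update.
    """
    target = ".." + version
    os.mkdir(os.path.join(mount_path, target))
    for key, value in data.items():
        with open(os.path.join(mount_path, target, key), "wb") as f:
            f.write(value)
    tmp_link = os.path.join(mount_path, "..data_tmp")
    os.symlink(target, tmp_link)
    os.rename(tmp_link, os.path.join(mount_path, "..data"))  # atomic symlink swap
    for key in data:  # KEY -> ..data/KEY; these links survive updates unchanged
        link = os.path.join(mount_path, key)
        if not os.path.lexists(link):
            os.symlink(os.path.join("..data", key), link)
    for name in os.listdir(mount_path):  # drop links for keys that were removed
        if not name.startswith("..") and name not in data:
            os.unlink(os.path.join(mount_path, name))


def demo():
    """Write a secret, read it, rotate one value, read again (no restart involved)."""
    with tempfile.TemporaryDirectory() as mount:
        write_secret_dir(mount, {"DOPPLER_CONFIG": b"dev", "MY_APP_SECRET": b"s3cr3t"},
                         "2024_01_01_00_00_00.000000001")
        before = read_secret_dir(mount)
        # The operator updates the Secret; the kubelet rewrites the volume in place.
        write_secret_dir(mount, {"DOPPLER_CONFIG": b"dev", "MY_APP_SECRET": b"r0tated"},
                         "2024_01_01_00_01_00.000000001")
        after = read_secret_dir(mount)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", sorted(before))
    print("after :", sorted(after), "rotated:", before["MY_APP_SECRET"] != after["MY_APP_SECRET"])
```

Two caveats apply on a real cluster: the kubelet refreshes secret volumes on its sync period plus API cache propagation, so an update is not instantaneous, and a volume mounted with subPath is never updated at all, which is one reason the reload annotation below exists even for file-based consumers.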

Auto-restart on secret change

Adding the secrets.doppler.com/reload annotation to a Deployment makes the operator restart it whenever it detects a change in the managed secret. The operator polls Doppler for changes every 60 seconds, so a restart can lag the change by up to a minute:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: doppler-test-deployment-envfrom
  annotations:
    secrets.doppler.com/reload: "true"

Note that this only works with Deployment resources. To auto-restart other resource types, consider using Reloader.
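The restart is a rolling update of the pod template: a Deployment rolls out new pods only when spec.template changes, which is why stamping a digest of the secret onto the template's annotations is the standard way operators such as this one or Reloader trigger a reload. The following Python script, added here as an illustration and not the operator's own code, models one poll cycle: it checks the opt-in annotation, confirms that the Deployment actually consumes the secret through one of the three methods on this page, and rewrites the template annotation only when the secret's contents changed. The annotation name example.com/secret-hash, the Deployment and the Secret values are constructed for the example; the operator uses its own annotation.

```python
import hashlib
import json

RELOAD_ANNOTATION = "secrets.doppler.com/reload"
# Hypothetical pod-template annotation carrying the digest in this example;
# the Doppler operator and Reloader each use their own annotation for this.
HASH_ANNOTATION = "example.com/secret-hash"


def secret_hash(secret):
    """Stable digest of a Secret's data map; key order must not affect it."""
    canonical = json.dumps(secret.get("data", {}), sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def references_secret(pod_spec, secret_name):
    """True if any container or volume consumes `secret_name` via envFrom,
    valueFrom/secretKeyRef or a secret volume."""
    for vol in pod_spec.get("volumes", []):
        if vol.get("secret", {}).get("secretName") == secret_name:
            return True
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for src in c.get("envFrom", []):
            if src.get("secretRef", {}).get("name") == secret_name:
                return True
        for e in c.get("env", []):
            if e.get("valueFrom", {}).get("secretKeyRef", {}).get("name") == secret_name:
                return True
    return False


def refresh_pod_template(deployment, secret):
    """Stamp the digest of `secret` onto the pod template. Returns True when the
    template changed, i.e. the Deployment controller will roll out new pods.

    Only changes to spec.template trigger a rollout; annotating the Deployment's
    own metadata does nothing. Deployments without the reload annotation, or that
    do not use the secret, are left alone.
    """
    opt_in = deployment.get("metadata", {}).get("annotations", {}).get(RELOAD_ANNOTATION) == "true"
    template = deployment["spec"]["template"]
    if not opt_in or not references_secret(template["spec"], secret["metadata"]["name"]):
        return False
    annotations = template.setdefault("metadata", {}).setdefault("annotations", {})
    digest = secret_hash(secret)
    if annotations.get(HASH_ANNOTATION) == digest:
        return False  # same contents as the last poll: no restart
    annotations[HASH_ANNOTATION] = digest
    return True


def make_deployment(reload):
    """Constructed Deployment shaped like the envFrom example on this page."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "doppler-test-deployment-envfrom",
                     "annotations": {RELOAD_ANNOTATION: "true"} if reload else {}},
        "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "doppler-test"}},
                 "template": {"metadata": {"labels": {"app": "doppler-test"}},
                              "spec": {"containers": [{
                                  "name": "doppler-test", "image": "alpine",
                                  "envFrom": [{"secretRef": {"name": "doppler-test-secret"}}]}]}}},
    }


def make_secret(b64_value):
    """Constructed Secret; `data` values are base64 as in a real object."""
    return {"metadata": {"name": "doppler-test-secret"}, "data": {"MY_APP_SECRET": b64_value}}


def demo():
    """Three polls against an opted-in Deployment (initial, unchanged, rotated)
    and one against a Deployment without the annotation."""
    dep, silent = make_deployment(reload=True), make_deployment(reload=False)
    first = refresh_pod_template(dep, make_secret("czNjcjN0"))        # "s3cr3t"
    unchanged = refresh_pod_template(dep, make_secret("czNjcjN0"))
    rotated = refresh_pod_template(dep, make_secret("cjB0YXRlZA=="))  # "r0tated"
    ignored = refresh_pod_template(silent, make_secret("cjB0YXRlZA=="))
    return first, unchanged, rotated, ignored


if __name__ == "__main__":
    print(demo())
```

The same mechanism is what `kubectl rollout restart deployment/<name>` uses by hand: it stamps kubectl.kubernetes.io/restartedAt on the pod template. Hashing the secret contents rather than its resourceVersion avoids restarting pods when the operator rewrites a Secret with identical values.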

