Doppler Encrypted Secrets Snapshots for High Availability

ryanblunden

Ryan Blunden

Posted on November 23, 2022

Doppler Encrypted Secrets Snapshots for High Availability

Ideally, fetching secrets at runtime by your application is avoided altogether using Doppler integrations (e.g. Doppler Kubernetes Secrets Operator), which continuously sync secrets to your hosting environment ahead of time, but this won't always be possible.

For legacy applications, on-prem, and virtualized environments where secrets must be fetched at runtime, bundling Doppler CLI secrets snapshots into your application provides a robust failsafe in the event Doppler's API is unreachable.

The result is similar to a GitOps secrets approach, but without the messy business of committing encrypted secrets to Git repositories can be avoided.

Build. Encrypt. Deploy. Fallback.

Doppler secrets snapshots are bundled into the application build during CI/CD with a single command:

doppler secrets download secrets.json.enc
Enter fullscreen mode Exit fullscreen mode

Then to fallback to a secrets snapshot when running your application:

doppler run --fallback secrets.json.enc -- ./app-start.sh
Enter fullscreen mode Exit fullscreen mode

Secrets snapshots aren't just for high availability. They're perfect for network-restricted environments and offer protection if Doppler's API rate limit is exceeded.

The addition of the --fallback-only instructs the CLI only to use the snapshot:

doppler run \
 --fallback secrets.json.enc \
 --fallback-only -- ./app-start.sh
Enter fullscreen mode Exit fullscreen mode

Now let's look into passphrase usage for encrypting and decrypting secrets snapshots.

Passphrase

By default, the CLI configuration is used to construct the passphrase, which is typically the Service Token value exposed via the DOPPLER_TOKEN environment variable. While this is the simplest solution, setting the passphrase explicitly has the benefits of:

  • Only using the DOPPLER_TOKEN for authentication
  • Allowing the passphrase and DOPPLER_TOKEN values to be rotated independently

Most importantly, your implementation must guarantee the passphrase remains constant from build to deployment during a release. As these are infrastructure secrets, we recommend a dedicated infra project for each application containing only the DOPPLER_TOKEN and (should you use a passphrase) a DOPPLER_PASSPHRASE.

ā€ŽDoppler integrations then keep infrastructure secrets in sync between your build and deployment environments, eliminating the risks associated with manual copying and pasting.

The following video demonstrates how to set up an infra project in three simple steps:

%[https://vimeo.com/769739281]

With the required pieces in place, let's move on to creating and using secrets snapshots.

Build

With the DOPPLER_TOKEN and DOPPLER_PASSPHRASE injected into your build environment (e.g. GitHub Action Secrets), we can now create the secrets snapshot file:

doppler secrets download \
  --passphrase "$DOPPLER_PASSPHRASE" \
  secrets.json.enc
Enter fullscreen mode Exit fullscreen mode

Secrets snapshots also support name transformers and download formats:

# ASP.NET Core secrets snapshot
doppler secrets download \
 --passphrase "$DOPPLER_PASSPHRASE" \
 --format dotnet-json \
 appsettings.json.enc
Enter fullscreen mode Exit fullscreen mode

Ensure the secrets snapshot file is included in your build, then you're done!

Deploy

With the DOPPLER_TOKEN and DOPPLER_PASSPHRASE injected into the deployment environment via automation (e.g Ansible), the Doppler CLI will attempt to fetch the latest version of secrets using the secrets snapshot as a fallback:

doppler run \
  --passphrase "$DOPPLER_PASSPHRASE" \
  --fallback secrets.json.enc -- ./start-app.sh
Enter fullscreen mode Exit fullscreen mode

Summary

Doppler secret snapshots are your high-availability solution to ensure applications can always access their secrets.

Using Docker? Check out our dedicated Docker High Availability documentation to learn more.

šŸ’– šŸ’Ŗ šŸ™… šŸš©
ryanblunden
Ryan Blunden

Posted on November 23, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related