App Platform: Injecting files from Environment Variables
App Platform, DigitalOceanApp Platform apps (that don't use dockerfiles) are built using Cloud Native Build Packs, which turn your code into a OCI image that is run on a secured, shared Kubernetes instance. App Platform offers the ability to apply environment variables to your app, in many cases app secrets are stored in these env vars, and in less common cases the apps require these secrets to exist as a file on the filesystem.
Some options to make this happen are:
- Commit the secret to the app git repository so it's present when the build occurs.
- The obvious drawback here is that the secret is in the git and the git history. This is unacceptable in most cases.
- Convert the App to use a dockerfile and echo the environment variable to disk with the dockerfile.
- Slightly better than the first option, this method still persists your secret to the OCI image.
- Finally, explicitly take over the run command and inject the file at run time.
- This method does not persist the secret anywhere in an unencrypted fashion.
- It ensure that the right version of your secret is present.
- The drawback is it your app
run_command
needs to be manually set.
How do we do this?
1. Add the environment variable to your app and check the Encrypt
checkbox.
2. Select the component that requires the secret and Edit
the Commands to look something like
echo "${APP_CERT}" > jwt.cer && <your_apps_run_command>
In this snippet, the APP_CERT
environment variable writen to a file called jwt.cer
and then the apps execution code is ran.
Further Considerations
In some cases you may need to encode your file before saving it as an environment variable, which will require decoding it.
Encoding your file using base64
The base64
tool comes with Linux and MacOS by default, getting a base64 representation of your file can be down with:
cat <your_file> | base64
this also means your file will need to be decoded before being written to disk. Update your run command to:
echo "${APP_CERT}" | base64 --decode > jwt.cer && <your_apps_run_command>