App Platform: Injecting files from Environment Variables

App Platform, DigitalOcean

App Platform apps (that don't use Dockerfiles) are built using Cloud Native Buildpacks, which turn your code into an OCI image that is run on a secured, shared Kubernetes instance. App Platform lets you apply environment variables to your app. In many cases app secrets are stored in these env vars, and in less common cases the app requires these secrets to exist as a file on the filesystem.

Some options to make this happen are:

  • Commit the secret to the app git repository so it's present when the build occurs.
    • The obvious drawback here is that the secret is in the git repository and its history. This is unacceptable in most cases.
  • Convert the app to use a Dockerfile and echo the environment variable to disk in the Dockerfile.
    • Slightly better than the first option, this method still persists your secret to the OCI image.
  • Finally, explicitly take over the run command and inject the file at run time.
    • This method does not persist the secret anywhere in an unencrypted fashion.
    • It ensures that the right version of your secret is present.
    • The drawback is that your app's run_command needs to be set manually.

How do we do this?

1. Add the environment variable to your app and check the Encrypt checkbox.

2. Select the component that requires the secret and Edit the Commands to look something like:

echo "${APP_CERT}" > jwt.cer && <your_apps_run_command>

In this snippet, the APP_CERT environment variable is written to a file called jwt.cer and then the app's run command is executed.

Further Considerations

In some cases you may need to encode your file before saving it as an environment variable, which will require decoding it.

Encoding your file using base64

The base64 tool comes with Linux and macOS by default. You can get a base64 representation of your file with:

cat <your_file> | base64

This also means your file will need to be decoded before being written to disk. Update your run command to:

echo "${APP_CERT}" | base64 --decode > jwt.cer && <your_apps_run_command>
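
The run commands above can also be wrapped in a small entrypoint script. The following is an added example, not DigitalOcean's code: it decodes the variable, creates the file with owner-only permissions, and refuses to start the app if the value is missing or does not decode. APP_CERT and jwt.cer come from this page; the function name write_secret and the file name entrypoint.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not DigitalOcean's code). APP_CERT and jwt.cer come from the
# page; write_secret and the file name entrypoint.sh are hypothetical.
# Assumed use as the component's run command:
#   sh entrypoint.sh <your_apps_run_command>

# write_secret BASE64_TEXT DEST
# Decode BASE64_TEXT into DEST with owner-only permissions. Returns non-zero
# and leaves DEST untouched if the value is empty or is not valid base64.
write_secret() {
    value=$1
    dest=$2
    tmp="${dest}.tmp.$$"

    if [ -z "$value" ]; then
        echo "write_secret: secret variable is empty or unset" >&2
        return 1
    fi

    # umask 077 in a subshell: the file is created as 0600 without changing
    # the umask the app itself will inherit. printf avoids echo's
    # shell-dependent handling of backslashes.
    if ! ( umask 077; printf '%s' "$value" | base64 --decode > "$tmp" ); then
        rm -f "$tmp"
        echo "write_secret: value is not valid base64" >&2
        return 1
    fi

    # Move into place only after a complete, successful decode.
    mv -f "$tmp" "$dest"
}

# Run only when a command was passed, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    write_secret "${APP_CERT:-}" jwt.cer || exit 1
    unset APP_CERT   # the app reads jwt.cer; keep the value out of its environment
    exec "$@"        # replace the shell so the app receives signals directly
fi
```

If your app also reads APP_CERT directly from its environment, drop the unset line.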