Skip to content

Latest commit

 

History

History
93 lines (66 loc) · 4.59 KB

File metadata and controls

93 lines (66 loc) · 4.59 KB

Managing Secrets with Doppler

We use Doppler as the single source of truth for sensitive configuration across environments.
Secrets stored in Doppler are automatically injected into the app at runtime and mapped to configuration keys via custom-environment-variables.yml.


Workflow

  1. Sign in to Doppler
    Log in at https://dashboard.doppler.com with the Platform team's credentials.

  2. Select the flask-react-template project
    The flask-react-template project centralizes secrets for the full stack (frontend + backend).

  3. Choose an environment

    • preview – Preview environment configuration.
    • production – Production environment configuration.
  4. Add or edit secrets

    • Click “Secrets”“Add Secret”.
    • Enter the key exactly as referenced in custom-environment-variables.yml.
    • Provide the value and save.
  5. Deploy
    The next deployment will pick up the new secret automatically.


How Mapping Works

custom-environment-variables.yml maps a config path to an env-var name (the Doppler key).
Example fragment:

mongodb:
  uri: 'MONGODB_URI'

demo:
  host: 'DEMO_HOST'
  port:
    __name: 'DEMO_PORT'
    __format: 'number'
Doppler Secret Overrides Config Key Notes
MONGODB_URI mongodb.uri String value
DEMO_HOST demo.host String value
DEMO_PORT demo.port (as number) Cast to number via __format: number

Empty or unset secrets are ignored and fallback to the value defined in the corresponding YAML config.


Best Practices

  • Never commit secrets to the repository.
  • production secrets should be tightly controlled.
  • Remove deprecated keys promptly to avoid confusion.
  • If you add a new mapping in custom-environment-variables.yml, remember to create the matching secret in Doppler for every active environment.

Required Secrets by Category

Backend Datadog Logging

Required for backend log forwarding to Datadog (when logger.transports includes 'datadog'):

Doppler Secret Config Key Description
DATADOG_API_KEY datadog.api_key Datadog API key for backend logging
DATADOG_SITE_NAME datadog.site_name Datadog site (e.g., datadoghq.com)
DATADOG_APP_NAME datadog.app_name Application name in Datadog
DATADOG_LOG_LEVEL datadog.log_level Log level (e.g., info, debug)

Frontend Datadog RUM & Browser Logs

Required for frontend Real User Monitoring and browser log collection (when public.datadog.enabled: 'true'):

Doppler Secret Config Key Description
DATADOG_CLIENT_TOKEN public.datadog.clientToken Datadog client token for browser SDK
DATADOG_APPLICATION_ID public.datadog.applicationId RUM application ID
DATADOG_ENABLED public.datadog.enabled Enable/disable frontend Datadog ('true')
DATADOG_ENV public.datadog.env Environment name (e.g., production)
DATADOG_SERVICE public.datadog.service Service name for frontend
DATADOG_SESSION_SAMPLE_RATE public.datadog.sessionSampleRate Session sampling rate (0-100)
DATADOG_SESSION_REPLAY_SAMPLE_RATE public.datadog.sessionReplaySampleRate Session replay sampling rate (0-100)
DATADOG_SITE_NAME public.datadog.site Datadog site (e.g., us5.datadoghq.com)

Note: Frontend public config is exposed at runtime via /config.js (see serve_config in bin/blueprints.py). Redeploy or restart the backend after changing these secrets so browsers receive the updated values.