Can I inject secrets into a config file at deploy time?

I’m setting up pgbouncer, which has a userlist.txt file with the db credentials. They’re not super sensitive, because the db is (/will be) an IP restricted Supabase instance, but nevertheless I’d like to treat them as secrets (they’re already in Doppler, for the app).

I tried:

RUN sed -i "s|{{DB_PASSWORD}}|$DB_PASSWORD|g" /etc/pgbouncer/userlist.txt

…in the Dockerfile, but despite the existence of DB_PASSWORD as a secret in fly, it doesn’t get populated with anything.

I know that Doppler has a way of wrapping its CLI around processes, but I don’t want to do that. I’m sure pgbouncer has a better way too, which I’ll research. But this seemed most straightforward, if I could get it to work…

Hi @jakeshead—just to clarify, by “deploy time,” it looks like you mean “when the Docker image is built”?

The RUN instruction you shared occurs at build time. Fly secrets aren’t available when the image is built, only when the app actually runs. There are mechanisms for providing secrets to Docker builds, but in this case I don’t think this is what you’ll ultimately want.

Even if your RUN instruction were working, it would be writing the secret into your Docker image. It’s considered a good practice not to do this. Otherwise anyone with access to the image would have access to the secret! Furthermore, you’d have to rebuild the image any time you wanted to change the secret; running fly secrets set wouldn’t be enough.

Instead, I’d suggest leaving the {{DB_PASSWORD}} placeholder in your userlist.txt in the Docker image and writing a short entrypoint script to replace it with the real value at runtime (which will be available as an environment variable then). E.g:

#!/bin/sh
set -eu
sed -i "s|{{DB_PASSWORD}}|$DB_PASSWORD|g" /etc/pgbouncer/userlist.txt
exec "$@"
