This repository is a reference solution for using Doppler to manage secrets for PHP applications. It currently focusses on Laravel but the techniques shown here can be applied to any framework.
Doppler is a SecretOps platform that keeps secrets and app configuration in sync across devices, environments, and team members.
- Doppler account
- Doppler CLI
- Docker and Docker Compose
- make
NOTE: Docker Compose is used for simulating a production environment on your local machine and is not a requirement for using Doppler with PHP.
If you haven't already, authenticate the Doppler CLI locally by running:
```sh
doppler login
```
Clone this repository and open a terminal in the root directory. Then create the sample Doppler project and build the required Docker containers:
```sh
make doppler-project
make docker-build
```
Navigate to the laravel-sample-app project in the Doppler dashboard and select the Access tab. Click the + Generate button to create a read-only Service Token and copy its value.
Then, to simulate a production environment, expose the Service Token value using the DOPPLER_TOKEN environment variable. The Service Token is typically injected into your deployment via a CI/CD job.
```sh
export DOPPLER_TOKEN="dp.st.prd.xxxx"
```
You can verify access to Production secrets by running:
```sh
doppler secrets
```
Then start the application by running:
```sh
make run
```
The application will then be served through NGINX at http://localhost/.
Leave the server running as we'll be using it next to demonstrate automatic secrets syncing.
Incorporating automatic secrets syncing just needs a scheduler (e.g. cron) and a secrets sync script:
```
* * * * * /usr/src/app/bin/doppler-sync.sh
```
To simulate scheduled updates, open a new terminal window and run:
```sh
make doppler-sync
```
Navigate to the Doppler dashboard, change the APP_NAME secret, then refresh the application page to confirm the secrets change has come through.
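What a cron-driven sync step can look like, as an added example that is not the repository's bin/doppler-sync.sh: it downloads the secrets with the Doppler CLI, keeps the existing file if the download fails, and replaces the .env file atomically with owner-only permissions. The function names and the `--run` entry point are hypothetical; it assumes DOPPLER_TOKEN is set in the environment.

```sh
#!/bin/sh
# Added example; NOT the repository's bin/doppler-sync.sh.
# Function names are hypothetical.

# Print the current secrets in .env format on stdout.
# The Doppler CLI reads the Service Token from DOPPLER_TOKEN.
fetch_secrets() {
    doppler secrets download --no-file --format env
}

# sync_env_file TARGET [FETCH_FUNCTION]
# Returns: 0 = file replaced, 1 = unchanged, 2 = fetch failed (old file kept).
sync_env_file() {
    target=$1
    fetch=${2:-fetch_secrets}
    # Temp file in the same directory, so the final mv is an atomic rename
    # and readers never see a half-written .env. mktemp creates it as 0600.
    tmp=$(mktemp "$(dirname "$target")/.env.sync.XXXXXX") || return 2

    # A failed or empty download must never clobber working secrets.
    if ! "$fetch" > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi

    # Skip the write when nothing changed, so callers can tell when to reload.
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 600 "$tmp"        # secrets readable by the owning user only
    mv -f "$tmp" "$target"
}

# Cron entry point (path is a placeholder): script.sh --run /path/to/.env
if [ "${1:-}" = "--run" ]; then
    rc=0
    sync_env_file "${2:-.env}" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "doppler sync failed; existing file left in place" >&2
        exit 1
    fi
    exit 0
fi
```

Because the file is written with mode 0600, the job has to run as the same user the PHP process runs as.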
While each team will have their own process for applying database migrations in live environments, a simple mechanism is demonstrated in the php-fpm-start.sh script by checking if the DB_FORCE_MIGRATE environment variable has a value of yes and force-running the migration command accordingly.
We'll simulate a development environment also using Docker Compose.
```sh
make dev
```
Then in a new terminal attach to the shell in the Laravel container by running:
```sh
docker attach laravel-app
```
Then authenticate the CLI by running:
```sh
doppler login
```
Then start the development server using the Doppler CLI to mount an ephemeral .env file:
```sh
doppler run --mount .env -- php artisan serve --host 0.0.0.0 --port 9000
```
To clean up the resources used for this sample app:
```sh
make cleanup
```