2 min read

Managing TLS Kubernetes Secrets with Doppler

Automated Kubernetes TLS secrets sync with the Doppler CLI.

Sep 11, 2021
Ryan Blunden Avatar
Ryan Blunden
Senior Developer Advocate
Managing TLS Kubernetes Secrets with Doppler
Back to the blog
Managing TLS Kubernetes Secrets with Doppler


  • Doppler CLI installed and authenticated
  • Access to a Kubernetes cluster

To follow along with this tutorial, click on the Import to Doppler button below to create the Doppler project containing the required variables, including the TLS certificate and key.

Creating the TLS Certificate and Key Secrets in Doppler

You can either use the Doppler dashboard to copy and paste in the contents of your certificate and key, or the Doppler CLI as per below:

1doppler secrets set TLS_CERT="$(cat ./tls.cert)"
2doppler secrets set TLS_KEY="$(cat ./tls.key)"

Doppler Sync to a Kubernetes TLS Secret

Now that your TLS certificate and key are in Doppler, the next step is syncing them to a Kubernetes secret using the Doppler CLI.

We recommend using Kubernetes' built-in TLS Secret type type as it standardizes the property names inside the secret to tls.crt and tls.key:

1kubectl create secret tls doppler-tls-pem \
2  --cert <(doppler secrets get TLS_CERT --plain) \
3  --key <(doppler secrets get TLS_KEY --plain)

We can see this by describing the secret:

1kubectl describe secret doppler-tls-pem
3# >> Name:         doppler-tls-pem
4# >> Namespace:    default
5# >> Labels:       
6# >> Annotations:  
7# >> 
8# >> Type:
9# >> 
10# >> Data
11===# >> =
12# >> tls.crt:  1545 bytes
13# >> tls.key:  1704 bytes

Mount TLS Certificate and Key inside a Kubernetes Deployment

The below deployment mounts the TLS certificate and key inside a container.

As the mountPath is set to /usr/src/app/secrets, the path to the certificate and key will be:

  • /usr/src/app/secrets/tls.crt
  • /usr/src/app/secrets/tls.key

Enable Automatic Secrets Sync with our Kubernetes Operator

While the Doppler CLI makes it easy to sync TLS secrets, its only drawback is having to manually sync updates to the TLS secrets in Kubernetes when they're updated in Doppler.

We recommend leveling up to use our Kubernetes Operator, which instantly syncs secrets to Kubernetes when changed and includes support for auto-reloading of deployments when secrets are updated inside the cluster.

Learn more by checking out the Kubernetes Operator repository on GitHub.


Awesome work! Now you know how to use Doppler to simplify and securely manage TLS secrets in PEM format for your Kubernetes-hosted applications.

Be sure to check out our Kubernetes documentation and reach out in our Doppler Community Forum if you need help.

Stay up to date with new platform releases and get to know the team of experts behind them.

Related Content

Explore More