Any way to make Doppler secrets AZ aware?


We have an API application running on AWS EKS. The EKS clusters are deployed in several regions. Each region features 3 AZs. A third party DB provider provides PrivateLinks to connect to their service. The PrivateLink returns an array with 5 DNS entries. There is one for each AZ for reduced latency. The application is sensitive to latency.

We are using Doppler to store the connection string with credentials. The Doppler operator maps the connection string to the environment variable DB_CONN. So all the application has to do is read env.DB_CONN to fetch the appropriate DB endpoint.

Given that Doppler runs on Kubernetes and big cloud providers feature multiple AZs, it would be nice if Doppler could be configured to be AZ-aware and return endpoints per AZ.

A pod can become AZ and/or Region aware by reading the node-labels.


@atmosx We don’t currently have any plans to add this kind of functionality to the Doppler k8s operator, but it’s something you could approximate if your pods can tell what AZ or Region they’re in on boot. It would basically involve having a separate secret for each AZ/Region. For example:

  • etc.

If your pod got an AZ label with the value US_EAST_1, then you could have the pod use DB_CONN_${the-az-from-the-label}. Not as nice as it being completely seamless and automatic, but you should be able to get something like this working using an approach like that!
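
The per-AZ lookup suggested in the reply above, as an added example that is not part of the thread and is not Doppler's own code. It assumes the zone reaches the container in a hypothetical `NODE_ZONE` variable (for instance copied from the node label by an init container), that the per-AZ secrets are named `DB_CONN_<ZONE>`, and that the plain `DB_CONN` remains as a fallback; the zone value is validated before it is used to build a variable name.

```shell
#!/bin/sh
# Added example: choose the per-AZ connection string at container start.
# Assumptions (not from the thread): the zone is passed in as an argument
# (e.g. from a hypothetical NODE_ZONE variable), and secrets are named
# DB_CONN_<ZONE> with the zone upper-cased and '-' replaced by '_'.

# zone_to_suffix ZONE -> prints e.g. US_EAST_1A; returns 1 on unexpected input.
zone_to_suffix() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;  # empty, or characters outside [A-Za-z0-9_-]
    esac
    printf '%s' "$1" | LC_ALL=C tr 'a-z-' 'A-Z_'
}

# resolve_db_conn ZONE -> prints the selected connection string.
# Falls back to DB_CONN when the zone is invalid or has no secret of its own.
# The secret is only written to stdout for capture; it is never logged.
resolve_db_conn() {
    suffix=$(zone_to_suffix "$1") || suffix=''
    value=''
    if [ -n "$suffix" ]; then
        # eval is safe here: suffix is limited to [A-Z0-9_] by zone_to_suffix,
        # and the expanded secret is assigned, not re-parsed.
        eval "value=\${DB_CONN_${suffix}:-}"
    fi
    if [ -z "$value" ]; then
        value=${DB_CONN:-}
    fi
    [ -n "$value" ] || return 1
    printf '%s' "$value"
}

# Entrypoint usage (left as a comment so the file can also be sourced):
#   DB_CONN=$(resolve_db_conn "${NODE_ZONE:-}") || exit 1
#   export DB_CONN
#   exec "$@"
```
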