Upload secret files

You can upload secret files to mount within your containers. They can be used to:

  • make configuration files available within your services, jobs and builds
  • create text based configuration files like .json, .html, .css, .yaml
  • add certificate files or complex secrets that cannot be handled by environment variables
  • create manifest files with build or runtime variable configuration

Secret files are equivalent to Kubernetes' ConfigMaps and Docker file volumes.

Each secret file must have a unique path where it will be mounted, and some file content. You can use dynamic templating (in the format ${ENV_KEY}) to substitute environment variables into your secret files.

Secret files are encrypted at rest and injected at runtime or build time.

Secret file permissions

Secret files will be owned by the user and group root in your container. You may need to add a shell script to change the ownership or permissions.

Add a secret file

You can add a secret file to a service or job from the environment page, to make the file available at runtime, or from the build arguments page, to make it available at build time.

Click add file to manually enter the file content, or upload from your local filesystem. Enter the mount path, where your file will be located in the container filesystem, and either repeat to add more files or save changes.

You can also add secret files in the same way to a secret group, which will be made available in any services or jobs that inherit from that secret group.

Uploading a secret file in the Northflank application

Access secret files in builds

Secret files in builds are injected relative to the repository root, unlike secret files in deployed containers which are injected relative to the build root.

Secret files in builds also cannot overwrite files in the repository. For example, a repository with data/config.json would fail to build if you added a secret file with the path /data/config.json.

If you reference a secret file in your Dockerfile it is relative to the build context, not the container root. This also means that the secret file path needs to take the build context into account when you add the file to Northflank.

If you want to access a secret file while using the build context /frontend, the file path must be set to /frontend/data/config.json. You can make the file available under this path by specifying COPY ./data/config.json . in the Dockerfile.

The table below gives examples of how a path would be set and accessed in various contexts:

| Secret file mount path | Build context | Secret file relative to build context | Dockerfile COPY example | File location in build after WORKDIR app; COPY ${file} . |
|---|---|---|---|---|
| /secrets/my-secret | / | ./secrets/my-secret | COPY ./secrets/my-secret . | /app/my-secret |
| /secrets/my-secret | /frontend | secret outside of build context | secret outside of build context | secret outside of build context |
| /frontend/secrets/my-secret | /frontend | ./secrets/my-secret | COPY ./secrets/my-secret . | /app/my-secret |
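
The path rules in this section can be checked before a build is triggered. The shell functions below are an added example, not Northflank tooling; the function names and return codes are assumptions, and `check_build_secret` expects a local checkout of the repository.

```shell
#!/bin/sh
# Added example: pre-build check for secret file mount paths.
# Function names and return codes are hypothetical, not Northflank tooling.

# Add a leading slash if missing and drop trailing slashes.
norm_path() {
    p="/${1#/}"
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p="${p%/}"; done
    printf '%s\n' "$p"
}

# Print the secret's path relative to the build context; return 1 when
# the mount path lies outside the build context.
secret_rel_path() {
    mount=$(norm_path "$1")
    ctx=$(norm_path "$2")
    if [ "$ctx" = "/" ]; then
        printf '.%s\n' "$mount"
        return 0
    fi
    case "$mount" in
        "$ctx"/*) rel=${mount#"$ctx"}; printf '.%s\n' "$rel" ;;
        *) echo "secret outside of build context" >&2; return 1 ;;
    esac
}

# Check a build secret against a checked-out repository (repo_root):
# return 2 if it would overwrite a repository file, 1 if it is outside
# the build context, otherwise print the matching Dockerfile COPY line.
check_build_secret() {
    repo_root=$1
    m=$(norm_path "$2")
    if [ -e "$repo_root$m" ]; then
        echo "conflict: $m already exists in the repository" >&2
        return 2
    fi
    rel=$(secret_rel_path "$m" "$3") || return 1
    printf 'COPY %s .\n' "$rel"
}

# Rows from the table on this page: mount path, build context.
for row in "/secrets/my-secret /" "/secrets/my-secret /frontend" \
           "/frontend/secrets/my-secret /frontend"; do
    set -- $row
    printf '%s with context %s -> ' "$1" "$2"
    secret_rel_path "$1" "$2" 2>&1 || true
done
```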

Edit a secret file

You can edit or delete existing secret files by finding them in the relevant service, job, or secret group.
