Upload secret files | Secure | Northflank Application docs


Upload secret files

You can upload secret files to mount within your containers. They can be used to:

  • make configuration files available within your services, jobs and builds
  • create text-based configuration files like .json, .html, .css, .yaml
  • add certificate files or complex secrets that cannot be handled by environment variables
  • create manifest files with build or runtime variable configuration

Secret files are equivalent to Kubernetes' ConfigMaps and Docker file volumes.

Each secret file must have a unique path where it will be mounted, and some file content. You can use dynamic templating (in the format ${ENV_KEY}) to substitute environment variables into your secret files.

Secret files are encrypted at rest and injected at runtime as environment variables, or at build time as build arguments.

Add a secret file

You can add a secret file to a service or job from the environment page, to make the file available at runtime, or from the build arguments page, to make it available at build time.

Click add file to manually enter the file content, or upload from your local filesystem. Enter the mount path, where your file will be located in the container filesystem, and either repeat to add more files or save changes.

You can also add secret files in the same way to a secret group, which will be made available in any services or jobs that inherit from that secret group.

Uploading a secret file in the Northflank application

Access secret files in builds

Secret files in builds are accessed differently from secret files in deployed containers: instead of being injected relative to the build root, they are relative to the repository root. Secret files in builds also cannot overwrite files in the repository. For example, a repository containing data/config.json would fail to build if you added a secret file with the path /data/config.json.

If you reference a secret file in your Dockerfile, the path is relative to the build context, not the container root. This also means that the secret file path needs to take the build context into account when you add the file to Northflank. If you want to access a secret file while using the build context /frontend, the file path must be set to /frontend/data/config.json so that you can access it with COPY ./data/config.json . in the Dockerfile.

The table below gives examples of how a path would be set and accessed in various contexts:

| Secret file mount path | Build context | Secret file relative to build context | Dockerfile COPY example | File location in build after WORKDIR app; COPY ${file} . |
|---|---|---|---|---|
| /secrets/my-secret | / | ./secrets/my-secret | COPY ./secrets/my-secret . | /app/my-secret |
| /secrets/my-secret | /frontend | secret outside of build context | secret outside of build context | secret outside of build context |
| /frontend/secrets/my-secret | /frontend | ./secrets/my-secret | COPY ./secrets/my-secret . | /app/my-secret |
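
A pre-build check for the path rules above, as an added example that is not Northflank's own code: it maps each secret file mount path to the path a Dockerfile COPY would use for a given build context, and flags files that fall outside the context or would overwrite a repository file. The function names, status labels and sample paths are assumptions made for illustration.

```python
import posixpath

def _norm(path):
    # Treat every path as absolute from the repository root.
    return posixpath.normpath("/" + path.strip("/"))

def resolve_secret_path(mount_path, build_context):
    """Path of the secret file relative to the build context, or None if outside it."""
    mount, context = _norm(mount_path), _norm(build_context)
    if context == "/":
        return "." + mount
    # Require a full path-component match so /frontend-old is not inside /frontend.
    if mount.startswith(context + "/"):
        return "./" + mount[len(context) + 1:]
    return None

def check_secret_files(mount_paths, build_context, repo_files):
    """Return (mount_path, status, copy_line) per secret file (status labels are hypothetical)."""
    tracked = {_norm(f) for f in repo_files}
    results = []
    for mount_path in mount_paths:
        relative = resolve_secret_path(mount_path, build_context)
        if _norm(mount_path) in tracked:
            # A secret file cannot overwrite a file in the repository.
            results.append((mount_path, "collides-with-repo-file", None))
        elif relative is None:
            results.append((mount_path, "outside-build-context", None))
        else:
            results.append((mount_path, "ok", f"COPY {relative} ."))
    return results

if __name__ == "__main__":
    # Constructed sample input: repository file list and secret file mount paths.
    repo = ["frontend/Dockerfile", "data/config.json"]
    secrets = ["/frontend/secrets/my-secret", "/secrets/my-secret", "/data/config.json"]
    for row in check_secret_files(secrets, "/frontend", repo):
        print(row)
```

Running a check like this before saving secret files catches a path that would fail the build or be unreachable from the Dockerfile.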

Edit a secret file

You can edit or delete existing secret files by finding them in the relevant service, job, or secret group.