For over eighty years, Beck’s Hybrids has grown from a modest family-owned seed company to the largest family-owned retail seed company in the U.S. Known for its commitment to quality, innovation, and prioritizing farmers, the company offers high-yielding crop seeds and advanced agricultural technologies and services. This includes FARMserver, a precision farming software platform that provides data analysis, weather updates, and customized agronomic advice, merging traditional farming insights with modern technology.
As Beck’s Hybrids endeavored to expand their digital footprint and enhance customer offerings, the engineering team, under the leadership of Director of Software Engineering Jon Bitler, encountered significant challenges in managing application secrets both securely and efficiently.
Initially, the team depended entirely on .env files for secret and configuration management. Over time, this method became a considerable bottleneck and burden. They struggled to maintain consistency and synchronize secrets across various environments—development, testing, and production. Each new project and deployment pipeline required the correct .env file to be duplicated and provided to various servers. The development team had to manually update .env files across multiple servers and virtual machines at once. This approach was not scalable and consumed significant time and effort. Occasionally it led to configuration drift that hindered deployments when the correct environment variables were missing.
As the team expanded its engineering operations, this manual, ad-hoc method—once manageable with a smaller team—became cumbersome for their evolving needs. The inefficiency was particularly evident during the onboarding of new developers or when team members started new projects. Principal Engineer Hicaro Adriano highlighted the onboarding difficulties, noting, “An engineer starting a new project could spend at least an hour figuring out the current set of secrets.” This time could increase exponentially if issues arose, requiring broader team involvement to identify the latest versions. Software Engineering Manager Chris Tallman added, “We were passing the .env files around to all the developers. It was challenging to keep them in sync. If we changed one, we had to distribute it again.” The team needed a solution that could accommodate rapid onboarding and the integration of environment variables into new workflows.
Manually distributing .env files among developers became more than a logistical issue; it also introduced significant security risks. Sharing secrets in insecure ways to keep developers in sync with changes expanded the attack surface and made the secrets vulnerable to leaks. “We realized that with people changing roles, we were exposing ourselves to potential attacks, with everyone having access to our passwords,” Chris reflected. “We wanted to remove secrets from repos. Even after transitioning to Kubernetes, we found that secrets stored in Kubernetes secrets or config maps were merely base64 encoded, offering minimal security. Seeking a more locked-down method was primarily driven by our concern for security.”
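The base64 point in the quote above can be checked directly. The following Python sketch is an added example, not code from Beck’s Hybrids or Doppler: it audits a constructed set of repository files and shows that every value held in a .env file or in a Kubernetes Secret manifest (JSON form) is recoverable without any key. All file names and values are constructed for illustration.

```python
import base64
import json

# Constructed sample repository contents (not from Beck's Hybrids or Doppler).
SAMPLE_REPO = {
    "app/.env": "DB_USER=farm_app\nDB_PASSWORD=constructed-example-pw\n# comment\n",
    "deploy/secret.json": json.dumps({
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "app-db"},
        "data": {"DB_PASSWORD": base64.b64encode(b"constructed-example-pw").decode()},
    }),
    "deploy/config.json": json.dumps({"apiVersion": "v1", "kind": "ConfigMap",
                                      "data": {"LOG_LEVEL": "info"}}),
}

def parse_env(text):
    """Yield (key, value) pairs from KEY=VALUE lines, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def decode_secret_manifest(text):
    """Yield (key, plaintext) from a Kubernetes Secret manifest in JSON form."""
    try:
        doc = json.loads(text)
    except ValueError:
        return
    if not isinstance(doc, dict) or doc.get("kind") != "Secret":
        return
    for key, encoded in (doc.get("data") or {}).items():
        # No key material is needed: base64 is an encoding, not encryption.
        yield key, base64.b64decode(encoded).decode("utf-8", "replace")

def find_exposed_secrets(repo):
    """Return sorted (path, key, plaintext) for every recoverable value."""
    findings = []
    for path, text in repo.items():
        if path.endswith(".env"):
            findings += [(path, k, v) for k, v in parse_env(text)]
        elif path.endswith(".json"):
            findings += [(path, k, v) for k, v in decode_secret_manifest(text)]
    return sorted(findings)

if __name__ == "__main__":
    for path, key, value in find_exposed_secrets(SAMPLE_REPO):
        print(f"{path}: {key} recoverable ({len(value)} chars)")
```

The report prints only the length of each recovered value, so running the audit in CI does not copy the secrets into build logs.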
Without a centralized management platform, Beck’s team had limited insight into the status, usage, and modifications of secrets organization-wide. This gap made it difficult to enforce security policies uniformly, such as role-based access, and to conduct audits and remediation. The team needed a solution that could resolve their concerns with security, efficiency, and scalability while providing a foundation for future growth and innovation.
The growing complexity of Beck’s infrastructure, with its diverse applications deployed across on-premises Kubernetes, Linux, and Windows servers, demanded a holistic approach to managing secrets and configuration values. After evaluating several tools that either demanded significant integration effort or lacked essential functionality, Chris discovered Doppler. Drawn to its zero-trust approach and its promise of integrations and developer-centric design, he decided to test Doppler in a pilot project, focusing on dynamic secrets injection. “Doppler seemed to meet all our needs,” Chris recounted. “We were looking for one solution that could work with our environments with minimum management overhead. I tested it with a simple application by replacing its .env file and it worked right away. It was everything we were looking for, seamlessly replacing our previous method of managing environment variables.”
“I signed up for a Doppler account, tested it with a simple application by replacing its .env file and it worked right away. It was everything we were looking for.”
Doppler provided a unified platform for managing application secrets, eliminating fragmented and insecure .env file-based workflows. This significantly improved visibility and auditability, ensuring all applications accessed the most current values.
Doppler’s interoperability with Beck’s diverse tech stack enabled a smooth migration. The team used the Kubernetes operator and its auto-restart feature to automatically sync secrets from Doppler directly into their on-premises Kubernetes clusters. The auto-restart feature ensured that any secret update in Doppler would automatically restart the pods within Kubernetes, applying the new secrets without manual intervention. This workflow significantly reduced the risk of configuration errors and downtime previously experienced.
Chris further optimized the integration by developing a custom operator in their Kubernetes cluster that worked alongside Doppler's operator. This custom operator automated the creation of custom resources and service tokens in Kubernetes for any new environments or projects. The automation made onboarding new projects efficient and scalable, minimizing error risks and secret exposure. Chris summarized: “With everything secure within Doppler and nothing stored on GitHub, there's no need for manual deployment to the cluster. The custom operator automates the entire process for us.”
Implementing role-based access controls with Doppler enabled the Beck’s team to define granular permissions for accessing and managing secrets. By using Doppler’s custom roles, the team enforced the principle of least privilege, ensuring team members accessed only the secrets necessary for their roles. Furthermore, Doppler’s automated rotation for services like MongoDB Atlas periodically refreshed credentials, diminishing the risk associated with long-lived secrets.
By adopting Doppler, Beck’s Hybrids embraced a zero-trust approach to secrets management, significantly strengthening security and minimizing potential attack vectors. Secrets were no longer distributed insecurely but were securely accessed as needed. Access was tightly controlled, with each request authenticated and encrypted, and permissions tailored to the principle of least privilege and appropriate seniority levels.
Doppler streamlined the previously slow onboarding process for new developers. Now, setting up a development environment takes just minutes instead of hours, enabling new team members to contribute more quickly.
Using a simple doppler run command, developers can dynamically inject secrets directly into their applications at runtime. This eliminates the need for manual .env file management. The method fosters more agile and secure development practices, allowing secrets to be updated or rotated without any changes to the application code.
Doppler has delivered substantial benefits across Beck’s Hybrids' engineering team, becoming the single source of truth for secrets across 40 projects. This centralization allows the team to scale securely and efficiently.
“Doppler provides us with the assurance that what we see on the dashboard is what has been deployed, centralizing our secrets changes and streamlining workflows. We now have one single place to change them all.”
With Doppler, Beck’s team transitioned from scattered and vulnerable secrets management to a centralized, robust, and scalable system. This shift drastically reduced potential attack vectors by securing access points and sensitive information storage. Automatically rotating database credentials has allowed Jon and the team to minimize the window of opportunity for unauthorized access or breaches.
Doppler has cut project onboarding and environment setup time from 1 hour to just 10 minutes. It not only speeds project kick-offs but also significantly enhances the overall developer experience. The transition to dynamic secret injection further amplified operational agility, eliminating disruptions caused by secret updates.
"With Doppler, we don't have to worry about managing secrets. It's as simple as running a command that compiles the Doppler secrets automatically. We now spend 5-10 minutes explaining what Doppler is and why we're using it, then run doppler setup for the first time with the CLI. Truly, it's a no-brainer.”
Doppler's adoption has led to significant time savings and fewer deployment errors from environment misconfigurations. This has allowed Jon and the team to redirect resources previously spent on manual secret management toward innovation and strategic projects. “Instead of spending time on managing .env files we now focus on higher value work,” Hicaro stated. The system's reliability also led to fewer configuration-related deployment errors, boosting application stability and performance.
“Since integrating Doppler, we’ve reduced time spent on managing secrets by 80%, from 10 hours per month to just 2 hours.”
Reflecting on the past year's achievements, Chris summarized, “We reduced the sprawl of secrets, locked down access to secrets, streamlined the deployment of secrets, and improved developer onboarding and offboarding. We’ve overhauled every process. Just bringing Doppler on board has been a big win for the whole team.”