Kubernetes Secrets as environment variables
Importing secrets from Kubernetes
In addition to using Release secrets vaults to manage secret values from Release and external cloud providers, you can pull values from existing Kubernetes resources using $secrets.k8s_secret.<ref-name>:<ref-key> or $secrets.k8s_configmap.<ref-name>:<ref-key>.
key:
  type: String
  description: Environment variable name
  required: true
value:
  type: String
  description: Representation of the value to be fetched. $secrets.<k8s_secret|k8s_configmap>.<ref-name>:<ref-key> format. If secret is true, and this field is omitted, will use previously saved value.
  required: true (but hidden if secret)
secret:
  type: Boolean
  description: Value is secret and should be encrypted and not visible in the UI when viewing
  required: false, but required for Kubernetes secrets imports
Use cases
To reference Kubernetes Secrets, a Kubernetes Secret or ConfigMap object must be present in your cluster so that you can provide a value from it as an environment variable to your services. The Secret or ConfigMap object does not need to be managed by Release and can be created through a Helm chart or by hand. An example of this is Doppler.
Examples
The following example demonstrates how Release can create a Kubernetes Secret using a normal secret environment variable for an app called apache-php.

defaults:
  - key: NORMAL_SECRET
    value: documentation-value
    secret: true
  - key: KUBERNETES_SECRET
    value: $secrets.k8s_secret.apache-php-secrets:normal-secret
    secret: true

When Release creates and deploys an environment, it will also create a Kubernetes Secret named apache-php-secrets. In this Secret object, data has the key normal-secret.

Now we can use the same value (documentation-value) in KUBERNETES_SECRET by using the secret reference format $secrets.k8s_secret.apache-php-secrets:normal-secret.
Here's the Kubernetes YAML Release will generate as a result:
template:
  spec:
    containers:
      - env:
          - name: "KUBERNETES_SECRET"
            valueFrom:
              secretKeyRef:
                key: "normal-secret"
                name: "apache-php-secrets"
          - name: "NORMAL_SECRET"
            valueFrom:
              secretKeyRef:
                key: "normal-secret"
                name: "apache-php-secrets"
To use a Kubernetes ConfigMap instead, follow the same process using $secrets.k8s_configmap.existing-configmap:normal-secret. Release will produce the following Kubernetes YAML:
template:
  spec:
    containers:
      - env:
          - name: "KUBERNETES_SECRET"
            valueFrom:
              configMapKeyRef:
                key: "normal-secret"
                name: "existing-configmap"
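
The following Python is an added example, not Release's own code: it parses the reference format described above, builds the env item shown in the generated YAML, and flags k8s_secret references that lack secret: true. The function names, the name and key character rules, and the API_TOKEN and BROKEN entries are assumptions made for illustration.

```python
import re

# Page format: $secrets.<k8s_secret|k8s_configmap>.<ref-name>:<ref-key>
# Assumption: name/key character classes follow Kubernetes naming rules.
REF_RE = re.compile(
    r"\$secrets\.(k8s_secret|k8s_configmap)\."
    r"([a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?)"
    r":([A-Za-z0-9._-]+)"
)
KEY_REF = {"k8s_secret": "secretKeyRef", "k8s_configmap": "configMapKeyRef"}

def parse_ref(value):
    """Return (source, name, key), or None for a literal or omitted value."""
    if not isinstance(value, str) or not value.startswith("$secrets.k8s_"):
        return None
    m = REF_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"malformed Kubernetes reference: {value!r}")
    return m.groups()

def to_env_var(entry):
    """Build the container env item for one reference entry."""
    source, name, key = parse_ref(entry["value"])
    return {"name": entry["key"],
            "valueFrom": {KEY_REF[source]: {"key": key, "name": name}}}

def lint_defaults(defaults):
    """Return (env_key, problem) findings for a list of entries."""
    findings = []
    for entry in defaults:
        try:
            ref = parse_ref(entry.get("value"))
        except ValueError as exc:
            findings.append((entry["key"], str(exc)))
            continue
        if ref and ref[0] == "k8s_secret" and entry.get("secret") is not True:
            findings.append((entry["key"], "k8s_secret import needs secret: true"))
    return findings

# Constructed sample: the first two entries are the page's, the rest are made up.
SAMPLE = [
    {"key": "NORMAL_SECRET", "value": "documentation-value", "secret": True},
    {"key": "KUBERNETES_SECRET",
     "value": "$secrets.k8s_secret.apache-php-secrets:normal-secret", "secret": True},
    {"key": "API_TOKEN", "value": "$secrets.k8s_secret.apache-php-secrets:api-token"},
    {"key": "BROKEN", "value": "$secrets.k8s_secret.apache-php-secrets"},
]

if __name__ == "__main__":
    print(to_env_var(SAMPLE[1]), lint_defaults(SAMPLE))
```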