Kubernetes Secrets as environment variables

Importing secrets from Kubernetes

In addition to using Release secrets vaults to manage secret values from Release and external cloud providers, you can pull values from existing Kubernetes resources using $secrets.k8s_secret.<ref-name>:<ref-key> or $secrets.k8s_configmap.<ref-name>:<ref-key>.

key:
  type: String
  description: Environment variable name
  required: true
value:
  type: String
  description: Representation of the value to be fetched, in $secrets.<k8s_secret|k8s_configmap>.<ref-name>:<ref-key> format. If secret is true and this field is omitted, the previously saved value is used.
  required: true (but hidden if secret)
secret:
  type: Boolean
  description: Value is secret and should be encrypted and not visible in the UI when viewing
  required: false, but required for Kubernetes secrets imports

Use cases

To reference Kubernetes Secrets, a Kubernetes Secret or ConfigMap object must be present in your cluster so that you can provide a value from it as an environment variable to your services. The Secret or ConfigMap object does not need to be managed by Release and can be created through a Helm chart or by hand. An example of this is Doppler.

Examples

The following example demonstrates how Release can create a Kubernetes Secret using a normal secret environment variable for an app called apache-php.

defaults:
- key: NORMAL_SECRET
  value: documentation-value
  secret: true
- key: KUBERNETES_SECRET
  value: $secrets.k8s_secret.apache-php-secrets:normal-secret
  secret: true

When Release creates and deploys an environment, it will also create a Kubernetes Secret named apache-php-secrets. In this Secret object, data has the key normal-secret.

Now we can use the same value (documentation-value) in KUBERNETES_SECRET by using the secret reference format $secrets.k8s_secret.apache-php-secrets:normal-secret.

Here's the Kubernetes YAML Release will generate as a result:

template:
  spec:
    containers:
    - env:
      - name: "KUBERNETES_SECRET"
        valueFrom:
          secretKeyRef:
            key: "normal-secret"
            name: "apache-php-secrets"
      - name: "NORMAL_SECRET"
        valueFrom:
          secretKeyRef:
            key: "normal-secret"
            name: "apache-php-secrets"

To use a Kubernetes ConfigMap instead, follow the same process using $secrets.k8s_configmap.existing-configmap:normal-secret. Release will produce the following Kubernetes YAML:

template:
  spec:
    containers:
    - env:
      - name: "KUBERNETES_SECRET"
        valueFrom:
          configMapKeyRef:
            key: "normal-secret"
            name: "existing-configmap"
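
The reference format and the secret: true requirement described above can be checked before a template is deployed. The following is an added example, not Release's own code: a small linter that parses each reference and renders the matching secretKeyRef or configMapKeyRef entry. The function name lint_env, the naming-rule regexes and the sample entries other than the page's KUBERNETES_SECRET are assumptions made for illustration.

```python
import re

# Reference format from the page: $secrets.<k8s_secret|k8s_configmap>.<ref-name>:<ref-key>
REF_RE = re.compile(r"\$secrets\.(k8s_secret|k8s_configmap)\.([^:]+):(.+)")
# Assumption: approximate Kubernetes naming rules (DNS-1123 subdomain names,
# data keys limited to alphanumerics, '-', '_' and '.').
NAME_RE = re.compile(r"[a-z0-9]([-a-z0-9.]*[a-z0-9])?")
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")

def lint_env(entries):
    """Return (env, findings): rendered env entries and a list of problems."""
    env, findings = [], []
    for e in entries:
        key, value = e.get("key"), str(e.get("value") or "")
        m = REF_RE.fullmatch(value)
        if not m:
            # Plain values are not references; only flag broken k8s references.
            if value.startswith("$secrets.k8s_"):
                findings.append(f"{key}: malformed reference {value!r}")
            continue
        kind, name, ref_key = m.groups()
        if len(name) > 253 or not NAME_RE.fullmatch(name) or not KEY_RE.fullmatch(ref_key):
            findings.append(f"{key}: invalid object name or key in {value!r}")
            continue
        # The page requires secret: true for Kubernetes Secret imports.
        if kind == "k8s_secret" and e.get("secret") is not True:
            findings.append(f"{key}: k8s_secret import without secret: true")
            continue
        source = "secretKeyRef" if kind == "k8s_secret" else "configMapKeyRef"
        env.append({"name": key, "valueFrom": {source: {"key": ref_key, "name": name}}})
    return env, findings

# Constructed sample input; the first entry is the page's own example.
SAMPLE = [
    {"key": "KUBERNETES_SECRET", "secret": True,
     "value": "$secrets.k8s_secret.apache-php-secrets:normal-secret"},
    {"key": "FROM_CONFIGMAP",
     "value": "$secrets.k8s_configmap.existing-configmap:normal-secret"},
    {"key": "UNMARKED", "value": "$secrets.k8s_secret.apache-php-secrets:normal-secret"},
    {"key": "BROKEN", "secret": True, "value": "$secrets.k8s_secret.apache-php-secrets"},
    {"key": "NORMAL_SECRET", "secret": True, "value": "documentation-value"},
]

if __name__ == "__main__":
    env, findings = lint_env(SAMPLE)
    for item in env:
        print(item)
    for f in findings:
        print("FINDING:", f)
```

Plain values such as NORMAL_SECRET are skipped because they are not references; the linter does not model how Release stores them.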
