Configure secret runtime environment variables

App developers can configure non-secret environment variables at build-time. You can also override environment variables later in the application lifecycle and during runtime by using secret environment variables. Secret environment variables enable you to provide environment-specific configuration, dynamically reconfigure an app, and handle sensitive values that should not be committed in source code. The values for secret variables are stored as Kubernetes secrets. Modifying secret runtime environment variables restarts the app and applies the new values.

Important
Non-secret environment variables should not include sensitive data and are immutable at runtime. By configuring secret variables at runtime, you can override the value of an existing non-secret variable.

Before you begin

Use tanzu build > tanzu deploy to build a container app and deploy it into a Space.

Read and update environment variables

Tanzu CLI-based steps

You read and update environment variables from within the context of a Space.

Ensure that your Space context is set correctly.

tanzu project use PROJECT-NAME

tanzu space use SPACE-NAME

Ensure that the application is deployed in the Space and view its environment variables.
```
tanzu app get CONTAINER-APP-NAME
```
Set one or more environment variables.

You can set multiple variables in a single command.
```
tanzu app env set CONTAINER-APP-NAME KEY1=VALUE1 KEY2=VALUE2
```
You can specify either new or existing variables. If you specify an existing variable, it is updated with the value you define.
List the current environment variables.
```
tanzu app env list CONTAINER-APP-NAME --show-secrets
```
This will list all variables with their current values, regardless of their source. Secret runtime variables take precendence over non-secret build-time variables.
The --show-secrets option includes the secret values in the output. If --show-secrets is not used, the secret values are not included.
You can also use tanzu app get with the --show-secrets option to see secret environment variables.
```
tanzu app get CONTAINER-APP-NAME --show-secrets
```
Delete one or more secret environment variables.
```
tanzu app env delete CONTAINER-APP-NAME KEY1 KEY2
```
Note
You cannot use the tanzu app env delete command to delete non-secret variables set at build-time, because they are immutable. You can only use this command to delete an overriding secret variable, which will revert to its initial build-time value.

GraphQL-based steps

You can use the Tanzu Platform hub GraphQL Playground, or a GraphQL client of choice, to read and modify the environment variables of a running app.

Construct a Space context to pass in the request variables.

{
   "context": {
      "path": "project/PROJECT-ID/space/SPACE-NAME",
      "namespace": "default"
   }
}

Obtain an access token and set it in the request header section.
```
{
   "Authorization": "Bearer ACCESS-TOKEN"
}
```

Create, update, or delete an arbitrary number of secret environment variables by using a single mutation.

mutation updateEnvVars($context: KubernetesResourceContextInput!) {
   applicationEngineMutation(context: $context) {
      mutateContainerApp {
         mutateEnvVars(containerAppName: "CONTAINER-APP-NAME", vars: [{key: "KEY1", value: "VALUE1"}, {key: "KEY2", value: "VALUE2"}, {key: "KEY-TO-DELETE"}]) {
            spec {
               secretEnv {
                  name
                  secretKeyRef {
                     key
                     name
                  }
               }
            }
         }
      }
   }
}

The GraphQL example above performs the following tasks:

Creates new or updates existing variables KEY1 and KEY2
Deletes the KEY-TO-DELETE variable by omitting its value
Does not modify the other container app variables

Query the environment variables and their values.

query queryEnvVars($context: KubernetesResourceContextInput) {
   applicationEngineQuery(context: $context) {
      queryContainerApps(name: ["CONTAINER-APP-NAME"]) {
         edges {
            node {
               relationships {
               secretEnvReferencedSecrets {
                  secrets {
                     name
                     data {
                        key
                        value
                     }
                  }
               }
               }
            }
         }
         containerapps {
            spec {
               nonSecretEnv {
                  name
                  value
               }
               secretEnv {
                  name
                  secretKeyRef {
                     key
                     name
                  }
               }
            }
         }
      }
   }
}

The API query above obtains low-level data directly from the underlying resources.

The key/value pairs of the non-secret variables under applicationEngineQuery.queryContainerApps.containerapps.spec.nonSecretEnv.
Some information for each secret variable, namely its key and a reference to the Kubernetes secret that contains its value.
To see the actual value for a given secret variable from the secretEnv section, follow its secretKeyRef to find the relevant entry in applicationEngineQuery.queryContainerApps.edges.node.relationships.secretEnvReferencedSecrets.secrets. The secret name should match the one in secretKeyRef.name and the key within the secret data should be the same as secretKeyRef.key.

GitOps-based steps

You can also modify secret environment variables by modifying the Kubernetes resources of a Space directly.

From within the context of your Space, get the kubeconfig.
```
tanzu context current
```
Copy the path to the kubeconfig from the Kube config: section of the output.
Set your KUBECONFIG
```
export KUBECONFIG=<COPIED-PATH>
```

Apply the secrets that contain your environment variable values.

kubectl create secret generic SECRET-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2

Reference the secrets from the ContainerApp spec.
```
kubectl edit containerapps.apps.tanzu.vmware.com CONTAINER-APP-NAME
```
Add the following section to the spec:
```
secretEnv:
- name: KEY1
   secretKeyRef:
      key: KEY1
      name: SECRET-NAME
- name: KEY2
   secretKeyRef:
      key: KEY2
      name: SECRET-NAME
```
Note
Ensure that the spec is valid by making sure that the referenced secrets exist, as well as the keys that they contain.

You can reference an arbitrary number of secrets. The system ensures that if a referenced value changes, the container app restarts with the new value.
Secrets that you reference in a ContainerApp spec remain immutable if you later use the Tanzu CLI or GraphQL to override or delete them. Changes are applied only by modifying the ContainerApp spec and referencing a different secret.

Important
If you name a secret CONTAINER-APP-NAME-env, this secret is not immutable and can be overridden or deleted by the Tanzu CLI or GraphQL.
To delete a secret environment variable, remove its entry from the spec.secretEnv list.