App developers can configure non-secret environment variables at build-time. You can also override environment variables later in the application lifecycle and during runtime by using secret environment variables. Secret environment variables enable you to provide environment-specific configuration, dynamically reconfigure an app, and handle sensitive values that should not be committed in source code. The values for secret variables are stored as Kubernetes secrets. Modifying secret runtime environment variables restarts the app and applies the new values.
ImportantNon-secret environment variables should not include sensitive data and are immutable at runtime. By configuring secret variables at runtime, you can override the value of an existing non-secret variable.
Use tanzu build
> tanzu deploy
to build a container app and deploy it into a Space.
Ensure that your Space context is set correctly.
tanzu project use PROJECT-NAME
tanzu space use SPACE-NAME
tanzu app get CONTAINER-APP-NAME
Set one or more environment variables.
You can set multiple variables in a single command.
tanzu app env set CONTAINER-APP-NAME KEY1=VALUE1 KEY2=VALUE2
You can specify either new or existing variables. If you specify an existing variable, it is updated with the value you define.
List the current environment variables.
tanzu app env list CONTAINER-APP-NAME --show-secrets
This will list all variables with their current values, regardless of their source. Secret runtime variables take precendence over non-secret build-time variables.
The --show-secrets
option includes the secret values in the output. If --show-secrets
is not used, the secret values are not included.
You can also use tanzu app get
with the --show-secrets
option to see secret environment variables.
tanzu app get CONTAINER-APP-NAME --show-secrets
Delete one or more secret environment variables.
tanzu app env delete CONTAINER-APP-NAME KEY1 KEY2
NoteYou cannot use the
tanzu app env delete
command to delete non-secret variables set at build-time, because they are immutable. You can only use this command to delete an overriding secret variable, which will revert to its initial build-time value.
{
"context": {
"path": "project/PROJECT-ID/space/SPACE-NAME",
"namespace": "default"
}
}
{
"Authorization": "Bearer ACCESS-TOKEN"
}
Create, update, or delete an arbitrary number of secret environment variables by using a single mutation.
mutation updateEnvVars($context: KubernetesResourceContextInput!) {
applicationEngineMutation(context: $context) {
mutateContainerApp {
mutateEnvVars(containerAppName: "CONTAINER-APP-NAME", vars: [{key: "KEY1", value: "VALUE1"}, {key: "KEY2", value: "VALUE2"}, {key: "KEY-TO-DELETE"}]) {
spec {
secretEnv {
name
secretKeyRef {
key
name
}
}
}
}
}
}
}
The GraphQL example above performs the following tasks:
KEY1
and KEY2
KEY-TO-DELETE
variable by omitting its valueQuery the environment variables and their values.
query queryEnvVars($context: KubernetesResourceContextInput) {
applicationEngineQuery(context: $context) {
queryContainerApps(name: ["CONTAINER-APP-NAME"]) {
edges {
node {
relationships {
secretEnvReferencedSecrets {
secrets {
name
data {
key
value
}
}
}
}
}
}
containerapps {
spec {
nonSecretEnv {
name
value
}
secretEnv {
name
secretKeyRef {
key
name
}
}
}
}
}
}
}
The API query above obtains low-level data directly from the underlying resources.
applicationEngineQuery.queryContainerApps.containerapps.spec.nonSecretEnv
.secretEnv
section, follow its secretKeyRef
to find the relevant entry in applicationEngineQuery.queryContainerApps.edges.node.relationships.secretEnvReferencedSecrets.secrets
. The secret name should match the one in secretKeyRef.name
and the key within the secret data should be the same as secretKeyRef.key
.kubeconfig
. tanzu context current
Copy the path to the kubeconfig
from the Kube config:
section of the output.
export KUBECONFIG=<COPIED-PATH>
kubectl create secret generic SECRET-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2
Reference the secrets from the ContainerApp
spec.
kubectl edit containerapps.apps.tanzu.vmware.com CONTAINER-APP-NAME
Add the following section to the spec:
secretEnv:
- name: KEY1
secretKeyRef:
key: KEY1
name: SECRET-NAME
- name: KEY2
secretKeyRef:
key: KEY2
name: SECRET-NAME
NoteEnsure that the spec is valid by making sure that the referenced secrets exist, as well as the keys that they contain.
You can reference an arbitrary number of secrets. The system ensures that if a referenced value changes, the container app restarts with the new value.
Secrets that you reference in a ContainerApp
spec remain immutable if you later use the Tanzu CLI or GraphQL to override or delete them. Changes are applied only by modifying the ContainerApp
spec and referencing a different secret.
ImportantIf you name a secret
CONTAINER-APP-NAME-env
, this secret is not immutable and can be overridden or deleted by the Tanzu CLI or GraphQL.
spec.secretEnv
list.