Skip to main content
Configure environment variables and secrets for your services to manage configuration across different environments like development, staging, and production.

Accessing Environment Variables & Secrets

Environment variables and secrets are configured per service:
  1. Navigate to Services in the sidebar
  2. Select your service
  3. Click the Env Vars & Secrets tab
Environment Variables & Secrets tab showing base configuration and environment overrides

Environment Variables

Base Variables (All Environments)

Base variables apply to all environments unless overridden. Use these for configuration that’s consistent across environments. To add a base variable:
  1. Click base (default) in the environment selector
  2. Click Add
  3. Enter the Key and Value
  4. Click Apply to save changes

Environment-Specific Variables

Override base variables or add environment-specific configuration by selecting an environment from the sidebar.
Production environment showing environment-specific variables and inherited base variables
To add or override environment-specific variables:
  1. Select an environment from the sidebar (e.g., “production”)
  2. Click Add or modify existing variables
  3. Variables inherited from base configuration are labeled as “(inherited)”
  4. Click Apply to save changes
Variables you define in an environment override the base value for that environment only. Other environments continue using the base value.

Edit as Raw Text

For bulk editing, click Edit as raw text to edit variables in KEY=VALUE format. This is useful when importing variables from another source or making multiple changes at once.

Secrets Management

Secrets are environment-specific only. Each environment (production, staging, etc.) has its own set of secrets.

Adding Secrets

Secrets are encrypted using Bitnami Sealed Secrets before being stored in your repository. This ensures sensitive data like API keys, database passwords, and tokens remain secure. To add a secret:
  1. Select an environment from the sidebar in the Secrets section
  2. Click Add
  3. Enter the Key (e.g., DATABASE_URL, API_KEY)
  4. Enter the plain-text Value
  5. Click Apply
Once saved, secrets are displayed in encrypted form (sealed:encrypted_content_here). You can edit the encrypted value, but to change the actual secret, delete it and re-add with a new plain-text value.

Import Secrets

Click Import to import secrets from a file or another source. This is useful when migrating secrets between environments or services.

How Sealed Secrets Work

  1. Encryption: When you add a secret, Skyhook encrypts it with a public key before storing it in your repository
  2. Storage: Encrypted secrets are safe to store in Git alongside your code
  3. Decryption: The Sealed Secrets controller in your Kubernetes cluster decrypts secrets at runtime using a private key
  4. Security: Skyhook never has access to the private decryption key; only your clusters can decrypt secrets
This provides:
  • Version control for secrets (track changes, revert if needed)
  • Audit trail (see who modified secrets and when)
  • Secure storage (encrypted values are safe even if your repository is compromised)

Auto-Reload on Configuration Changes

By default, Kubernetes does not restart pods when environment variables or secrets change. Enable auto-reload to ensure your service automatically restarts with the latest configuration.

Enabling Auto-Reload

  1. Scroll to the Deployment Configuration section
  2. Check Reload on Environment Variables or Secrets Update
  3. Click Apply
Auto-reload requires the Reloader add-on to be installed on your clusters. Install it from the Addons page before enabling this feature.

How It Works

When enabled, Reloader monitors ConfigMaps and Secrets for changes and triggers a rolling restart of your service pods automatically. This ensures:
  • No manual pod restarts needed
  • Configuration changes take effect immediately
  • Zero-downtime updates with rolling restart strategy
  • Better automation in CI/CD and GitOps workflows

Best Practices

Environment Variables vs Secrets

Use environment variables for:
  • Non-sensitive configuration (log levels, feature flags, ports)
  • Values that may change between environments
  • Public API endpoints or identifiers
Use secrets for:
  • Passwords, API keys, tokens, certificates
  • Database connection strings (if they contain credentials)
  • Any sensitive data that shouldn’t be exposed

Managing Secrets Safely

Never commit plain-text secrets to your code repository. Always use Skyhook’s Secrets management or environment variables for sensitive data.
  • Rotate secrets regularly: Update API keys and passwords periodically
  • Use environment-specific secrets: Production should use different credentials than staging/dev
  • Limit access: Only grant secret access to team members who need it
  • Delete unused secrets: Remove old or deprecated secrets to reduce security surface

Troubleshooting

Changes Not Taking Effect

If your configuration changes aren’t reflected in your running service:
  1. Verify changes were applied: Check that you clicked Apply after making changes
  2. Check for auto-reload: If auto-reload is disabled, manually restart pods: 
    kubectl rollout restart deployment/<service-name> -n <namespace>
  3. Verify Reloader is installed: If auto-reload is enabled but not working, check that the Reloader add-on is installed on your cluster

Encrypted Secret Values

If you see sealed:encrypted_content_here when viewing secrets, this is expected; secrets are encrypted for security. To update a secret with a new value:
  1. Delete the existing secret using the trash icon
  2. Add it again with the same key and new plain-text value
  3. Click Apply to encrypt and save the new secret

Variables with Quotes

Skyhook detects when variable values contain quotes and warns you if they might be included in the actual environment variable value. If you see a warning:
  • Remove quotes if they’re not intended (e.g., "true" should be true)
  • Keep quotes if they’re part of the value (e.g., a JSON string or value with spaces)

Next Steps