Okteto Secrets

Applications are built to run in multiple environments: development, staging, production, and so on. These environments typically run the same code, but very often they require environment-specific configurations. For example, your application might need different passwords to access your database in staging and in production, or you might want to use different Twilio API keys for different environments.

Application configuration should be passed at deployment time, not hardcoded in your code. This way you can modify each environment's configuration in isolation, while also preventing credentials from being stored in version control or, worse, in Docker images.

Okteto Secrets allows you to save application configuration in Okteto Cloud and automatically injects it at deployment time.

Manage Okteto Secrets from the Okteto Cloud UI

You can create and delete your Okteto Secrets from the Secrets tab in the namespace view of the Okteto Cloud UI:

To create a new secret, click on the Add Secret button, and provide a name and a value. The value will be masked once the secret is created.

To delete an existing secret, click on the Delete button on the right. You'll have to confirm your choice before the secret is deleted. Deleted secrets can't be recovered, so be careful when doing this.

Accessing Okteto Secrets from your Application

Okteto Secrets are automatically injected as environment variables into every application you deploy in the namespace.

Okteto Secrets take precedence over existing environment variables defined in your manifests. For example, if you define an environment variable with the name PASSWORD in your deployment manifest, and you also create an Okteto Secret with the name PASSWORD, the value for the PASSWORD environment variable will be taken from the Okteto Secret.


Here's an example of how you can configure your application to work on different environments using Okteto Secrets.


Step 1: Deploy the Sample App

Get a local version of the Sample App by executing the following commands:

$ git clone https://github.com/okteto/secrets-getting-started
$ cd secrets-getting-started

The k8s.yml file contains the Kubernetes manifests of the Sample App. Deploy the application by executing:

$ kubectl apply -f k8s.yml
deployment.apps "hello-world" created
service "hello-world" created

Open your browser and go to the URL of the application. You can get the URL by logging into Okteto Cloud and clicking on the application's endpoint:

The application returns a beautiful Hello Tom! message 😀. The name comes from the value of the HELLO_WORLD_USER environment variable, which is defined in the k8s.yml Kubernetes manifest:

- image: okteto/hello-world:secrets
  name: hello-world
  env:
  - name: HELLO_WORLD_USER
    value: Tom

Step 2: Create the HELLO_WORLD_USER Okteto Secret

Go to the Secrets tab in the namespace view of the Okteto Cloud UI. Click the Add Secret button and define the HELLO_WORLD_USER secret with your name:

Step 3: Redeploy the Sample App

Redeploy the Sample App to get your Okteto Secret by executing:

$ kubectl rollout restart deployment/hello-world
deployment.extensions/hello-world restarted

When the application is redeployed, Okteto Cloud will automatically inject your Okteto Secrets. Wait a couple of seconds for the application to finish redeploying, go back to the browser and refresh the page to see the new Hello Cindy! message.
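
The precedence rule from "Accessing Okteto Secrets from your Application", applied to the Sample App: the following is an added example, not code from Okteto or the Sample App repository. It reports which manifest variables a same-named Okteto Secret will silently override. The deployment JSON is constructed, and `LOG_LEVEL`, `shadowed_vars` and `effective_env` are hypothetical names; the injection model is an assumption based only on the behavior described on this page.

```python
import json

# Constructed sample: trimmed `kubectl get deployment hello-world -o json`
# for the Sample App; LOG_LEVEL is a hypothetical second variable.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {"containers": [{
  "name": "hello-world",
  "image": "okteto/hello-world:secrets",
  "env": [{"name": "HELLO_WORLD_USER", "value": "Tom"},
          {"name": "LOG_LEVEL", "value": "info"}]
}]}}}}
""")

def _containers(deployment):
    return deployment["spec"]["template"]["spec"].get("containers", [])

def shadowed_vars(deployment, secret_names):
    """List (container, variable) pairs whose manifest value is ignored
    because an Okteto Secret with the same name exists in the namespace."""
    return [
        (c["name"], entry["name"])
        for c in _containers(deployment)
        for entry in c.get("env") or []
        if entry["name"] in secret_names
    ]

def effective_env(deployment, secret_names):
    """Return {container: {variable: (source, value)}} after injection.

    Assumed model of the documented rule: every secret reaches every
    container, and a secret wins over a manifest variable of the same name.
    Secret values are reported as "<masked>" so the result is safe to log.
    """
    result = {}
    for c in _containers(deployment):
        env = {}
        for entry in c.get("env") or []:
            # Entries that use valueFrom carry no literal "value".
            env[entry["name"]] = ("manifest", entry.get("value"))
        for name in secret_names:
            env[name] = ("okteto-secret", "<masked>")
        result[c["name"]] = env
    return result

if __name__ == "__main__":
    names = {"HELLO_WORLD_USER"}  # name of the secret created in Step 2
    print("shadowed:", shadowed_vars(SAMPLE_DEPLOYMENT, names))
    print("effective:", effective_env(SAMPLE_DEPLOYMENT, names))
```

Only secret names are passed in, so the check can run in CI or a review script without ever handling secret values.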