Logo

Usage Examples

Kubernetes

Three patterns work cleanly: a) generate a Kubernetes Secret manifest at deploy time, b) bake the CLI into the container image and call envv run as the entrypoint, or c) use an init container to materialize a shared volume.

Pattern A — Generated Secret

# Generate the Secret manifest at deploy time
kubectl create secret generic my-app-env \
  --from-env-file=<(envv generate --type=env -e production) \
  --dry-run=client -o yaml | kubectl apply -f -

# Reference it in your Deployment
spec:
  template:
    spec:
      containers:
        - name: web
          image: my-image
          envFrom:
            - secretRef:
                name: my-app-env

Pattern B — envv run as Entrypoint

# Dockerfile — bake CLI into image
FROM node:20
COPY --from=envvault/cli:latest /usr/local/bin/envv /usr/local/bin/envv
COPY . /app
WORKDIR /app
ENTRYPOINT ["envv", "run", "-e", "production", "--", "node", "server.js"]

# Provide only ENVVAULT_TOKEN as a Kubernetes Secret
apiVersion: v1
kind: Secret
metadata:
  name: envvault-token
type: Opaque
stringData:
  ENVVAULT_TOKEN: evk_xxxxxxxxxxxxxxxxx

Reference the token via envFrom: - secretRef: name: envvault-token.

Pattern C — Init Container

spec:
  template:
    spec:
      volumes:
        - name: envvault-vol
          emptyDir: {}
      initContainers:
        - name: envvault-init
          image: envvault/cli:latest
          command: ["sh", "-c"]
          args:
            - 'envv generate --type=env -e production > /shared/.env'
          envFrom:
            - secretRef: { name: envvault-token }
          volumeMounts:
            - name: envvault-vol
              mountPath: /shared
      containers:
        - name: web
          image: my-image
          command: ["sh", "-c"]
          args: ["set -a && . /shared/.env && set +a && exec node server.js"]
          volumeMounts:
            - name: envvault-vol
              mountPath: /shared

Helm

helm upgrade my-app ./chart \
  --set-file env=<(envv generate --type=env -e production)

Reference the file in your values.yaml as a multiline string and render it into a Secret template.

Rotation

After rotating an EnvVault secret, re-apply the Kubernetes Secret and trigger a rollout:

kubectl create secret generic my-app-env \
  --from-env-file=<(envv generate --type=env -e production) \
  --dry-run=client -o yaml | kubectl apply -f -
kubectl rollout restart deployment/my-app