dotEnv
Integrations

Kubernetes

Materialize secrets into Kubernetes using the dotEnv CLI in an init container or CI step.

Back to all guides

dotEnv Cloud does not ship a Kubernetes operator or CRD. Instead, you use the dotEnv CLI as a small, well-understood step that materializes your secrets into a native Kubernetes Secret, either from your pipeline or from an init container. This keeps Kubernetes as the single source of truth your pods consume, while dotEnv Cloud remains the source of truth your team manages.

Pattern 1: create a Secret from your pipeline

The most common pattern is to pull secrets in CI and apply them as a Kubernetes Secret with kubectl. Pull to a file, then pipe it into --from-env-file:

terminal
# Pull the merged secrets for the environment
dotenv pull my-app/production/api --output=.env
# Create or update the Kubernetes Secret from that file
kubectl create secret generic my-app-secrets \
  --from-env-file=.env \
  --dry-run=client -o yaml | kubectl apply -f -

Reference the Secret from your Deployment with envFrom:

deployment.yaml
spec:
  containers:
    - name: my-app
      image: my-app:latest
      envFrom:
        - secretRef:
            name: my-app-secrets

Pattern 2: an init container that pulls at startup

If you prefer secrets to be fetched at pod start rather than at deploy time, run the CLI in an init container that writes a file to a shared emptyDir volume the app container reads. Store the API key as a Kubernetes Secret and expose it to the init container only.

pod-spec.yaml
spec:
  volumes:
    - name: secrets
      emptyDir: {}
  initContainers:
    - name: fetch-secrets
      image: dotenvcloud/cli:latest
      env:
        - name: DOTENV_API_KEY
          valueFrom:
            secretKeyRef:
              name: dotenv-api-key
              key: token
      command: ["sh", "-c"]
      args: ["dotenv pull my-app/production/api --output=/secrets/.env"]
      volumeMounts:
        - name: secrets
          mountPath: /secrets
The init-container image name above is illustrative. Use whichever image in your registry has the dotEnv CLI installed, or build a small one from the install script.

Client-managed encryption

For client-managed projects, supply the encryption key to the pulling step the same way you supply the API key, through DOTENV_CLIENT_KEY from a Kubernetes Secret, or a key file passed with --client-key. Decryption happens locally inside the init container, so plaintext never leaves the cluster.

Next, see how to deliver secrets to managed compute in the AWS guide.