Skip to main content
Warning This document has not been updated for a while now. It may be out of date.
Last updated: 22 Mar 2024

Set or change an environment variable for your app

Update an ordinary (non-secret) environment variable

To update the value of an ordinary environment variable, raise a PR to change the value.

Per-app environment variables

Per-app environment variables are defined using Helm values for each environment:

Changes to Helm values will be rolled out automatically by Argo CD within a few minutes of merging the PR.

Global environment variables

Global environment variables are defined in a ConfigMap Helm template. These environment variables are set for all GOV.UK apps, for example in their Deployment manifests.

Changes to the ConfigMap require a rollout (rolling restart) of the affected apps in order to take effect. To do this for one or more specific apps:

k rollout restart deploy/foo-app deploy/bar-app ...

Or for all apps:

k rollout restart deploy

You can watch the progress of the rollout(s) using the Argo CD web UI or using kubectl:

k rollout status deploy

Update an environment variable from a Secrets Manager secret

An environment variable can take its value from an AWS Secrets Manager secret.

The flow of information is: Secrets Manager secret -> External Secrets Operator (configured by an ExternalSecret k8s object) -> Kubernetes Secret object (created/updated by External Secrets Operator) -> valueFrom reference on the app’s Pod spec.

To create a new secret, see Add secrets to your app.

For now, apps are not automatically restarted when external (that is, Secrets Manager) secrets change.

To update an existing secret:

  1. Edit the JSON value of the secret in Secrets Manager. You can also do this via the aws command line tool.

  2. Delete the corresponding Kubernetes secret in order to force an update. You can do this via the Argo CD web UI or via kubectl. If you prefer, you can wait for External Secrets Operator to pull the new value automatically. It polls once per hour, independently per secret.

    k delete secret foo-app-api-key
    
  3. Do a rolling restart of the affected app:

    k rollout restart deploy/foo-app
    k rollout status !$
    

    You can also use the Argo CD web UI to see the progress of the rollout and the health of the app’s pods.