Set or change an environment variable for your app
Update an ordinary (non-secret) environment variable
To update the value of an ordinary environment variable, raise a PR to change the value.
Per-app environment variables
Per-app environment variables are defined using Helm values for each environment:
Changes to Helm values will be rolled out automatically by Argo CD within a few minutes of merging the PR.
Global environment variables
Global environment variables are defined in a ConfigMap Helm template. These environment variables are set for all GOV.UK apps, for example in their Deployment manifests.
Changes to the ConfigMap require a rollout (rolling restart) of the affected apps in order to take effect. To do this for one or more specific apps:
k rollout restart deploy/foo-app deploy/bar-app ...
Or for all apps:
k rollout restart deploy
You can watch the progress of the rollout(s) using the Argo CD web UI or using kubectl:
k rollout status deploy
Update an environment variable from a Secrets Manager secret
An environment variable can take its value from an AWS Secrets Manager secret.
The flow of information is: Secrets Manager secret -> External Secrets Operator (configured by an ExternalSecret k8s object) -> Kubernetes Secret object (created/updated by External Secrets Operator) -> valueFrom reference on the app’s Pod spec.
To create a new secret, see Add secrets to your app.
For now, apps are not automatically restarted when external (that is, Secrets Manager) secrets change.
To update an existing secret:
Edit the JSON value of the secret in Secrets Manager. You can also do this via the
awscommand line tool.Force the secret to be synchronised to pods.
kubectl annotate -n apps externalsecrets <external-secret-name> force-sync=$(date +%s) --overwrite
The name of the secret in AWS’s web console probably has forward slashes in, which won’t work. To find out its real name to use as <external-secret-name> do:
```sh
kubectl get externalsecrets -n apps
```