Overview

The Secret Env Var Syncer (SEVS) runs as a cron workload that syncs keys from Control Plane dictionary secrets into environment variables on GVCs or individual workload containers. It runs on a configurable schedule, applies the changes, then exits.

How It Works

SEVS runs as a cron workload on Control Plane. Your sync configuration is stored in a Control Plane secret and mounted into the workload as config.yaml. On each execution, SEVS reads the list of entries, fetches the specified dictionary secrets, and applies their keys as environment variables to the target GVCs or workload containers. The job then exits until the next scheduled run. Env var values are written as cpln://secret/SECRET_NAME.KEY_NAME references — not raw values. This means the target resource resolves the secret reference at runtime rather than storing the value inline. SEVS skips the PUT request when the target already matches the desired env vars, making each run idempotent.

What Gets Created

  • Cron SEVS Workload — A cron workload that reads the mounted config, syncs dictionary secret keys as environment variable references to each configured target, then exits.
  • Identity — An identity bound to the workload, used to authenticate against the Control Plane API.
  • Policies — Three policies granting the identity reveal on all secrets, edit on all GVCs, and edit on all workloads.
  • Secret — An opaque secret containing the sync configuration (config.yaml), mounted into the workload at /app/config.yaml.
This template does not create a GVC. You must deploy it into an existing GVC.

Prerequisites

  • One or more Control Plane dictionary secrets containing the key-value pairs you want to sync as environment variables.

Installation

To install, follow the instructions for your preferred method:

  • UI — Browse, install, and manage templates visually
  • CLI — Manage templates from your terminal
  • Terraform — Declare templates in your Terraform configurations
  • Pulumi — Declare templates in your Pulumi programs

Configuration

The default values.yaml for this template:
image: ghcr.io/controlplane-com/cpln-build/secret-env-var-syncer:v1.3.1

resources:
  cpu: 100m
  memory: 256Mi

schedule: "*/5 * * * *" # Default: every 5 minutes. Uses standard cron syntax (minute hour day month weekday).

timeoutSeconds: 300 # Maximum time allowed for a single sync run. Increase if you have a large number of entries.

sevsConfig:
  entries:
    - target:
        type: gvc
        name: my-gvc
      secret: my-dictionary-secret
    # - target:
    #     type: workload
    #     name: my-workload
    #     gvc: my-gvc
    #     container: app
    #   secret: my-dictionary-secret

Top-Level Fields

  • image — The SEVS container image. Do not change unless upgrading.
  • resources.cpu / resources.memory — Resource limits for the workload container.
  • schedule — Cron expression controlling how often the sync runs (default: */5 * * * *).
  • timeoutSeconds — Maximum time allowed for a single sync run (default: 300). Increase if you have a large number of entries.
  • sevsConfig — The full sync configuration: a list of entries (see below).

Entries

Each entry in sevsConfig.entries syncs the keys of one Control Plane dictionary secret into the environment variables of one target.
  • target — The resource to apply env vars to (see target types below).
  • secret — The name of the Control Plane dictionary secret to read from.

Target: GVC

Applies all keys from the dictionary secret as environment variables on the entire GVC:
- target:
    type: gvc
    name: my-gvc
  secret: my-dictionary-secret

Target: Workload

Applies all keys from the dictionary secret as environment variables on a specific container within a workload:
- target:
    type: workload
    name: my-workload
    gvc: my-gvc
    container: app
  secret: my-dictionary-secret
The container field is required for workload targets. The gvc field is required when the workload is in a different GVC than the one SEVS is deployed in.

Synced Env Var Format

Each dictionary key becomes an environment variable name on the target. The value is written as a Control Plane secret reference — not the raw secret value:
cpln://secret/SECRET_NAME.KEY_NAME
The target GVC or workload resolves this reference at runtime.

Permissions

SEVS requires the following permissions on its identity. The template creates the three corresponding policies automatically, each scoped to all resources of that kind (see What Gets Created):
  • secret, reveal — Read the dictionary secrets listed in each entry, and the mounted config.yaml.
  • gvc, edit — Write environment variables to GVC targets.
  • workload, edit — Write environment variables to workload container targets.

Important Notes

  • Dictionary secrets only — Source secrets must be of type dictionary. Opaque secrets are not supported as sync sources.
  • One-shot execution — SEVS runs once per schedule tick and exits. It is not a long-running daemon.
  • Concurrency — The job uses concurrencyPolicy: Forbid. If a previous run is still active when the next schedule fires, the new run is skipped.
  • Idempotent — SEVS skips the update when the target already matches the desired env vars.
  • Env var overwrite — Existing environment variables on the target with the same key will be overwritten on each run.
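The following Python model ties together the behaviour described in How It Works, Synced Env Var Format and the notes above: it validates sevsConfig entries (container required for workload targets, gvc defaulting to the GVC SEVS runs in), turns each dictionary key into a cpln://secret/SECRET_NAME.KEY_NAME reference, overwrites same-name env vars while keeping the rest, and skips the update when the target already matches. This is an added example, not code from the SEVS image or the template; it never calls the Control Plane API. The in-memory secret and target stores, the dict-of-env-vars target model and the sample entries are constructed assumptions for illustration.

```python
"""Model of one SEVS cron tick: validate sevsConfig entries, build the
cpln://secret/SECRET.KEY references, and decide per target whether a PUT is
needed. Added illustration; it does not call the Control Plane API, and the
dict-of-env-vars target model and the in-memory stores are assumptions."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: dictionary secrets by name. Only the key names matter to
# the sync, because the value written to the target is a reference, not the raw value.
DICTIONARY_SECRETS: Dict[str, Dict[str, str]] = {
    "my-dictionary-secret": {"DB_HOST": "db.internal", "DB_PASS": "example-only"},
    "other-dict": {"API_TOKEN": "example-only"},
}

# Constructed sample entries, mirroring the shapes shown in the Entries section.
SAMPLE_ENTRIES: List[dict] = [
    {"target": {"type": "gvc", "name": "my-gvc"}, "secret": "my-dictionary-secret"},
    {"target": {"type": "workload", "name": "my-workload", "container": "app"},
     "secret": "other-dict"},
]

TargetKey = Tuple[str, ...]


def validate_entry(entry: dict, default_gvc: str) -> dict:
    """Normalise one entry, enforcing the rules the docs state per target type."""
    target = entry.get("target") or {}
    kind = target.get("type")
    if kind not in ("gvc", "workload"):
        raise ValueError(f"unsupported target type: {kind!r}")
    if not target.get("name"):
        raise ValueError("target.name is required")
    if not entry.get("secret"):
        raise ValueError("secret is required")
    out = {"type": kind, "name": target["name"], "secret": entry["secret"]}
    if kind == "workload":
        if not target.get("container"):
            raise ValueError("target.container is required for workload targets")
        out["container"] = target["container"]
        # gvc is optional and falls back to the GVC SEVS itself is deployed in
        out["gvc"] = target.get("gvc") or default_gvc
    return out


def target_key(entry: dict) -> TargetKey:
    """Identity of the resource whose env vars get edited."""
    if entry["type"] == "gvc":
        return ("gvc", entry["name"])
    return ("workload", entry["gvc"], entry["name"], entry["container"])


def secret_ref(secret_name: str, key: str) -> str:
    """Reference format written by SEVS; the target resolves it at runtime."""
    return f"cpln://secret/{secret_name}.{key}"


def desired_env(secret_name: str, keys: Iterable[str]) -> Dict[str, str]:
    """Every dictionary key becomes an env var of the same name."""
    return {k: secret_ref(secret_name, k) for k in keys}


def plan_update(current: Dict[str, str], desired: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Merge desired into current: same-name vars are overwritten, others kept.
    Returns the env to PUT, or None when the target already matches (idempotent skip)."""
    merged = {**current, **desired}
    return None if merged == current else merged


def run_sync(entries: List[dict], default_gvc: str,
             secrets: Dict[str, Dict[str, str]],
             targets: Dict[TargetKey, Dict[str, str]]) -> List[str]:
    """Simulate one run; `targets` stands in for the API and is updated in place."""
    actions = []
    for raw in entries:
        entry = validate_entry(raw, default_gvc)
        if entry["secret"] not in secrets:
            raise KeyError(f"dictionary secret not found: {entry['secret']}")
        key = target_key(entry)
        current = targets.get(key, {})
        update = plan_update(current, desired_env(entry["secret"], secrets[entry["secret"]]))
        if update is None:
            actions.append(f"skip {key}: already in sync")
        else:
            targets[key] = update  # stand-in for the PUT request
            actions.append(f"PUT {key}: {sorted(update)}")
    return actions


def sample_targets() -> Dict[TargetKey, Dict[str, str]]:
    """Constructed current state: the GVC has a stale DB_HOST and an unrelated var."""
    return {("gvc", "my-gvc"): {"LOG_LEVEL": "debug", "DB_HOST": "stale-value"}}


if __name__ == "__main__":
    state = sample_targets()
    for line in run_sync(SAMPLE_ENTRIES, "my-gvc", DICTIONARY_SECRETS, state):
        print(line)
    for line in run_sync(SAMPLE_ENTRIES, "my-gvc", DICTIONARY_SECRETS, state):
        print(line)  # second tick: both targets are skipped
```

Running the script twice in a row over the same state shows the two properties worth checking before granting SEVS its broad edit/reveal policies: the first tick overwrites the stale DB_HOST but leaves LOG_LEVEL untouched, and the second tick issues no update at all.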

External References

  • SEVS Image Source — Source code for the Secret Env Var Syncer image
  • SEVS Template — View the source files, default values, and chart definition