Auto-generated Secrets ("Auto Secrets")

Blueberry automatically handles Kubernetes secrets for every ephemeral environment.
This document explains what happens behind the scenes and how you can override the defaults when you need to supply your own values.


1 How Auto Secrets work

  1. Generation — At provisioning time, Blueberry creates random values (DB passwords, JWT signing keys, API tokens, etc.).
  2. Storage — Values are written to Google Secret Manager under IDs that start with the environment name, e.g. env-pr-123/mysql-root-password.
  3. Kubernetes wiring — The same values are copied into a Secret object inside the environment’s namespace and exposed to the pods as ordinary environment variables.
  4. Cleanup — When the environment is deleted, both the Kubernetes secret and the Secret-Manager entries are removed.

Result: your application just reads MYSQL_ROOT_PASSWORD, JWT_SECRET, … and it works without any manual steps.


2 Disabling or overriding Auto Secrets

There are two common scenarios:

2.1 Use your own values (keep Auto Secrets on)

Supply a config override when you create the environment:

{
  "helm_values": {
    "backend": {
      "env": {
        "STRIPE_API_KEY": "sk_live_…your_key…"
      }
    }
  }
}

The value is written verbatim into the chart, so it is visible to anyone who can read the rendered manifests; use this only for non-sensitive tokens or demo keys.

2.2 Refer to an existing Secret-Manager secret

  1. Create the secret once:

gcloud secrets create stripe-api-key --replication-policy="automatic"
printf "sk_live_…your_key…" | gcloud secrets versions add stripe-api-key --data-file=-

  2. Point Blueberry at it in the overrides:

{
  "helm_values": {
    "backend": {
      "env": {
        "STRIPE_API_KEY": {
          "secretKeyRef": {
            "name": "stripe-api-key",
            "key": "latest"
          }
        }
      }
    }
  }
}

Blueberry mounts the Secret-Manager value into the pod.

2.3 Turn Auto Secrets off

Send "auto_generate_secrets": false in the create-environment request and provide every secret yourself using one of the methods above.


3 API quick-reference

POST /api/environments
Content-Type: application/json
Authorization: Bearer <token>

{
  "environment_name": "pr-123",
  "backend_repo": "sample-be-1",
  "backend_branch": "main",
  "ttl": 24,
  "auto_generate_secrets": true,  // or false
  "config_overrides": { … }       // optional
}

If auto_generate_secrets is left at true (the default), no extra work is required; the credential variables just appear inside the containers.
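As an added example that is not part of the Blueberry docs or code, the following Python helper assembles the create-environment body from section 3 using both override forms from sections 2.1 and 2.2, and lints it before sending: any env var whose name looks credential-bearing but whose value is a plain string (which the chart would carry verbatim) is reported. The name pattern and the sample env values are assumptions constructed for the example.

```python
import json
import re
from typing import Any

# Heuristic for credential-bearing env var names (an assumption of this example).
SENSITIVE_NAME = re.compile(r"(KEY|SECRET|PASSWORD|TOKEN)$", re.IGNORECASE)


def secret_ref(name: str, key: str = "latest") -> dict:
    """Build the secretKeyRef form from section 2.2 (resolved from Secret Manager)."""
    return {"secretKeyRef": {"name": name, "key": key}}


def build_request(env_name: str, repo: str, branch: str, ttl: int,
                  backend_env: dict[str, Any], auto_secrets: bool = True) -> dict:
    """Assemble a POST /api/environments body with backend env overrides."""
    return {
        "environment_name": env_name,
        "backend_repo": repo,
        "backend_branch": branch,
        "ttl": ttl,
        "auto_generate_secrets": auto_secrets,
        "config_overrides": {"helm_values": {"backend": {"env": backend_env}}},
    }


def inline_secrets(request: dict) -> list[str]:
    """Return env var names that look sensitive but are given as literal strings.

    A literal is written verbatim into the chart (section 2.1), so a real
    credential passed this way lands in the rendered manifests; a secretKeyRef
    (section 2.2) is mounted from Secret Manager at deploy time instead.
    """
    env = (request.get("config_overrides", {}).get("helm_values", {})
           .get("backend", {}).get("env", {}))
    return sorted(
        name for name, value in env.items()
        if SENSITIVE_NAME.search(name)
        and not (isinstance(value, dict) and "secretKeyRef" in value)
    )


if __name__ == "__main__":
    req = build_request("pr-123", "sample-be-1", "main", 24, {
        "STRIPE_API_KEY": secret_ref("stripe-api-key"),  # resolved at runtime
        "FEATURE_FLAGS": "checkout_v2",                   # non-sensitive literal
        "SENDGRID_API_KEY": "SG.constructed-demo-value",  # literal credential: flagged
    })
    print(json.dumps(req, indent=2))
    print("inline secrets:", inline_secrets(req))  # ['SENDGRID_API_KEY']
```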

Document ID: reference/auto-secrets