Secret
A Secret stores sensitive values (API keys, tokens, passwords) used by other resources. ModelEndpoints, Tools, McpServers, and TaskWebhooks reference Secrets for authentication.
If you need to commit encrypted secret manifests to git, use SealedSecret. SealedSecret is decrypted by orlojd and reconciled into a normal Secret, while consumers continue to reference the generated Secret.
Defining a Secret
The simplest way to create a Secret is with the CLI:
orlojctl create secret openai-api-key --from-literal value=sk-your-api-key-here
Or with a YAML manifest:
apiVersion: orloj.dev/v1
kind: Secret
metadata:
  name: openai-api-key
spec:
  stringData:
    value: sk-your-api-key-here
Key Fields
| Field | Description |
|---|---|
| data | Base64-encoded key-value pairs. This is what the runtime reads at execution time. |
| stringData | Write-only plaintext convenience input. Entries are base64-encoded into data during normalization, then cleared. |
How Secrets Work
- stringData entries are merged into data as base64 during normalization.
- Every data value must be non-empty valid base64.
- stringData is cleared after normalization (write-only behavior) -- it is never stored or returned by the API.
- Secret resolution is performed fresh per tool invocation. There is no caching of raw secret values, so rotated secrets take effect immediately.
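The normalization rules above, modelled as an added Python example (not Orloj's own code). The function and exception names are hypothetical, the sample value is constructed, and letting a stringData entry win over a data entry with the same key is an assumption the page does not state.

```python
import base64
import binascii


class SecretValidationError(ValueError):
    """Raised when a Secret spec breaks the rules listed above."""


def normalize_secret_spec(spec: dict) -> dict:
    """Return the spec as it would be stored: data only, all values base64."""
    data = dict(spec.get("data") or {})

    # Merge stringData into data as base64.
    # Assumption: on a key collision the stringData entry replaces data.
    for key, plaintext in (spec.get("stringData") or {}).items():
        data[key] = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")

    # Every data value must be non-empty valid base64. An empty stringData
    # entry encodes to "" and is therefore rejected here as well.
    for key, encoded in data.items():
        if not isinstance(encoded, str) or not encoded:
            raise SecretValidationError(f"data[{key!r}] is empty")
        try:
            # validate=True rejects characters outside the base64 alphabet
            # instead of silently discarding them.
            base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise SecretValidationError(
                f"data[{key!r}] is not valid base64"
            ) from exc

    # Write-only behavior: stringData is not part of the stored result.
    return {"data": data}


def resolve(spec: dict, key: str = "value") -> str:
    """Decode one entry from a normalized spec, as a consumer would."""
    return base64.b64decode(spec["data"][key], validate=True).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample input, not a real credential.
    stored = normalize_secret_spec({"stringData": {"value": "hunter2"}})
    print(stored)
    print(resolve(stored))
```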
Environment Variable Override
In production, you can skip Secret resources entirely and inject values via environment variables:
ORLOJ_SECRET_<name>=<value>
See Secret Handling for details.
Related
- ModelEndpoint -- uses Secrets for model provider auth
- Tool -- uses Secrets for tool auth
- McpServer -- uses Secrets for MCP server auth
- Resource Reference: Secret
- Resource Reference: SealedSecret