Secrets
Your config references secrets by name; the values live in a vault and are injected at deploy time — never written into your config, your image, or High's UI.
Reference a secret
In a config's env, point a variable at a secret by its path and key instead of giving it a value. By default the secret is injected as an environment variable; set mode: file to mount it as a file instead — useful for certificates and keyfiles.
env:
- name: DATABASE_URL
valueFrom:
secret: { path: acme/shop/prod, key: db_url }env:
- name: TLS_CERT
valueFrom:
secret:
path: acme/shop/prod
key: cert
mode: file
file: /etc/tls/cert.pemWhere values live
Values are stored in a vault, scoped to your tenant. The agent on the outpost fetches the value at deploy time, under the node's own identity, and injects it into the running container. It never appears in the rendered manifest, the built image, logs, or anywhere in the console — only the reference travels with your config.
Provisioning values
You put the actual values into the vault directly, out of band — there's no command that writes a secret value through High, by design. When you export or clone a project, High carries a bill of secrets: the list of references the destination needs provisioned, so you know exactly what to set up before the first deploy. The values themselves are never part of that export.
A secret ref names a secret; the value is resolved on the node at deploy and injected there. It's not in your repo, your config, or the image you ship.