Highdocs
Deploy/Secrets

Secrets

Your config references secrets by name; the values live in a vault and are injected at deploy time — never written into your config, your image, or High's UI.

Reference a secret

In a config's env, point a variable at a secret by its path and key instead of giving it a value. By default the secret is injected as an environment variable; set mode: file to mount it as a file instead — useful for certificates and keyfiles.

env:
  - name: DATABASE_URL
    valueFrom:
      secret: { path: acme/shop/prod, key: db_url }
env:
  - name: TLS_CERT
    valueFrom:
      secret:
        path: acme/shop/prod
        key: cert
        mode: file
        file: /etc/tls/cert.pem

Where values live

Values are stored in a vault, scoped to your tenant. The agent on the outpost fetches the value at deploy time, under the node's own identity, and injects it into the running container. It never appears in the rendered manifest, the built image, logs, or anywhere in the console — only the reference travels with your config.

Provisioning values

You put the actual values into the vault directly, out of band — there's no command that writes a secret value through High, by design. When you export or clone a project, High carries a bill of secrets: the list of references the destination needs provisioned, so you know exactly what to set up before the first deploy. The values themselves are never part of that export.

The value never travels

A secret ref names a secret; the value is resolved on the node at deploy and injected there. It's not in your repo, your config, or the image you ship.