Environment variables and Secrets - The Future of Qovery - Week #6
This series will reveal all the changes and features you will get in the next major release of Qovery. Let's go!
Read the previous article: Qovery goes beyond app deployment - The Future of Qovery - Week #5.
Environment variables.
You have a NodeJS app that needs a PostgreSQL database - the good practice to connect your app to the database is to use environment variables to get the host, the port, and the credentials.
With the next release of the web interface, managing environment variables will be easier than before.
The same system of "scope" will remain - meaning you will still be able to set environment variables for many applications if you need it. Four scopes exist:
- BUILT_IN: Automatically generated variables based on your configuration (e.g., requested databases) propagated to all projects, environments, and applications.
- PROJECT: Variables at the project level are shared across all environments and all applications of the project.
- ENVIRONMENT: Variables at the environment level are shared across all project applications in one given environment.
- APPLICATION: Variables available for one application in a single environment
Secrets
Now let's say that your app needs to use Stripe to bill your user. You want to keep this secret secure and immutable from any change. This is why we introduce Secret Management. Secrets are encrypted and can't be revealed and modified once they are set.
Secrets can also be scoped, overridden, and aliased.
Qovery takes care of injecting your environment variables and secrets during the build time, deployment, and runtime.
Conclusion
We spent some time improving the UX to manage environment variables - we also considered adding the Secret Management feature to avoid using sensitive data inside your app. My team and I are excited to release our next major version of Qovery. If you are interested in joining the beta in early June, let me know by contacting us on Discord.
--
See you next week -- same hour, same place 👋
Romaric from Qovery -- We are hiring
.svg)
.svg)
.svg)
Suggested articles
The cluster coming up is the easy part. What catches teams off guard is what happens six months later: certificates expire without a single alert, node pools run at 40% over-provisioned because nobody revisited the initial resource requests, and a manual kubectl patch applied during a 2am incident is now permanent state. Agentic control planes enforce declared state continuously. Monitoring tools just report the problem.
Scaling your deployments to zero is only half the battle. If your cluster autoscaler does not aggressively bin-pack and terminate the underlying worker nodes, you are still paying for idle metal. True environment sleeping requires tight integration between your ingress layer and your node provisioner to actually realize FinOps savings.
The biggest mistake enterprises make when evaluating Kubernetes management platforms is confusing infrastructure provisioning with Day-2 operations. Tools like Terraform or kOps are excellent for spinning up the underlying EC2 instances and networking, but they do absolutely nothing to prevent configuration drift, automate certificate rotation, or right-size your idle workloads once the cluster is actually running.
For years, Red Hat OpenShift has been the safe choice for heavily regulated, on-premise environments. It operates as a secure fortress. But in the public cloud, that fortress acts as an expensive prison. Paying proprietary per-core licensing fees on top of your standard AWS or GCP compute bill is a redundant "middleware tax." Escaping OpenShift requires decoupling your infrastructure from your developer experience by running standard, vanilla Kubernetes paired with an agentic control plane.
Agentic Kubernetes resource reclamation is the practice of using an autonomous control plane to continuously identify, suspend, and delete idle infrastructure across a multi-cloud Kubernetes fleet. It replaces manual cleanup and reactive autoscaling with intent-based policies that act on business state, eliminating the configuration drift and cloud waste typical of unmanaged fleets.
Kubernetes focuses on container orchestration, but the reality on the ground is far less forgiving. Provisioning a single cluster is a trivial Day-1 exercise. The true operational nightmare begins on Day 2. Teams that treat multi-cloud fleets like isolated pets inevitably face crushing YAML configuration drift, runaway AWS bills, and severe scaling bottlenecks.
Rancher solved the Day-1 problem of launching clusters across disparate bare-metal environments. But in 2026, launching clusters is no longer the bottleneck. The real failure point is Day-2: managing the operational chaos, security patching, and configuration drift on top of them. Rancher is a heavy, ops-focused fleet manager that completely ignores the application developer. If your goal is developer velocity and automated FinOps, you must graduate from basic fleet management to an intent-based Kubernetes Management Platform like Qovery.
.webp)