External Secrets in Mendix Kubernetes Deployment

0
Hi Guys, we want to inject database credentials and API keys from AWS Secrets Manager into our Mendix runtime environment variables when using the Mendix Operator. Is there a supported way to do this, or do we have to hardcode secrets in the OperatorConfiguration?
asked
1 answers
1

Hi Rakesh


Hardcoding secrets in OperatorConfiguration is strongly discouraged. Use the External Secrets Operator (ESO): install ESO in your cluster, create an ExternalSecret CR that syncs from AWS Secrets Manager to a native Kubernetes Secret, then reference it in your MendixApp CR:

runtime:
  envFrom:
    - secretRef:
        name: mendix-app-secrets


As of Mendix Operator 2.x, the MendixApp CR supports envFrom and env.valueFrom.secretKeyRef natively, so ESO is the cleanest fit, with no custom patching needed. Alternatively, use the AWS Secrets Store CSI driver and mount secrets as a volume with an init container.

answered
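
A SecretStore and ExternalSecret that would produce the mendix-app-secrets Secret referenced in the answer above, as an added example that is not part of the original post and not taken from the Mendix or ESO projects. The namespace, store name, service account, region, AWS secret name, JSON fields and variable names are assumptions, and the apiVersion depends on the ESO release installed.

```yaml
# Added example. Values marked "assumed" are placeholders, not values from the post.
apiVersion: external-secrets.io/v1beta1  # external-secrets.io/v1 on ESO releases that serve it
kind: SecretStore
metadata:
  name: aws-secrets-manager          # assumed
  namespace: mendix                  # assumed: namespace of the MendixApp
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1              # assumed
      auth:
        jwt:
          serviceAccountRef:
            # assumed: service account mapped to an IAM role whose policy
            # allows secretsmanager:GetSecretValue on this one secret only
            name: eso-mendix-reader
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: mendix-app-secrets
  namespace: mendix                  # assumed
spec:
  refreshInterval: 1h                # how often ESO re-reads AWS Secrets Manager
  secretStoreRef:
    kind: SecretStore
    name: aws-secrets-manager
  target:
    name: mendix-app-secrets         # the Secret named in envFrom.secretRef
    creationPolicy: Owner            # Secret is removed with the ExternalSecret
  data:
    # With envFrom, every key of the Secret becomes an environment variable
    # name, so map fields explicitly instead of syncing the whole document.
    - secretKey: DATABASE_PASSWORD   # assumed variable name
      remoteRef:
        key: prod/mendix/app         # assumed AWS secret name
        property: db_password        # assumed JSON field in that secret
    - secretKey: PAYMENT_API_KEY     # assumed variable name
      remoteRef:
        key: prod/mendix/app
        property: api_key            # assumed JSON field
```

Environment variables are read when the container starts, so a value refreshed by ESO reaches the runtime only after the pod is restarted. The synced object is an ordinary Kubernetes Secret, so RBAC on Secrets in that namespace and etcd encryption at rest still decide who can read it.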