Manage secrets
You can bootstrap your MCP server with additional environment variables that the MCP server needs to run properly. These environment variables are typically defined in an .env file.
You can use the kmcp secret command to store these environment variables in a Kubernetes secret and to automatically configure the MCP server to mount that secret during the MCP server deployment.
The name and namespace of the Kubernetes secret that you want to create are defined in the kmcp.yaml file of your project.
Prerequisites
- Create a FastMCP or MCP Go project with a sample MCP server and tool.
- Install the kmcp controller in a local kind cluster to manage the lifecycle of MCP servers in your cluster.
Store environment variables in a Kubernetes secret
- Review the kmcp.yaml configuration of your MCP project. The default kmcp.yaml file includes a secrets section that defines multiple environments, such as staging, production, and local. Each environment defines the name and the namespace of the Kubernetes secret that you want to use. Note that all environments are currently disabled.

      cat my-mcp-server/kmcp.yaml

  Example output:

      name: my-mcp-server
      framework: fastmcp-python
      version: 0.1.0
      description: MCP server built with fastmcp-python
      secrets:
        local:
          enabled: false
          provider: env
          file: .env.local
        production:
          enabled: false
          provider: kubernetes
          secretName: my-mcp-server-secrets-production
          namespace: default
        staging:
          enabled: false
          provider: kubernetes
          secretName: my-mcp-server-secrets-staging
          namespace: default

- Enable the staging environment by setting the secrets.staging.enabled field to true. You can optionally change the name and namespace of the Kubernetes secret that you want to use with your MCP server. However, keep in mind that the secret must be in the same namespace where the MCP server is deployed.

      ...
      secrets:
        local:
          enabled: false
          provider: env
          file: .env.local
        production:
          enabled: false
          provider: kubernetes
          secretName: my-mcp-server-secrets-production
          namespace: default
        staging:
          enabled: true
          provider: kubernetes
          secretName: my-mcp-server-secrets-staging
          namespace: default

- Create an .env.staging file in your MCP project that defines additional environment variables that you want to provide to your MCP server.

      cat << EOF > my-mcp-server/.env.staging
      # .env.staging
      API_KEY=your-api-key-here
      DATABASE_URL=postgresql://user:pass@host:5432/db
      EOF

- Create the Kubernetes secret in your kind cluster by using the secret definition from the kmcp.yaml file and the environment variables from the .env.staging file. Note that this step is not required when you plan to run your MCP server locally only.

      kmcp secrets sync staging --from-file my-mcp-server/.env.staging --project-dir my-mcp-server

- Verify that the Kubernetes secret is created and that you can see the base64-encoded environment variables that you defined earlier.

      kubectl get secret my-mcp-server-secrets-staging -o yaml

  Example output:

      apiVersion: v1
      data:
        API_KEY: eW91ci1hcGkta2V5LWhlcmU=
        DATABASE_URL: cG9zdGdyZXNxbDovL3VzZXI6cGFzc0Bob3N0OjU0MzIvZGI=
      kind: Secret
      metadata:
        name: my-mcp-server-secrets-staging
        namespace: default
        resourceVersion: "10819"
        uid: 85...
      type: Opaque
Deploy the MCP server with your secret
- Build a Docker image for your MCP server and load it to your kind cluster.

      kmcp build --project-dir my-mcp-server -t my-mcp-server:latest --kind-load-cluster kind

- Deploy your MCP server and bootstrap it with the Kubernetes secret of the staging environment.

      kmcp deploy --environment staging --file my-mcp-server/kmcp.yaml --no-inspector --image my-mcp-server:latest

- Verify that your server is up and running.

      kubectl get pods

- Get the details of the my-mcp-server deployment. Verify that you see the reference to your Kubernetes secret in the spec.containers.envFrom section.

      kubectl get deployment my-mcp-server -o yaml

  Example output:

      ...
      template:
        metadata:
          creationTimestamp: null
          labels:
            app.kubernetes.io/instance: my-mcp-server
            app.kubernetes.io/managed-by: kmcp
            app.kubernetes.io/name: my-mcp-server
        spec:
          containers:
          ...
            envFrom:
            - secretRef:
                name: my-mcp-server-secrets-staging
            image: my-mcp-server:latest
      ...
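
The two verification steps above (secret contents and the envFrom reference) can be checked together. The following is an added example, not part of kmcp or the original page: it decodes the Secret's base64 values, compares them with the .env file, and confirms that the deployment mounts the secret from the same namespace. It assumes the resources were exported with `kubectl get ... -o json` instead of `-o yaml`; the function names `parse_env` and `audit` are hypothetical, and the sample data is constructed from the example values on this page.

```python
import base64
import json

# Constructed samples that mirror the example values shown on this page.
ENV_FILE = """# .env.staging
API_KEY=your-api-key-here
DATABASE_URL=postgresql://user:pass@host:5432/db
"""
SECRET_JSON = json.dumps({
    "metadata": {"name": "my-mcp-server-secrets-staging", "namespace": "default"},
    "data": {
        "API_KEY": "eW91ci1hcGkta2V5LWhlcmU=",
        "DATABASE_URL": "cG9zdGdyZXNxbDovL3VzZXI6cGFzc0Bob3N0OjU0MzIvZGI=",
    },
})
DEPLOYMENT_JSON = json.dumps({
    "metadata": {"name": "my-mcp-server", "namespace": "default"},
    "spec": {"template": {"spec": {"containers": [
        {"envFrom": [{"secretRef": {"name": "my-mcp-server-secrets-staging"}}]}]}}},
})

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def audit(env_text, secret_json, deployment_json):
    """Return a list of findings; an empty list means sync and mount are consistent."""
    env, secret, deploy = parse_env(env_text), json.loads(secret_json), json.loads(deployment_json)
    # Secret data is base64-encoded, not encrypted: decoding recovers the plaintext.
    stored = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    findings = [f"missing key in secret: {k}" for k in env if k not in stored]
    findings += [f"value differs from env file: {k}" for k in env if k in stored and stored[k] != env[k]]
    findings += [f"key not in env file: {k}" for k in stored if k not in env]
    if secret["metadata"]["namespace"] != deploy["metadata"]["namespace"]:
        findings.append("secret and deployment are in different namespaces")
    refs = {e["secretRef"]["name"] for c in deploy["spec"]["template"]["spec"]["containers"]
            for e in c.get("envFrom", []) if "secretRef" in e}
    if secret["metadata"]["name"] not in refs:
        findings.append("deployment does not reference the secret in envFrom")
    return findings

if __name__ == "__main__":
    print(audit(ENV_FILE, SECRET_JSON, DEPLOYMENT_JSON) or "consistent")
```

Because the values decode directly, anyone who can read the Secret object can read the variables, so read access to secrets in that namespace should be limited accordingly.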