Skip to content

Argo Workflows Default Env Quick Fix - Global Environment Variables

DodaTech Updated 2026-06-26 1 min read

Argo Workflows default environment variables can be injected globally or per template. Incorrect env configuration causes missing dependencies or secret exposure. This guide covers the fix.

Quick Fix

Wrong

config: |
  executor:
    env:
    - name: DATABASE_URL
      value: postgres://user:password@localhost/db

Hardcoding sensitive credentials in controller ConfigMap exposes them to all workflow pods and anyone with ConfigMap access. This is a security risk.

config: |
  executor:
    env:
    - name: DATABASE_URL
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: url
    - name: LOG_LEVEL
      value: info
# Expected output after applying the fix
# DATABASE_URL injected from Kubernetes secret
# LOG_LEVEL set to "info" for all workflow pods
# No credentials exposed in ConfigMap
# Environment variables available in all templates

Prevention

  • Use valueFrom.secretKeyRef for sensitive environment variables
  • Limit global env vars to non-sensitive configuration
  • Override global env vars at the template level when needed
  • Document all global environment variables
  • Audit global env vars regularly for security Compliance

DodaTech Tools

Doda Browser's env inspector shows all environment variables across workflow templates. DodaZIP archives env configurations for security reviews. Durga Antivirus Pro detects hardcoded secrets in workflow configurations.

FAQ

Can I override a global env var in a specific template?

Yes, template-level env overrides global env vars. Set a different value in the template's environment variables to override the global default. ||| How do I list all default environment variables? Check the workflow controller ConfigMap under executor.env or inspect the Argo server startup logs which log the effective configuration. ||| Do default env vars apply to all containers in the workflow? Yes, global env vars defined in the controller config are injected into all step containers, daemons, and init containers within the workflow pod.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro