Environment Variables¶

Every variable the app reads, grouped by purpose. Use this to build the ConfigMap (non-sensitive) and Secret (sensitive) manifests.

Required vs. optional: "Required" = app boots only if this is set. "Optional" = app boots without it but a feature is disabled or defaults are used.

Critical for boot¶

Var	Required	Where used	Notes
`RAILS_ENV`	Yes	everywhere	Set to `production`.
`RAILS_MASTER_KEY`	Yes	config/application.rb (`require_master_key = true`)	Decrypts `config/credentials/<env>.yml.enc`. App refuses to boot without it. Must be a Secret. Note: there is one `.yml.enc` per environment (development, staging, sandbox, sandbox2, production) — pick the right key per env.
`DATABASE_URL`	Recommended	Rails ActiveRecord	When set, takes precedence over `config/database.yml`'s production block. Format: `mysql2://user:pass@host:3306/oms_production`. Must be a Secret.
`REDIS_URL`	Recommended	config/initializers/sidekiq.rb and elsewhere	Format: `redis://host:6379/0`. Falls back to `Rails.application.credentials[:redis_url]` if unset.
`SECRET_KEY_BASE`	Yes (prod)	Rails	Used for signing cookies / message verifiers. Must be a Secret.

Web-tier tuning¶

Var	Default	Where
`PORT`	3000	config/puma.rb:31
`WEB_CONCURRENCY`	1 (single-mode)	config/puma.rb — set to 2–4 for clustered Puma
`RAILS_MAX_THREADS`	3	config/puma.rb:27 — also drives DB pool sizing
`PIDFILE`	unset	Leave unset in k8s (no pidfile written)
`RAILS_LOG_TO_STDOUT`	unset	Set to `1` in k8s — flips semantic_logger to JSON stdout
`RAILS_SERVE_STATIC_FILES`	unset	Set to `1` in k8s — Puma serves `/public`
`RAILS_FORCE_SSL`	unset	Set to `1` behind TLS-terminating ingress
`RAILS_ASSUME_SSL`	unset	Set to `1` so Rails trusts `X-Forwarded-Proto`
`RAILS_ALLOWED_HOSTS`	unset	CSV of hostnames the app should accept (e.g. `oms.popsockets.com,oms-internal.popsockets.com`).

Sidekiq¶

Var	Default	Where
`SIDEKIQ_SCHEDULER_ENABLED`	`false` in worker pods, `true` in the singleton scheduler pod	docker-compose.yml
`SOLID_QUEUE_IN_PUMA`	unset	Leave unset — Sidekiq is the job backend, not Solid Queue

AWS / object storage¶

Var	Default	Where
`AWS_ACCESS_KEY_ID`	unset (falls back to credentials, then to default chain)	config/initializers/aws_s3.rb, config/storage.yml
`AWS_SECRET_ACCESS_KEY`	unset (same fallback)	same
`AWS_REGION`	`us-east-1`	same
`AWS_S3_BUCKET`	falls back to `Rails.application.credentials[:s3_bucket]`	config/storage.yml

Preferred in k8s: don't set the access key envs. Use IRSA (EKS) / Azure Workload Identity (AKS) and let aws-sdk pick up the role. The initializer is already wired to fall back to the default credential chain when access key is blank.

Datadog¶

Var	Default	Where
`DD_AGENT_HOST`	`localhost`	config/initializers/datadog.rb — set to the node's IP (DaemonSet) or leave as `localhost` (sidecar). The Datadog k8s docs cover the standard `status.hostIP` downward-API pattern.
`DD_DOGSTATSD_PORT`	`8125`	same
`DD_TRACE_ENABLED`	tracer default	Standard Datadog SDK var
`DD_APM_ENABLED`	tracer default	Standard Datadog SDK var
`APP_VERSION`	nil	Tagged on traces. Set to image tag / git sha.
`GIT_COMMIT_SHA`	nil	Same purpose.

wkhtmltopdf / imgkit¶

Var	Default	Where
`WKHTMLTOPDF_PATH`	`/usr/bin/wkhtmltopdf` (set in Dockerfile)	config/initializers/pdfkit.rb, config/initializers/imgkit.rb
`WKHTMLTOIMAGE_PATH`	`/usr/bin/wkhtmltoimage` (set in Dockerfile)	same

The image installs wkhtmltopdf from Debian and points the env vars at /usr/bin/.... No further config needed in k8s.

Feature flags / app-specific¶

Var	Default	Where
`POPTIVISM_SKU_INCREMENT`	unset	Feature flag for SKU handling — confirm with Rails team if still active.
`BULLET_RAISE`	dev/test only	Not relevant in prod.
`BRANCH`	`main`	Capistrano-only. Not needed in k8s.

Variables to drop going to k8s¶

Anything in .env.production / .env.staging etc. that points to the old Capistrano host paths.
The Capistrano-set path in :default_env (config/deploy.rb) pointing at /usr/local/rvm/gems/ruby-3.4.8/wrappers — irrelevant in containers.

Sensitive data still living in Rails encrypted credentials¶

These are not environment variables — they're decrypted from config/credentials/<env>.yml.enc using RAILS_MASTER_KEY:

database, username, password, db_host (overridden when DATABASE_URL is set)
redis_url (overridden when REDIS_URL is set)
aws_access_key, aws_secret_access_key, s3_bucket (overridden by the new AWS_* envs)
shopify_api_key, shopify_secret, shopify_deprecated_secret
postmark_api_key
Per-store SFCC client credentials are stored in DB rows (Demandware::Client model)

Long-term, infra may want all these in a real secret store (Azure Key Vault / AWS Secrets Manager) and removed from the Rails credentials file. That's a larger change — out of scope for the initial k8s lift-and-shift.