Using Kubernetes Secrets with LinearB (MCP & Sensors)
Kubernetes Secrets Support
LinearB components (MCP server and sensors) can now use Kubernetes Secrets to securely store and reference API tokens or credentials. This enhancement helps teams follow Kubernetes best practices for secret management, reducing the risk of credential exposure while simplifying configuration.
Securely provide tokens and credentials to LinearB components (like the MCP server and sensors) by storing them in Kubernetes Secrets instead of hard‑coding values in config files.
Why use Secrets?
- Avoid credentials in plain text YAML/JSON.
- Centralize credential rotation.
- Leverage Kubernetes RBAC and audit controls.

Prerequisites
- A Kubernetes cluster and kubectl access.
- A valid LinearB API token (for MCP) or sensor credentials as required by your deployment.
- (If using Claude Code with MCP) the claude CLI available in the environment where you will run the command.
1. Create a Kubernetes Secret
Create a generic Secret with your LinearB token.
kubectl create secret generic linearb-secret \
--from-literal=LINEARB_API_TOKEN=<your-api-key>
Good practices
- Use a descriptive name per environment, e.g., linearb-secret-prod.
- Prefer --from-file when rotating tokens via CI/CD (store the token in a file artifact).
2. Use the Secret as an Environment Variable (recommended)
Inject the token into a Pod/Deployment and reference it from your startup command or config.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linearb-mcp
spec:
  replicas: 1
  selector:
    matchLabels: { app: linearb-mcp }
  template:
    metadata:
      labels: { app: linearb-mcp }
    spec:
      containers:
        - name: mcp
          image: <your-image>
          env:
            - name: LINEARB_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: linearb-secret
                  key: LINEARB_API_TOKEN
          # Example entrypoint/args
          args:
            - "sh"
            - "-lc"
            - |
              claude mcp add --transport http linearb https://mcp.linearb.io/mcp \
                --header "x-api-key: ${LINEARB_API_TOKEN}" && \
              exec your-app
This pattern keeps the token out of your manifests and passes it at runtime.
3. Use the Secret as a Mounted File (alternative)
Some teams prefer file mounts for compatibility with existing scripts.
kubectl create secret generic linearb-secret \
--from-literal=api-token=<your-api-key>
# Under the container entry in the pod spec
volumeMounts:
  - name: linearb-secret-vol
    mountPath: /var/run/secrets/linearb
    readOnly: true
# Under the pod spec, alongside containers
volumes:
  - name: linearb-secret-vol
    secret:
      secretName: linearb-secret
Your container can then read /var/run/secrets/linearb/api-token and inject it into the command:
TOKEN=$(cat /var/run/secrets/linearb/api-token)
claude mcp add --transport http linearb https://mcp.linearb.io/mcp --header "x-api-key: ${TOKEN}"
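A hardened version of the token read above, as an added example that is not LinearB's own code: it takes the token from the LINEARB_API_TOKEN env var or the mounted file, strips CR/LF (a Secret created with --from-file keeps the file's trailing newline, which would otherwise be sent as part of the x-api-key value), and logs only the token length. The LINEARB_TOKEN_FILE override and both function names are assumptions introduced here, as is the premise that a token never contains CR or LF.

```shell
#!/bin/sh
# Added example, not LinearB code. Default path matches the mountPath and
# key from section 3; LINEARB_TOKEN_FILE is a hypothetical override.
LINEARB_TOKEN_FILE="${LINEARB_TOKEN_FILE:-/var/run/secrets/linearb/api-token}"

# Print the token on stdout. On failure, return non-zero and write a
# message to stderr that never contains the token value.
load_linearb_token() {
    token="${LINEARB_API_TOKEN:-}"          # env injection (section 2)
    if [ -z "$token" ]; then                # fall back to the file mount
        if [ ! -r "$LINEARB_TOKEN_FILE" ]; then
            echo "linearb: LINEARB_API_TOKEN unset and $LINEARB_TOKEN_FILE unreadable" >&2
            return 1
        fi
        token=$(cat "$LINEARB_TOKEN_FILE")
    fi
    # Assumption: tokens never contain CR or LF, so removing them is safe.
    token=$(printf '%s' "$token" | tr -d '\r\n')
    if [ -z "$token" ]; then
        echo "linearb: token is empty after trimming" >&2
        return 1
    fi
    printf '%s' "$token"
}

# Log-safe description of a token: its length, never its value.
describe_token() {
    printf 'token loaded (%d chars)' "${#1}"
}

# Usage inside the container entrypoint:
#   TOKEN=$(load_linearb_token) || exit 1
#   describe_token "$TOKEN" >&2
#   claude mcp add --transport http linearb https://mcp.linearb.io/mcp \
#     --header "x-api-key: ${TOKEN}"
```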

4. Helm Values Example (pattern)
If you deploy via Helm, expose a values section to map Secrets to env vars.
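# values.yaml
image: your-image
secretRef:
  name: linearb-secret
  key: LINEARB_API_TOKEN
# Helm does not render template expressions inside values.yaml, so the
# references below are quoted strings; the chart template must pass
# extraEnv through tpl when inserting it into the container spec.
extraEnv:
  - name: LINEARB_API_TOKEN
    valueFrom:
      secretKeyRef:
        name: "{{ .Values.secretRef.name }}"
        key: "{{ .Values.secretRef.key }}"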
Then template extraEnv into your chart’s container spec.
Security Notes
- Grant minimal RBAC to workloads that read linearb-secret.
- Avoid echoing the token in logs; prefer env interpolation.
- Use separate Secrets per environment and rotate on schedule.

Troubleshooting
- 401/403 errors: ensure the token in the Secret is valid and mapped to the correct env var name.
- Pod can’t read Secret: check namespace and RBAC (ServiceAccount, Role/RoleBinding).
- CLI not found: verify claude is installed in the container image/path.