It’s up to you to decide whether to inject your secrets as environment variables or mount them as a volume, but keep in mind that putting sensitive data in environment variables may have unintended consequences. It’s not uncommon for applications to dump all their environment variables when they crash, outputting everything for error reporting, which could expose sensitive information. For example, we could be shipping our logs to a third-party provider that would gladly receive our database credentials. Environment variables are also inherited by any child processes that our container creates. So depending on what we are running, we may not want that to happen.
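The two leak paths described above, as an added example (not code from the original article): a child process that dumps its whole environment, run once with the secret injected as a variable and once with the secret delivered as a file. The names `DB_PASSWORD` and `DB_PASSWORD_FILE`, the file name and the secret value are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample values (assumptions, not from the article).
SECRET_NAME = "DB_PASSWORD"
SECRET_VALUE = "constructed-example-password"

# Child program: prints its whole environment, as a crash reporter might.
CHILD_DUMP = "import os; print('\\n'.join(f'{k}={v}' for k, v in os.environ.items()))"


def child_env_dump(env):
    """Run a child process with `env` and return everything it dumps."""
    result = subprocess.run([sys.executable, "-c", CHILD_DUMP],
                            env=env, capture_output=True, text=True, check=True)
    return result.stdout


def leak_via_env():
    """Secret injected as an environment variable: the child inherits it."""
    env = dict(os.environ, **{SECRET_NAME: SECRET_VALUE})
    return SECRET_VALUE in child_env_dump(env)


def leak_via_file():
    """Secret delivered as a file, as a mounted volume would provide it.
    Only the path is in the environment, so a dump lacks the value."""
    with tempfile.TemporaryDirectory() as mount:
        path = os.path.join(mount, "db-password")
        with open(path, "w") as fh:
            fh.write(SECRET_VALUE)
        env = dict(os.environ, DB_PASSWORD_FILE=path)
        env.pop(SECRET_NAME, None)
        dump = child_env_dump(env)
        with open(path) as fh:  # the application reads the value on demand
            loaded = fh.read()
    return SECRET_VALUE in dump, loaded == SECRET_VALUE


def scrubbed_env(parent_env, sensitive=(SECRET_NAME,)):
    """If env injection is unavoidable, drop sensitive names before spawning."""
    return {k: v for k, v in parent_env.items() if k not in sensitive}


if __name__ == "__main__":
    print("env var reaches child dump:", leak_via_env())
    print("file-based (in dump, readable by app):", leak_via_file())
```

A file-based secret is still readable by any child that can open the path; what changes is that environment dumps and inherited environments no longer carry the value.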