Secrets

# Create a store (with optional egress restrictions)
oc secret-store create --name my-secrets --egress-allowlist api.anthropic.com

# List stores
oc secret-store list

# Update a store
oc secret-store update <store-id> --egress-allowlist api.anthropic.com,*.openai.com

# Delete a store (and all its secrets)
oc secret-store delete <store-id>

# Set a secret
oc secret set <store-id> ANTHROPIC_API_KEY sk-ant-...

# Set from stdin
echo "sk-ant-..." | oc secret set <store-id> ANTHROPIC_API_KEY --from-stdin

# Restrict a secret to specific hosts
oc secret set <store-id> ANTHROPIC_API_KEY sk-ant-... --allowed-hosts api.anthropic.com

# List secrets (names only — values are never returned)
oc secret list <store-id>

# Delete a secret
oc secret delete <store-id> ANTHROPIC_API_KEY

# Create a sandbox with a secret store
oc create --secret-store my-secrets

# Env vars are sealed — real values are never in the VM
oc exec <sandbox-id> -- echo '$ANTHROPIC_API_KEY'
# osb_sealed_7f3a9c... (not the real key)