Secrets

A good option for runtime secrets (which avoids exposing them in the nix store) is loading values with vals. A minimal example, using the file provider, might look like

`default.nix`:

```nix
{ kubenix ? import ../../../.. }:
kubenix.evalModules.${builtins.currentSystem} {
  module = { kubenix, ... }: {
    imports = [ kubenix.modules.k8s ];
    kubernetes.resources.secrets.example.stringData = {
      # Only this reference ends up in the nix store; vals resolves it at apply time.
      password = "ref+file:///path/to/secret";
    };
  };
}
```

NOTE: The creation of /path/to/secret is out of scope, but we recommend checking out one of the secret management schemes.

Then it's up to you when and where to apply it, with something along the lines of:

```nix
pkgs.writeShellScript "apply" ''
  # Resolve the ref+ references outside the nix store, then hand the result to kubectl.
  cat /path/to/manifests | ${pkgs.vals}/bin/vals eval -f - | ${pkgs.kubectl}/bin/kubectl apply -f -
''
```
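The check a practitioner would want before the `vals eval` step is that the rendered manifest in the nix store contains only `ref+` references and no literal secret values. The following is an added example, not kubenix or vals code: it inspects a constructed rendering of the Secret above and includes a toy stand-in for the file provider (assumption: vals substitutes the file's contents for `ref+file://<path>`), so the whole flow can be exercised offline.

```python
import json
import os
import tempfile

# Constructed sample of what kubenix renders for the module above: the only
# thing that lands in the nix store is the vals reference, not the secret.
RENDERED_MANIFEST = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "example"},
    "stringData": {"password": "ref+file:///path/to/secret"},
}

def plaintext_secret_values(manifest):
    """Return (secret name, key) pairs whose value is not a vals 'ref+' reference.
    Run this over the nix build output before the vals step: any hit is a
    literal secret that would be world-readable in /nix/store."""
    hits = []
    docs = manifest.get("items", [manifest])  # single object or a v1 List
    for doc in docs:
        if doc.get("kind") != "Secret":
            continue
        for field in ("stringData", "data"):
            for key, value in doc.get(field, {}).items():
                if not str(value).startswith("ref+"):
                    hits.append((doc["metadata"]["name"], key))
    return hits

def resolve_file_refs(manifest):
    """Toy stand-in for 'vals eval' covering only the file provider (assumption:
    the file's contents replace 'ref+file://<path>'). Input is left unchanged."""
    prefix = "ref+file://"
    resolved = json.loads(json.dumps(manifest))
    for doc in resolved.get("items", [resolved]):
        for field in ("stringData", "data"):
            for key, value in doc.get(field, {}).items():
                if isinstance(value, str) and value.startswith(prefix):
                    with open(value[len(prefix):], encoding="utf-8") as fh:
                        doc[field][key] = fh.read()
    return resolved

def demo():
    """Write a constructed secret file, point the manifest at it, resolve it."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".secret") as fh:
        fh.write("hunter2")  # constructed sample secret
        path = fh.name
    try:
        manifest = json.loads(json.dumps(RENDERED_MANIFEST))
        manifest["stringData"]["password"] = "ref+file://" + path
        return resolve_file_refs(manifest)["stringData"]["password"]
    finally:
        os.remove(path)

if __name__ == "__main__":
    assert plaintext_secret_values(RENDERED_MANIFEST) == []
    print(demo())
```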