A good runtime secret option (thus avoiding exposing them in the nix store) is loading values with vals. A minimal example, using the file provider, might look like
default.nix
{ kubenix ? import ../../../.. }:
kubenix.evalModules.${builtins.currentSystem} {
module = { kubenix, ... }: {
imports = [ kubenix.modules.k8s ];
kubernetes.resources.secrets.example.stringData = {
password = "ref+file:///path/to/secret";
};
};
}
**NOTE**: The creation of `/path/to/secret` is out of scope but we recommend checking out one of the [secret managing schemes](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes).
Then it’s up to you when and where to apply from with something along the lines of:
pkgs.writeShellScript "apply" ''
cat /path/to/manifests | ${pkgs.vals}/bin/vals eval | ${pkgs.kubectl}/bin/kubectl -f -
''