Secrets

A good runtime secret option (thus avoiding exposing them in the nix store) is loading values with vals. A minimal example, using the file provider, might look like

    default.nix
    
{ kubenix ? import ../../../.. }:
kubenix.evalModules.${builtins.currentSystem} {
  module = { kubenix, ... }: {
    imports = [ kubenix.modules.k8s ];
    kubernetes.resources.secrets.example.stringData = {
      password = "ref+file:///path/to/secret";
    };
  };
}
**NOTE**: The creation of `/path/to/secret` is out of scope but we recommend checking out one of the [secret managing schemes](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes).

Then it’s up to you when and where to apply from with something along the lines of:

pkgs.writeShellScript "apply" ''
  cat /path/to/manifests | ${pkgs.vals}/bin/vals eval | ${pkgs.kubectl}/bin/kubectl -f -
''