Skip to content

Secrets

You can connect Nyl with various secret providers to retrieve external or encrypted data that can be used in your templates. This is useful for keeping sensitive data out of your configuration files and ensuring that they are not accidentally committed to a version control system.

Configuration

Secret providers are configured in a nyl-secrets.<ext> file that is located in the current working directory or any of its parent directories. Secret providers may also be defined in a Project configuration file, though the file closer to the working directory will take precedence.

There is no "global" way to define a secrets provider, as secrets are considered project-specific.

As with other configuration file types, the file extension can be .toml, .yaml, or .json.

The configuration contains any number of named secret providers. When not specified otherwise, Nyl will assume that the provider to use is named default. The provider to use can be overriden by passing the corresponding CLI option to respective Nyl commands or by setting the NYL_SECRETS environment variable.

Inspecting secret providers

You can inspect secret providers using the nyl secrets command.

nyl secrets list            List the keys for all secrets in the provider.
nyl secrets get <key>       Get the value of a secret as JSON.

Templating

Secrets are made available to templates using the secrets.get() function. The function takes a single argument, the key of the secret to retrieve.

Example

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
stringData:
  password: ${{ secrets.get("my-password") }}

Provider: Sops

Allows you to retrieve secrets from a Sops encrypted file. For a GitOps workflow, the file must be commited to the same repository to ensure that Nyl has access to it when it is invoked as an ArgoCD Config Management plugin. You also must have the sops program installed.

Example

nyl-secrets.toml
[default]
type = "sops"
path = "../secrets.yaml"
nyl-secrets.yaml
default:
  type: sops
  path: ../secrets.yaml
nyl-secrets.json
{
  "default": {
    "type": "sops",
    "path": "../secrets.yaml"
  }
}

The secrets will be decoded using the sops program, hence all the typical ways to configure Sops and how it decrypts files apply. The path field is relative to the location of the nyl-secrets.yaml file.