Secrets
You can connect Nyl with various secret providers to retrieve external or encrypted data that can be used in your templates. This is useful for keeping sensitive data out of your configuration files and ensuring that they are not accidentally committed to a version control system.
Configuration
Secret providers are configured in a nyl-secrets.<ext> file that is located in the current working directory or any of its parent directories. Secret providers may also be defined in a Project configuration file, though the file closer to the working directory will take precedence.
There is no "global" way to define a secrets provider, as secrets are considered project-specific.
As with other configuration file types, the file extension can be .toml, .yaml, or .json.
The configuration contains any number of named secret providers. Unless specified otherwise, Nyl assumes that the provider to use is named default. The provider to use can be overridden by passing the corresponding CLI option to the respective Nyl commands or by setting the NYL_SECRETS environment variable.
Inspecting secret providers
You can inspect secret providers using the nyl secrets command.
nyl secrets list: List the keys for all secrets in the provider.
nyl secrets get <key>: Get the value of a secret as JSON.
Templating
Secrets are made available to templates using the secrets.get() function. The function takes a single argument, the key of the secret to retrieve.
Example
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
stringData:
  password: ${{ secrets.get("my-password") }}
Provider: Sops
Allows you to retrieve secrets from a Sops encrypted file. For a GitOps workflow, the file must be committed to the same repository to ensure that Nyl has access to it when it is invoked as an ArgoCD Config Management plugin. You also must have the sops program installed.
Example
The secrets will be decrypted using the sops program, hence all the typical ways to configure Sops and how it decrypts files apply. The path field is relative to the location of the nyl-secrets.yaml file.
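Because the Sops file has to be committed to the repository, it is worth checking before each commit that every value in it is actually encrypted. The following is an added example, not part of Nyl or Sops: it assumes the file uses Sops' JSON store, plaintext_leaves is a hypothetical helper name, and the sample documents are constructed.

```python
import json
import re

# Shape of a Sops-encrypted value: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")


def plaintext_leaves(doc_text):
    """Return the paths of non-empty values in a Sops JSON file that are not encrypted."""
    doc = json.loads(doc_text)
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(meta, dict) or "mac" not in meta:
        return ["<document>: no sops metadata, file was never encrypted"]
    # Keys with this suffix (and everything below them) are left in plaintext on purpose.
    # Files using other selection options are not special-cased, so their deliberately
    # unencrypted keys are reported as well (the check errs on the safe side).
    suffix = meta.get("unencrypted_suffix")
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if not (suffix and key.endswith(suffix)):
                    walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        # Empty strings and nulls carry no secret and are not flagged.
        elif node not in ("", None) and not (isinstance(node, str) and ENC_VALUE.match(node)):
            found.append(path)

    walk({k: v for k, v in doc.items() if k != "sops"}, "")
    return found


# Constructed samples: the ciphertext fields are placeholders, not real Sops output.
ENC = "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]"
META = {"mac": ENC, "version": "0.0.0", "unencrypted_suffix": "_unencrypted"}
GOOD = json.dumps({"my-password": ENC, "note_unencrypted": "rotate yearly", "sops": META})
BAD = json.dumps({"my-password": ENC, "db": {"users": [{"token": "hunter2"}]}, "sops": META})
RAW = json.dumps({"my-password": "hunter2"})

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("RAW", RAW)):
        print(name, plaintext_leaves(sample))
```

Run as a pre-commit or CI step, a non-empty result should fail the commit.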