| 7 Jul 2025 |
|  @colemickens:matrix.org left the room. | 21:51:22 |
| 9 Jul 2025 |
|  @jonhermansen:matrix.org left the room. | 01:05:54 |
| @jonhermansen:matrix.org joined the room. | 01:15:17 |
|  ZeroEcks joined the room. | 01:58:29 |
|  William Sewell joined the room. | 17:51:41 |
| 10 Jul 2025 |
|  Justinas joined the room. | 23:00:49 |
| 11 Jul 2025 |
|  @felix.schroeter:scs.ems.host joined the room. | 17:01:39 |
|  felschr joined the room. | 17:01:48 |
| 12 Jul 2025 |
|  plan9better joined the room. | 11:05:14 |
| 13 Jul 2025 |
|  n4ch723hr3r joined the room. | 08:46:06 |
|  Marie changed their profile picture. | 20:12:19 |
| 15 Jul 2025 |
 Daniel Ramos | Hello!
Is anyone managing Kubernetes with Nix?
I’m looking into the simplest and most secure way to handle secrets. I tried using AgeNix to deploy them, but it isn’t working for me. I also suspect this might not be best practice, since during evaluation the secret could end up embedded in the derivation generated by Nix.
What do you use to manage cluster secrets?
Thanks!
| 15:54:08 |
 magic_rb | I use openbao-agent and vault | 15:55:02 |
| magic_rb | Its hacky but it works until i put kubernetes down | 15:55:12 |
| Daniel Ramos | I'm seeing sops being used for declaring secrets: https://discourse.nixos.org/t/k3s-clusters-and-deployments-in-pure-nix/61794#p-205785-deploy-secrets-6
Then.. can I suppose that my approach with agenix is safe?
| 16:59:37 |
| Daniel Ramos | * I'm seeing sops being used for declaring secrets at the docs: https://discourse.nixos.org/t/k3s-clusters-and-deployments-in-pure-nix/61794#p-205785-deploy-secrets-6
Then.. can I suppose that my approach with agenix is safe?
| 16:59:57 |
 Zhaofeng Li |
Then.. can I suppose that my approach with agenix is safe?
No, your secrets will end up in the store
| 17:11:53 |
| Zhaofeng Li | (which might be acceptable depending on your risk model) | 17:12:13 |
| n4ch723hr3r | i'd still caution against it since you might set up a cache in the future for example and accidentialy upload some credentials | 17:18:13 |
| Zhaofeng Li | but I guess the more important issue is that reading config.age.secrets.x.path is semantically incorrect | 17:18:37 |
| Zhaofeng Li | (the path is on the target host after activation, not your host running the evaluation) | 17:18:41 |
| Daniel Ramos | I guess I'm going with sealed secrets in the end. | 17:19:00 |
