| 6 Jul 2025 |
| Cathal changed their display name from CJ to Cathal. | 17:17:37 |
| 7 Jul 2025 |
| OpalBolt joined the room. | 06:04:51 |
| colemickens 🏳️🌈 left the room. | 21:51:22 |
| 9 Jul 2025 |
| jonhermansen left the room. | 01:05:54 |
| jonhermansen joined the room. | 01:15:17 |
| ZeroEcks joined the room. | 01:58:29 |
| William Sewell joined the room. | 17:51:41 |
| 10 Jul 2025 |
| Justinas joined the room. | 23:00:49 |
| 11 Jul 2025 |
| @felix.schroeter:scs.ems.host joined the room. | 17:01:39 |
| felschr joined the room. | 17:01:48 |
| 12 Jul 2025 |
| plan9better joined the room. | 11:05:14 |
| 13 Jul 2025 |
| n4ch723hr3r joined the room. | 08:46:06 |
| Marie changed their profile picture. | 20:12:19 |
| 15 Jul 2025 |
Daniel Ramos | Hello!
Is anyone managing Kubernetes with Nix? I’m looking into the simplest and most secure way to handle secrets. I tried using AgeNix to deploy them, but it isn’t working for me. I also suspect this might not be best practice, since during evaluation the secret could end up embedded in the derivation generated by Nix.
What do you use to manage cluster secrets? Thanks!
| 15:54:08 |
magic_rb | I use openbao-agent and vault | 15:55:02 |
magic_rb | It's hacky but it works until I put Kubernetes down | 15:55:12 |
Daniel Ramos | I'm seeing sops being used for declaring secrets: https://discourse.nixos.org/t/k3s-clusters-and-deployments-in-pure-nix/61794#p-205785-deploy-secrets-6
Then... can I suppose that my approach with agenix is safe?
| 16:59:37 |
Daniel Ramos | * I'm seeing sops being used for declaring secrets at the docs: https://discourse.nixos.org/t/k3s-clusters-and-deployments-in-pure-nix/61794#p-205785-deploy-secrets-6
Then... can I suppose that my approach with agenix is safe?
| 16:59:57 |
Zhaofeng Li |
Then... can I suppose that my approach with agenix is safe?
No, your secrets will end up in the store
| 17:11:53 |
Zhaofeng Li | (which might be acceptable depending on your risk model) | 17:12:13 |
n4ch723hr3r | I'd still caution against it since you might set up a cache in the future, for example, and accidentally upload some credentials | 17:18:13 |
Zhaofeng Li | but I guess the more important issue is that reading config.age.secrets.x.path is semantically incorrect | 17:18:37 |
Zhaofeng Li | (the path is on the target host after activation, not your host running the evaluation) | 17:18:41 |
Daniel Ramos | I guess I'm going with sealed secrets in the end. | 17:19:00 |
Daniel Ramos | thanks for the help 🫶🏽 | 17:19:08 |
Daniel Ramos | Another question: does anyone know if it's possible to inject Helm chart values via YAML? Reading the docs, it seems that it only supports Nix attribute sets? | 20:08:19 |
Daniel Ramos | (sorry, I don't know if this is the right channel for this kind of question) | 20:26:05 |
Zhaofeng Li | Doesn't look easy, but you could use a derivation to parse YAML into JSON and then read it from Nix (import from derivation). But anyway, personally I don't like the HelmChart CRD in k3s and render everything locally so I can easily patch and check diffs before applying. I've been having fun with tanka, which I recently switched to from kustomize | 20:40:34 |
Zhaofeng Li | You don't have to use Nix and k3s all the way, and half-baked abstractions can be counterproductive | 20:41:34 |
Zhaofeng Li | Actually, you could just bypass the NixOS module altogether and emit your own HelmChart resource with valuesContent containing the YAML. But still, I personally don't use it | 20:43:36 |