004 - Secrets Syncing
Automatically sync customer secrets into Kubernetes
May 10th, 2025
Customer Secrets
Customer input secrets can be defined in your secrets.toml config. This allows you to define secrets that need to be added by users when provisioning an install via the CloudFormation stack.
You can define a secret with the following config:
Templating can be used on any field, allowing you to dynamically namespace secrets and other things. Since secrets are synced before components are
required secrets will cause the CloudFormation Stack to fail if not added.
Auto Generated Secrets
You can automatically generate a secret value by adding the auto_generate: true field.
For instance, to create a unique value that is configured in your cluster:
Automatic Syncing
You can automatically sync secrets into your sandbox Kubernetes cluster by adding the kubernetes_sync: true value to your config.
Syncing can be disabled via your config, and requires that correct permissions are enabled for the Provision role in your permissions.toml.
Outputs
You can use the outputs of a synced secret using the {{.nuon.secrets}} template. The values
If you do not see your secrets in {{.nuon.secrets}}, it means you do not have syncing on. You can reference the source ARN directly using {{.nuon.install_stack.outputs}}.
If you are having trouble working with your state, we recommend adding it directly to your readme using the following block.
Life Cycle
Currently secrets are synced on Provision, Reprovision and ReprovisionSandbox workflows.
Fixes
- Fixed an issue where the UI attempted to display Terraform state on all component types.
- Fixed a bug with dependency ordering.