Secret management in Noxus is designed to separate platform-level infrastructure credentials from workspace-specific runtime secrets.

What Belongs In Secrets

  • Infrastructure: Database and Redis credentials, storage access keys.
  • Identity: Auth provider (OIDC/SAML) client secrets and signing keys.
  • AI Providers: Global API keys for model providers (OpenAI, Anthropic, etc.).
  • Integrations: Credentials for third-party tools used across the platform.

Common Secret Backends

Noxus supports several backends for storing and injecting secrets depending on your deployment model.

Native Secrets & External Secret Operators
  • Store values in Kubernetes Secrets within the relevant namespaces.
  • Inject via envFrom when a service needs every key of a Secret, or via an explicit secretKeyRef when a specific container needs only selected keys.
  • Support for External Secrets Operator to sync from AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault.
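The following manifests are an added example, not from the Noxus documentation or chart, showing the three pieces above side by side: a native Kubernetes Secret, an ExternalSecret that has External Secrets Operator sync a key from AWS Secrets Manager, and two Deployments that consume them with envFrom and secretKeyRef respectively. The namespace, Secret names, the ClusterSecretStore name, the Secrets Manager path and the image tags are assumptions.

```yaml
# Added example (not Noxus project code). Names are assumptions.
---
# Native Kubernetes Secret holding platform-wide infrastructure credentials.
apiVersion: v1
kind: Secret
metadata:
  name: noxus-platform
  namespace: noxus
type: Opaque
stringData:
  # Constructed placeholder values; never commit real credentials.
  DATABASE_URL: "postgresql://noxus:REPLACE_ME@postgres.noxus.svc:5432/noxus"
  REDIS_URL: "redis://redis.noxus.svc:6379/0"
---
# External Secrets Operator pulls the AI provider key from AWS Secrets Manager
# and materialises it as the Kubernetes Secret named under spec.target.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: noxus-ai-providers
  namespace: noxus
spec:
  refreshInterval: 1h              # re-read the store hourly, so rotations propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager      # assumed store name
  target:
    name: noxus-ai-providers       # Secret that ESO creates and keeps updated
    creationPolicy: Owner
  data:
    - secretKey: OPENAI_API_KEY
      remoteRef:
        key: noxus/prod/openai     # assumed path in Secrets Manager
        property: api_key          # assumed JSON field inside that entry
---
# Backend: receives every key of the platform Secret via envFrom, but nothing
# from the AI provider Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: noxus-backend
  namespace: noxus
spec:
  selector:
    matchLabels: { app: noxus-backend }
  template:
    metadata:
      labels: { app: noxus-backend }
    spec:
      containers:
        - name: backend
          image: noxus/backend:REPLACE_ME   # placeholder tag
          envFrom:
            - secretRef:
                name: noxus-platform
---
# Worker: the same platform Secret via envFrom, plus one key from the
# ESO-managed Secret via secretKeyRef, so only workers hold the AI key.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: noxus-worker
  namespace: noxus
spec:
  selector:
    matchLabels: { app: noxus-worker }
  template:
    metadata:
      labels: { app: noxus-worker }
    spec:
      containers:
        - name: worker
          image: noxus/worker:REPLACE_ME    # placeholder tag
          envFrom:
            - secretRef:
                name: noxus-platform
          env:
            - name: OPENAI_API_KEY
              valueFrom:
                secretKeyRef:
                  name: noxus-ai-providers
                  key: OPENAI_API_KEY
```

A quick check after applying: `kubectl -n noxus get externalsecret noxus-ai-providers` should report a Ready condition, and `kubectl -n noxus get secret noxus-ai-providers` should exist without anyone having created it by hand. The split between envFrom and secretKeyRef is what keeps the AI key out of the backend's environment.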

Secret Injection Strategies

Noxus allows for granular control over where secrets are exposed within the platform architecture.

Global Platform Secrets

These are injected into all services (Frontend, Backend, Workers, Beat).
  • Use Case: Database connection strings, Redis URLs, and core authentication secrets.
  • Implementation: Defined in the primary Helm values or the main /env.vm file.

Worker-Only Secrets

Inject secrets exclusively into the Noxus Workers.
  • Use Case: Proprietary API keys for custom nodes, database strings for specific ETL flows, or credentials for internal tools.
  • Benefit: Limits the “blast radius” by ensuring the web-facing frontend and backend never have access to these sensitive runtime credentials.

Pool-Specific Secrets (Kubernetes)

For advanced isolation, secrets can be injected into specific worker pools.
  • Use Case: A “Finance” worker pool that needs access to a secure banking API, while the “General” pool does not.
  • Implementation: Configured under the worker.pools[].extraEnv or worker.pools[].extraSecretMounts in the Helm chart.
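A values.yaml excerpt, added here as an example and not taken from the Noxus chart, showing the "Finance" versus "General" pool split described above. The key paths worker.pools[].extraEnv and worker.pools[].extraSecretMounts are the ones the text names; the pool names, Secret names, and the exact shape of each extraEnv and extraSecretMounts entry (standard Kubernetes env syntax and a name/secretName/mountPath mount) are assumptions about the chart.

```yaml
# Added example (not the Noxus chart's own values). Entry shapes are assumptions.
worker:
  pools:
    - name: general
      replicas: 3
      # No pool-specific secrets: this pool sees only the global platform secrets.
      extraEnv: []
      extraSecretMounts: []

    - name: finance
      replicas: 1
      # Only the finance pool receives the banking API credentials.
      extraEnv:
        - name: BANKING_API_KEY
          valueFrom:
            secretKeyRef:
              name: noxus-finance            # assumed Secret, created by ESO or kubectl
              key: BANKING_API_KEY
      extraSecretMounts:
        - name: banking-mtls
          secretName: noxus-finance-mtls     # assumed Secret holding client cert + key
          mountPath: /var/run/secrets/banking
          readOnly: true
```

To confirm the isolation actually rendered, run `helm template` with these values and check that the string BANKING_API_KEY appears only in the finance pool's Deployment, not in the general pool, the backend or the frontend.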

Rotation & Security Guidelines

  • Regular Rotation: Rotate high-risk credentials (like API keys) on a 30-90 day schedule.
  • Least Privilege: Only inject secrets into the specific services or worker pools that require them.
  • Automated Reloads: In Kubernetes, use tools like reloader to automatically restart pods when their underlying secrets are updated.
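As an added example (not from the Noxus documentation), the annotation that Stakater Reloader watches, placed on a worker Deployment so that a rotated Secret produces a rolling restart rather than pods running with stale credentials. The Deployment and Secret names are assumptions; the annotation keys are Reloader's own.

```yaml
# Added example (not Noxus project code). Names are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: noxus-worker-finance
  namespace: noxus
  annotations:
    # Restart this Deployment only when the named Secret changes, rather than
    # reacting to every Secret or ConfigMap the pod references.
    secret.reloader.stakater.com/reload: "noxus-finance"
spec:
  selector:
    matchLabels: { app: noxus-worker-finance }
  template:
    metadata:
      labels: { app: noxus-worker-finance }
    spec:
      containers:
        - name: worker
          image: noxus/worker:REPLACE_ME    # placeholder tag
          env:
            - name: BANKING_API_KEY
              valueFrom:
                secretKeyRef:
                  name: noxus-finance
                  key: BANKING_API_KEY
# Rotation then needs no manual restart. Updating the Secret in place, e.g.
#   kubectl -n noxus create secret generic noxus-finance \
#     --from-literal=BANKING_API_KEY=NEW_VALUE --dry-run=client -o yaml | kubectl apply -f -
# or an ESO refresh after the value changed upstream, is enough to trigger the rollout.
```

With ESO in the picture, the rotation happens upstream (in Secrets Manager, Vault or Key Vault), ESO rewrites the Kubernetes Secret on its next refreshInterval, and Reloader restarts only the workload annotated for that Secret, which keeps the rotation within the pool that holds the credential.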