Skip to main content

Overview

Niro can manage Kubernetes ConfigMap and Secret resources for a connected cluster. Use this when an app needs runtime configuration, credentials, API keys, webhook URLs, or feature flags that should exist in the cluster before the app starts.
ResourceUse forVisibility
ConfigMapNon-sensitive app configurationValues are shown in the dashboard
SecretPasswords, tokens, webhook URLs, private keysValues are encrypted at rest and redacted after save
Do not put sensitive values in a ConfigMap. Use a Secret for credentials and tokens.

Prerequisites

  • A cluster connected to Niro
  • The apply capability enabled on that cluster
Enable apply by re-running the installer: 
curl -fsSL https://get.niro.cx/install.sh | NIRO_ENABLE_APPLY=1 sh
The capability appears in the dashboard after the next agent heartbeat, usually within 15 seconds.

Create a ConfigMap or Secret

  1. Open Clusters in the Niro dashboard.
  2. Select the cluster.
  3. Open the Config panel.
  4. Choose ConfigMap or Secret.
  5. Enter the namespace, name, and key-value pairs.
  6. Click Create ConfigMap or Create Secret.
Niro applies the resource to the selected namespace and shows its status. If the namespace does not exist, Niro can create it. Namespace deletion is never performed by Niro.

Reference from an app

After the resource exists, reference it from the Visual Builder in the app’s Secrets section. Use envFrom when the container should receive every key: 
envFrom:
  - configMapRef:
      name: app-config
  - secretRef:
      name: app-secrets
Use secretKeyRef or configMapKeyRef when the container should receive one key under a specific environment variable name: 
env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: app-secrets
        key: DATABASE_URL
The app and the referenced Secret or ConfigMap must be in the same namespace.

Update values

  1. Open the cluster’s Config panel.
  2. Select ConfigMap or Secret.
  3. Click Edit on the resource.
  4. Change keys or values.
  5. Click Save changes.
Secret values are redacted after save. Leave a redacted value unchanged to preserve it, or replace it with a new value to rotate it.
Kubernetes does not restart pods automatically when environment variables from a Secret or ConfigMap change. Restart or redeploy the workload if the app reads those values only at startup.

Delete a resource

  1. Open the cluster’s Config panel.
  2. Select ConfigMap or Secret.
  3. Click Delete on the resource.
  4. Confirm the deletion.
Niro deletes the named resource from the target namespace and stops tracking it. Before deleting, make sure no active workload still references it. New pods may fail to start if they reference a missing Secret or ConfigMap.

GitOps and direct management

Config resources managed from the cluster Config panel are applied directly to the cluster. They are not committed to your Git repo. If you want Git to be the source of truth for a ConfigMap or Secret, manage that resource in your repository instead. For sensitive values, avoid committing plaintext secret values to Git.

Required permissions

The apply capability grants Niro permission to create, update, patch, and delete the namespaced resources it manages, including ConfigMap and Secret resources. It can create and patch namespaces, but it never deletes namespaces. If create or delete fails with a Kubernetes permission error, re-run the installer with apply enabled: 
curl -fsSL https://get.niro.cx/install.sh | NIRO_ENABLE_APPLY=1 sh
Last modified on June 12, 2026