Bring any secret store.
API keys, tokens, and credentials live behind one Secrets service. The default install ships OpenBao so you have a working KMS the moment the chart deploys. Plug in HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, or any backend your security team already operates.
Read-only at the workload edge.
Workers never hold long-lived credentials. They authenticate to the Secrets service using their Kubernetes service account, fetch a scoped, short-lived secret, and expose it in memory for the duration of the run. When the pod finishes, the secret is gone with it. Secrets are scoped per agent, audited per run, and revocable at any time.
Ready to deploy?
Install Nightshift into your own cluster with a single Helm chart.
