diff --git a/.gitignore b/.gitignore
index aa1ec1e..7bd3ca8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 *.tgz
+
+secrets/
diff --git a/deploy/Makefile b/deploy/Makefile
new file mode 100644
index 0000000..1177750
--- /dev/null
+++ b/deploy/Makefile
@@ -0,0 +1,11 @@
+.PHONY: dev prod
+
+dev:
+ @kubectl kustomize --enable-helm dev
+
+prod: load-prod-env
+ @kubectl kustomize --enable-helm prod | envsubst
+
+load-prod-env:
+ $(eval include prod/secrets/env)
+ $(eval export)
diff --git a/deploy/prod/secrets/README.md b/deploy/prod/secrets/README.md
new file mode 100644
index 0000000..54cb482
--- /dev/null
+++ b/deploy/prod/secrets/README.md
@@ -0,0 +1,7 @@
+# Secrets
+
+TODO: find a way to encrypt these secrets at rest on dev machine.
+
+### exporter-password
+
+The basic auth password required to access node-exporter endpoints. See ansible-vault.
diff --git a/deploy/prod/secrets/env.example b/deploy/prod/secrets/env.example
new file mode 100644
index 0000000..b735602
--- /dev/null
+++ b/deploy/prod/secrets/env.example
@@ -0,0 +1,2 @@
+NETFLUX_PRIVATE_IP=1.2.3.4
+POSTGRESQL_IP=1.2.3.4
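Review bot: The new `secrets/` pattern in .gitignore also covers `deploy/prod/secrets/`, where this same commit tracks `README.md` and `env.example`, so those files presumably had to be force-added and any file placed there later is ignored without notice. Getting used to `git add -f` inside a secrets directory is how the real `env` file ends up committed. Ignoring the directory contents and re-including the documented files makes the intent explicit: `**/secrets/*`, `!**/secrets/README.md`, `!**/secrets/*.example`.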
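Review bot: In deploy/Makefile the `prod` recipe pipes the rendered manifests through a bare `envsubst`, which replaces every `$VAR` or `${VAR}` reference with the environment's value (or an empty string when unset), and `$(eval export)` in `load-prod-env` exports every make variable, so any shell-style reference in the rendered output is rewritten, not only the placeholders from `prod/secrets/env`. Restrict substitution to the intended names, e.g. `@kubectl kustomize --enable-helm prod | envsubst '$$NETFLUX_PRIVATE_IP $$POSTGRESQL_IP'` (names taken from `env.example`; extend the list to match the real file). The pipeline also reports only the exit status of `envsubst`, so a failed `kubectl kustomize` can still look like a successful render; `SHELL := bash` with `.SHELLFLAGS := -eu -o pipefail -c` would surface it. Because `$(eval include prod/secrets/env)` parses that file as make syntax, a value containing `$` or `#` would be altered before export, which deserves a comment such as `# prod/secrets/env is parsed by make: plain KEY=value only, no $ or # in values`; `load-prod-env` should also be added to `.PHONY`.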