Recently they’ve introduced Berglas which has been quite nice in handling secrets. You can store things in env variables as just secret names and it “transforms” them transparently for you into real secrets at runtime. And you can keep your env vars safely in version control.

So at least one problems solved.