Use External Secrets

helm/.gitignore

@@ -0,0 +1 @@
+charts/

helm/external-secrets/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+- name: external-secrets
+  valuesInline:
+    fullnameOverride: external-secrets # otherwise all resource names are inexplicably prefixed with "release-name-"
+    bitwarden-sdk-server:
+      enabled: false # default, bitwarden-sdk-server doesn't work with vaultwarden (https://github.com/external-secrets/bitwarden-sdk-server/issues/18)
+  namespace: external-secrets
+  version: v0.10.0
+  repo: https://charts.external-secrets.io

helm/render-all.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# Usage: from the git root directory (../ relative to this file)
+#  podman run -v $(pwd):/repo --workdir /repo/helm nixery.dev/shell/kubectl/kubernetes-helm sh -c ./render-all.sh
+set -exuo pipefail
+
+header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
+
+echo "${header}" > ../k8s/operators/external-secrets/bundle.yaml
+kubectl kustomize --enable-helm external-secrets/ >> ../k8s/operators/external-secrets/bundle.yaml