infra/k8s/matrix/secrets-init.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: secrets-init
data:
  initialize-secrets.py: |
    #!/usr/bin/python
    import os
    import sys

    for f in sys.argv[1:]:
      with open(f"/config/{f}") as r:
        c = r.read()

      for k, v in os.environ.items():
        if not k.startswith("SECRET_"):
          continue

        if v is not None:
          c = c.replace(k, v)
          print("replaced", k)

      if os.getenv("DEBUG_PRINT_SECRETS_IN_PLAINTEXT") == "i promise to rotate the secrets after I do this":
        print(c)

      with open(f"/data/{f}", 'w') as w:
        w.write(c)