How should I protect Helm secrets in values.yaml?

There are some Helm charts that I deploy that contain sensitive information, like DB passwords, certificates, etc. But I’d like to share the values.yaml file with the rest of the team without pushing these values to GitHub.

I suppose there are a few options here – I could write a script to pull the latest secrets from a secrets manager or Kubernetes secrets and inject those secrets into the values.yaml file each time I’d like to install/upgrade, or I could use Terraform’s Helm provider and access the secrets as remote data sources… I’ve also seen the helm-secrets plugin, which I think writes encrypted secrets to git, but our team uses either k8s secrets or GCP’s secret manager instead of GitHub.

The biggest priority is making the Helm charts relatively easy to deploy for the rest of the team.

How are other people handling this? Anything I should look out for?
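
One way to do the first option from the question (pull secrets at deploy time so the shared values.yaml never contains them), as an added example that is not part of the original post. It assumes the `gcloud` and `helm` CLIs are installed; the secret names, value paths, release name and chart path are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed mapping, one per line:
#   <Helm value path>=<GCP Secret Manager secret name>   (all names hypothetical)
SECRET_MAP='db.password=myapp-db-password
tls.key=myapp-tls-key'

# Print the latest version of one secret to stdout.
fetch_secret() {
  gcloud secrets versions access latest --secret="$1"
}

# deploy RELEASE CHART
# values.yaml (committed to git) holds only non-sensitive settings. Each secret
# is written to a file in a private temp dir and passed with --set-file, so it
# never appears in argv, shell history, or a file inside the repository.
deploy() {
  release=$1
  chart=$2
  tmp=$(mktemp -d) || return 1        # mktemp -d creates the directory mode 0700
  set -- upgrade --install "$release" "$chart" -f values.yaml
  i=0
  while IFS='=' read -r key secret; do
    [ -n "$key" ] || continue
    i=$((i + 1))
    # Redirect straight to a file: multi-line values (certs, keys) stay intact.
    if ! fetch_secret "$secret" > "$tmp/$i"; then
      echo "failed to fetch secret: $secret" >&2
      rm -rf "$tmp"
      return 1                        # abort before helm runs with a missing value
    fi
    set -- "$@" --set-file "$key=$tmp/$i"
  done <<EOF
$SECRET_MAP
EOF
  rc=0
  helm "$@" || rc=$?
  rm -rf "$tmp"                       # remove plaintext copies on success or failure
  return "$rc"
}

# Usage: sh deploy.sh <release> <chart>
if [ "$#" -ge 2 ]; then
  deploy "$1" "$2"
fi
```

Values supplied this way are still stored in the Helm release record in the cluster, so anyone who can run `helm get values` on the release can read them back; restrict access to the release namespace accordingly.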