Hashicorp Vault + Vault Config Operator + external-secrets.
I have a simple chart that can add credentials to different apps which mostly gets used in argocd with its multichart functionality.
A simple bash script to create the vault policies, which use the k8s back end to allow auth.