[feature] Secrets stored in omni

[punasusi]

Problem Description

I would like to store secrets in omni which can be used as part of a cluster template, but not shared or exposed, only added when Omni compiles the template.

Solution

Similar to GitHub Actions secrets, this could be an add only (no view) secret, and a reference which can be rendered when clusters are deployed. This would allow initial bootstrap secrets (for example to get ExternalSecrets connected and working) in a new cluster, and still not have them visible in cluster templates or patch config screens.

Alternative Solutions

I don't see this as a replacement for External Secrets, but a method to give External Secrets and Tailscale the secrets needed to bootstrap a cluster.

Notes

I'm trying to use clusters almost exclusively ephemerally, so bootstrapping a cluster is a multiple times per day occurance. Removing the need to have secrets in plain text would be very much appreciated.

[judahrand]

It would be great to also be able to deploy these secrets via omnictl. If that were possible then they could live, encrypted, in the same repo which defines the cluster template and be decrypted and deployed as part of CI/CD.