[Users] suggestion on managing secrets like aws-secret

I'm trying to adopt the opendatahub/kubeflow operator with kustomize to provisioning components like Hive/Trino, but one common requirement for running production system is credential management. what's the general suggestion on managing credentials required by opendatahub? k8s secrets? For example: https://github.com/opendatahub-io/odh-manifests/blob/master/trino/base/aw... I'd prefer not to manage credential in code via kustomize. It's ok by using environment variable plus kustomize secret generator, but it won't work if it's the operator pull then provisioning the opendatahub via kfctl/kustomize.