Keeping OIDC client_secret out of git
Darren Boss
darren.boss at computecanada.ca
Tue Jun 30 15:09:27 UTC 2020
For our IdP configuration we keep everything in a git repository which
gets cloned when the IdP starts up, with the exception of secrets,
which so far I've been able to load from a different source
(Kubernetes secrets), but I'm having a hard time coming up with a
solution for the OIDC metadata.

Has anyone doing something similar come up with a solution? So far
I'm only using trusted RPs backed by metadata in the filesystem. I
would like to get the client_secret out of the metadata files and
stored somewhere else. It could be another file on the filesystem
which allows me to load it from another source.
--
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
darren.boss at computecanada.ca
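
A startup-time merge of the kind the message above asks about, as an added example that is not part of the original post or of any IdP's own code. It assumes the git-tracked metadata is a JSON array of client objects keyed by `client_id`, and that secrets are mounted as one file per `client_id` (the layout a Kubernetes secret volume produces); `render_metadata` and all paths are hypothetical.

```python
import json
import os
import sys
import tempfile
from pathlib import Path


def render_metadata(tracked: Path, secrets_dir: Path, out: Path) -> int:
    """Write a copy of the tracked RP metadata with client_secret filled in.

    Returns the number of clients rendered. Raises instead of writing a
    partial file, so the IdP never starts with a client missing its secret.
    """
    clients = json.loads(tracked.read_text())
    for client in clients:
        cid = client["client_id"]
        # Guard: a secret committed to git by mistake is a hard failure.
        if "client_secret" in client:
            raise ValueError(f"{cid}: client_secret present in tracked file")
        # Guard: client_id is used as a file name, so reject path components.
        if not cid or Path(cid).name != cid or cid in (".", ".."):
            raise ValueError(f"{cid!r}: not usable as a secret file name")
        secret_file = secrets_dir / cid
        if not secret_file.is_file():
            raise FileNotFoundError(f"{cid}: no secret mounted at {secret_file}")
        secret = secret_file.read_text().strip()
        if not secret:
            raise ValueError(f"{cid}: mounted secret is empty")
        client["client_secret"] = secret

    # mkstemp creates the file with mode 0600; os.replace swaps it in
    # atomically so a reader never sees a half-written metadata file.
    fd, tmp = tempfile.mkstemp(dir=out.parent, prefix=out.name + ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(clients, fh, indent=2)
        os.replace(tmp, out)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(clients)


if __name__ == "__main__":
    # usage: render.py <tracked.json> <secrets-dir> <rendered.json>
    tracked_arg, secrets_arg, out_arg = map(Path, sys.argv[1:4])
    print(render_metadata(tracked_arg, secrets_arg, out_arg), "clients rendered")
```

The rendered file should live outside the git checkout, and the IdP would be pointed at it instead of the tracked file.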