Thanks for suggesting kubernetes-credentials-provider. The way I understand it, it "creates" the credentials at the time they are being used in the pipeline code. Any way to use it for system config or from non-pipeline jobs?
Using an init container?
Intercepting container creation is not the problem; the problem is adding another layer of processing between container creation and JCasC execution. As there does not seem to be a way to get JCasC to do the encoding of an individual variable value, it either has to be baked into the container build (so the automation that creates the container needs to be aware of which secrets happen to be used later as file-type secrets, which couples things I am glad are separate) or done somehow in between.
I like the idea of using a CredentialsProvider to implement JCasC-only credentials (which would be safe to read from the filesystem, I presume), though that would require changes to the JCasC format (as I understand it, they would no longer be in the system store). Meaning, all credentials are fine in the system section, but the one that refers to the master FS needs to be in a different section.
Thank you both for your inputs. I will dig deeper to see which of these is reasonably feasible.
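The "done somehow in between" option discussed above, as an added shell example that is not code from this thread, from JCasC or from any Jenkins plugin: an entrypoint/init step that runs after the container starts and before JCasC loads, base64-encodes a mounted secret file into an environment variable, and writes a JCasC fragment whose file credential takes its secretBytes from that variable (JCasC expands ${VAR} from the environment at load time, and a file credential's secretBytes is base64). The container image stays unaware of which secrets become file credentials. The mount path, the variable name KUBECONFIG_B64, the credential id, the output directory and the function names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or any Jenkins plugin. Runs between
# container start and JCasC load: mounted secret -> base64 env var ->
# JCasC fragment that references the env var. All names/paths are assumed.
set -eu

# Encode a file as one line of base64. Uses `base64 | tr` rather than
# GNU-only `base64 -w0` so it also works on BSD/macOS userlands.
encode_secret_file() {
  base64 < "$1" | tr -d '\n'
}

# Emit a JCasC fragment for a file-type credential. The YAML written to disk
# only contains the placeholder ${ENV_NAME}; the secret itself stays in the
# environment, so the config file is not a second copy of the secret.
render_file_credential_yaml() {
  cred_id="$1"; file_name="$2"; env_name="$3"
  cat <<EOF
credentials:
  system:
    domainCredentials:
      - credentials:
          - file:
              scope: GLOBAL
              id: "${cred_id}"
              fileName: "${file_name}"
              secretBytes: "\${${env_name}}"
EOF
}

# Wire-up for one secret: encode, export for the Jenkins process, and drop
# the fragment into the directory JCasC reads (assumed CASC_JENKINS_CONFIG dir).
# Caveat: the env var is readable by anything running as the same UID
# (e.g. via /proc/<pid>/environ), and a file credential is still usable by
# any job that can reference its id; this only removes the need to bake the
# encoding into the image.
prepare_jcasc_file_secret() {
  src="$1"; cred_id="$2"; env_name="$3"; out_dir="$4"
  val=$(encode_secret_file "$src")
  export "${env_name}=${val}"
  mkdir -p "$out_dir"
  render_file_credential_yaml "$cred_id" "$(basename "$src")" "$env_name" \
    > "$out_dir/$cred_id.yaml"
  chmod 0600 "$out_dir/$cred_id.yaml"
}

# Usage (assumed paths): run as the last step before exec'ing Jenkins.
#   prepare_jcasc_file_secret /run/secrets/kubeconfig kubeconfig-file \
#       KUBECONFIG_B64 /var/jenkins_home/casc_configs
#   exec /usr/local/bin/jenkins.sh
case "${1:-}" in
  demo)
    prepare_jcasc_file_secret "$2" "$3" "$4" "$5"
    cat "$5/$3.yaml"
    ;;
esac
```

The fragment file holds no secret material, only the placeholder, so it can be bind-mounted or committed alongside the rest of the JCasC config; the base64 value exists only in the environment of the Jenkins process, which is the same exposure JCasC already has for any ${VAR}-resolved secret.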