I definitely feel this pain. Changing environment variables at works sucks. JIRA ticket and then back and forth with SRE about whether we really need it.<p>So it all goes in code and defeats the whole purpose of having the app be configurable.<p>I don't know if secret management should be part of the same system though.
We had a dynamic configuration system for much of our configuration, but it didn't play well with environment variables.<p>And environment variables are a must, because that's the easiest way to get terraform created config (via a configmap).<p>We updated the dynamic configuration system so that a config value can now be "provided by" an environment variable. This is going a long way to helping us have a much more sane single place to look to understand all our configuration.