This bit us too. We use goodaddy's external secrets [1] to fetch secrets from AWS secrets manager and make them available to the cluster. It polls the secret every n seconds, but with many services consuming secrets, it can scale up pretty quickly and start to build up cost.

[1] https://github.com/godaddy/kubernetes-external-secrets