Kubernetes stores secrets as base64 encoded string in the template secrets.yaml file. When a pod is created and the secret is mounted then Kubernetes make sure to mount secret as plain text so that the application can use it.

Ideally on production; you will never use serets.yaml bcz you don’t want to expose your secrets. The best way is to manually use kubectl and add secrets.