diff --git a/tf/env/local/secrets-sql.tf b/tf/env/local/secrets-sql.tf
index d1778d6ba..540833f74 100644
--- a/tf/env/local/secrets-sql.tf
+++ b/tf/env/local/secrets-sql.tf
@@ -37,6 +37,7 @@ resource "kubernetes_secret" "sql-secrets-init-passwords" {
 "SQL_INIT_PASSWORD_API" = base64encode(random_password.sql-passwords["api"].result)
 "SQL_INIT_PASSWORD_MW" = base64encode(random_password.sql-passwords["mediawiki-db-manager"].result)
 "SQL_INIT_PASSWORD_BACKUPS" = base64encode(random_password.sql-passwords["backup-manager"].result)
+ "SQL_INIT_OBSERVER" = base64encode(random_password.sql-passwords["observer"].result)
 }
 }
diff --git a/tf/env/local/variables.tf b/tf/env/local/variables.tf
index 46b227e5c..f33731254 100644
--- a/tf/env/local/variables.tf
+++ b/tf/env/local/variables.tf
@@ -7,6 +7,7 @@ variable "sql-passwords" {
 "api",
 "mediawiki-db-manager",
 "backup-manager",
+ "observer"
 ]
 }
diff --git a/tf/env/staging/kubernetes-secrets.tf b/tf/env/staging/kubernetes-secrets.tf
index 2464eea42..b45c2c58a 100644
--- a/tf/env/staging/kubernetes-secrets.tf
+++ b/tf/env/staging/kubernetes-secrets.tf
@@ -1,5 +1,5 @@
 module "wbaas2-k8s-secrets" {
- source = "git::ssh://git@github.com/wmde/wbaas-deploy//tf//modules/k8s-secrets?ref=tf-module-k8s-secrets-3"
+ source = "../../modules-next/k8s-secrets"
 providers = {
 kubernetes = kubernetes.wbaas-2
 }
@@ -12,6 +12,7 @@ module "wbaas2-k8s-secrets" {
 sql_password_api = random_password.sql-passwords["staging-api"].result
 sql_password_mediawiki_db_manager = random_password.sql-passwords["staging-mediawiki-db-manager"].result
 sql_password_backup_manager = random_password.sql-passwords["staging-backup-manager"].result
+ sql_password_observer = random_password.sql-passwords["staging-observer"].result
 redis_password = random_password.redis-password.result
 recaptcha_v3_site_key = var.recaptcha_v3_site_key
 recaptcha_v3_secret = var.recaptcha_v3_secret
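Review bot: The new key `SQL_INIT_OBSERVER` breaks the `SQL_INIT_PASSWORD_<ROLE>` naming that the three existing keys in this `binary_data` map follow, and since these keys are presumably the variable names the SQL init script reads, a consumer expecting `SQL_INIT_PASSWORD_OBSERVER` will silently find nothing. Consider `"SQL_INIT_PASSWORD_OBSERVER" = base64encode(random_password.sql-passwords["observer"].result)`, renamed consistently in the module's `main.tf` and in whatever script consumes the secret. The enclosing `kubernetes_secret` resource starts above this hunk.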
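Review bot: Replacing the tag-pinned `ref=tf-module-k8s-secrets-3` source with the relative path `../../modules-next/k8s-secrets` removes the version pin, so a staging apply now picks up whatever is in the working tree's `modules-next` copy, including uncommitted edits, rather than a reviewed tag. That is a reasonable trade for a same-repository module, but it is worth recording the intent; a comment such as `# Local module: staging tracks modules-next directly, there is no version pin` above `source` would make it explicit for the next reader. The `module` block's remaining arguments continue past the second hunk.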
diff --git a/tf/env/staging/variables.tf b/tf/env/staging/variables.tf
index f59e84510..9fe0cead8 100644
--- a/tf/env/staging/variables.tf
+++ b/tf/env/staging/variables.tf
@@ -35,6 +35,7 @@ variable "sql-passwords" {
 "staging-api",
 "staging-mediawiki-db-manager",
 "staging-backup-manager",
+ "staging-observer"
 ]
 }
diff --git a/tf/modules-next/k8s-secrets/main.tf b/tf/modules-next/k8s-secrets/main.tf
new file mode 100644
index 000000000..40b2bcb70
--- /dev/null
+++ b/tf/modules-next/k8s-secrets/main.tf
@@ -0,0 +1,189 @@
+resource "kubernetes_secret" "smtp-credentials" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "smtp-credentials"
+ namespace = each.value
+ }
+
+ data = {
+ "username" = var.smtp_username
+ "password" = var.smtp_password
+ }
+}
+
+moved {
+ from = kubernetes_secret.smtp-credentials
+ to = kubernetes_secret.smtp-credentials["default"]
+}
+
+# Deprecated per https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#example-usage-save-key-in-kubernetes-secret---deprecated
+# but will do for now...
+resource "kubernetes_secret" "api-serviceaccount" {
+ metadata {
+ name = "api-serviceaccount"
+ }
+ data = {
+ "key.json" = base64decode(var.google_service_account_key_api)
+ }
+}
+
+# Deprecated per https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#example-usage-save-key-in-kubernetes-secret---deprecated
+# but will do for now...
+resource "kubernetes_secret" "clouddns-dns01-solver-svc-acct" {
+ metadata {
+ name = "clouddns-dns01-solver-svc-acct"
+ namespace = "cert-manager"
+ }
+ data = {
+ "key.json" = base64decode(var.google_service_account_key_dns)
+ }
+}
+
+# Used by the sql service for initial setup
+resource "kubernetes_secret" "sql-secrets-passwords" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "sql-secrets-passwords"
+ # TODO default? or staging?
+ namespace = each.value
+ }
+
+ binary_data = {
+ "mariadb-root-password" = base64encode(var.sql_password_root)
+ "mariadb-replication-password" = base64encode(var.sql_password_replication)
+ }
+}
+
+moved {
+ from = kubernetes_secret.sql-secrets-passwords
+ to = kubernetes_secret.sql-secrets-passwords["default"]
+}
+
+# Used by the init script on sql services for user and permissions setup
+resource "kubernetes_secret" "sql-secrets-init-passwords" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "sql-secrets-init-passwords"
+ # TODO default? or staging?
+ namespace = each.value
+ }
+
+ binary_data = {
+ "SQL_INIT_PASSWORD_API" = base64encode(var.sql_password_api)
+ "SQL_INIT_PASSWORD_MW" = base64encode(var.sql_password_mediawiki_db_manager)
+ "SQL_INIT_PASSWORD_BACKUPS" = base64encode(var.sql_password_backup_manager)
+ "SQL_INIT_OBSERVER" = base64encode(var.sql_password_observer)
+ }
+
+}
+
+moved {
+ from = kubernetes_secret.sql-secrets-init-passwords
+ to = kubernetes_secret.sql-secrets-init-passwords["default"]
+}
+
+# Used by the sql service for initial setup
+resource "kubernetes_secret" "redis-password" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "redis-password"
+ # Default NS for staging?
+ namespace = each.value
+ }
+
+ data = {
+ "password" = var.redis_password
+ }
+
+}
+
+moved {
+ from = kubernetes_secret.redis-password
+ to = kubernetes_secret.redis-password["default"]
+}
+
+resource "kubernetes_secret" "recaptcha-v3-secrets" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "recaptcha-v3-secrets"
+ namespace = each.value
+ }
+
+ data = {
+ "site_key" = var.recaptcha_v3_site_key,
+ "secret_key" = var.recaptcha_v3_secret
+ }
+}
+
+moved {
+ from = kubernetes_secret.recaptcha-v3-secrets
+ to = kubernetes_secret.recaptcha-v3-secrets["default"]
+}
+
+resource "kubernetes_secret" "recaptcha-v2-secrets" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "recaptcha-v2-secrets"
+ namespace = each.value
+ }
+
+ data = {
+ "site_key" = var.recaptcha_v2_site_key,
+ "secret_key" = var.recaptcha_v2_secret
+ }
+}
+
+moved {
+ from = kubernetes_secret.recaptcha-v2-secrets
+ to = kubernetes_secret.recaptcha-v2-secrets["default"]
+}
+
+resource "kubernetes_secret" "api-passport-keys" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "api-passport-keys"
+ # TODO assuming default is staging
+ namespace = each.value
+ }
+
+ binary_data = {
+ "oauth-public.key" = base64encode(var.api_passport_public_key)
+ "oauth-private.key" = base64encode(var.api_passport_private_key)
+ }
+
+}
+
+moved {
+ from = kubernetes_secret.api-passport-keys
+ to = kubernetes_secret.api-passport-keys["default"]
+}
+
+resource "kubernetes_secret" "api-app-secrets" {
+ for_each = toset(var.mediawiki_secret_namespaces)
+ metadata {
+ name = "api-app-secrets"
+ namespace = each.value
+ }
+
+ data = {
+ "api-app-key" = var.api_app_key
+ "api-app-jwt-secret" = var.api_app_jwt_secret
+ }
+}
+
+moved {
+ from = kubernetes_secret.api-app-secrets
+ to = kubernetes_secret.api-app-secrets["default"]
+}
+
+# Used by the wbaas-backup pod/job
+resource "kubernetes_secret" "backup-openssl-key" {
+ metadata {
+ name = "backup-openssl-key"
+ namespace = "default"
+ }
+
+ data = {
+ "key" = var.logical_backup_openssl_secret
+ }
+}
diff --git a/tf/modules-next/k8s-secrets/providers.tf b/tf/modules-next/k8s-secrets/providers.tf
new file mode 100644
index 000000000..ab3ee109a
--- /dev/null
+++ b/tf/modules-next/k8s-secrets/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.5.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tf/modules-next/k8s-secrets/variables.tf b/tf/modules-next/k8s-secrets/variables.tf
new file mode 100644
index 000000000..2bd5d30ee
--- /dev/null
+++ b/tf/modules-next/k8s-secrets/variables.tf
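Review bot: `sql-secrets-passwords` publishes the MariaDB root and replication passwords into every namespace in `var.mediawiki_secret_namespaces`, although the comment above it says only the SQL service's initial setup consumes them, so each extra namespace widens who can read root credentials to any workload or service account with secret read access there, and the `# TODO default? or staging?` notes suggest the target namespace was never settled. If the SQL service lives in a single namespace, drop the `for_each` and the matching `moved` block on that resource and set `namespace = "default"` (or a dedicated variable) so root credentials exist in exactly one place; the same reasoning applies to `sql-secrets-init-passwords`. Separately, the `# Used by the sql service for initial setup` comment above `redis-password` is a copy-paste leftover and should read something like `# Password for the redis service`. Which namespace hosts the SQL service is not visible in this diff and needs confirming against the deployment manifests.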
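Review bot: The `terraform` block pins only the `kubernetes` provider, but the `moved` blocks in this module's `main.tf` need Terraform 1.1 or later, and without a `required_version` an older CLI fails on them with an unhelpful parse error instead of a clear version message. Add `required_version = ">= 1.1"` next to `required_providers`. The file also lacks a trailing newline (`\ No newline at end of file`), which `terraform fmt` would add.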
@@ -0,0 +1,116 @@
+variable "smtp_username" {
+ type = string
+ description = "Username for SMTP server"
+}
+
+variable "smtp_password" {
+ type = string
+ description = "Password for SMTP server"
+ sensitive = true
+}
+
+variable "google_service_account_key_api" {
+ type = string
+ description = "google service account key for use in the api application"
+ sensitive = true
+}
+
+variable "google_service_account_key_dns" {
+ type = string
+ description = "google service account key for use by cert-manager to alter DNS records"
+ sensitive = true
+}
+
+variable "sql_password_root" {
+ type = string
+ description = "SQL root password for staging cluster"
+ sensitive = true
+}
+variable "sql_password_replication" {
+ type = string
+ description = "SQL replication password for staging cluster"
+ sensitive = true
+}
+
+variable "sql_password_api" {
+ type = string
+ description = "SQL platform api password for staging cluster"
+ sensitive = true
+}
+
+variable "sql_password_mediawiki_db_manager" {
+ type = string
+ description = "SQL mediawiki db manager password for staging cluster"
+ sensitive = true
+}
+
+variable "sql_password_backup_manager" {
+ type = string
+ sensitive = true
+}
+
+variable "sql_password_observer" {
+ type = string
+ sensitive = true
+}
+
+variable "redis_password" {
+ type = string
+ description = "redis password for staging cluster"
+ sensitive = true
+}
+
+variable "recaptcha_v3_site_key" {
+ type = string
+ description = "recaptcha_v3_site_key for the environment"
+}
+variable "recaptcha_v3_secret" {
+ type = string
+ description = "recaptcha_v3_secret for the environment"
+ sensitive = true
+}
+variable "recaptcha_v2_site_key" {
+ type = string
+ description = "recaptcha_v2_site_key for the environment"
+}
+variable "recaptcha_v2_secret" {
+ type = string
+ description = "recaptcha_v2_secret for the environment"
+ sensitive = true
+}
+
+variable "api_passport_public_key" {
+ type = string
+ description = "Laravel Passport OAuth Public Key for staging cluster"
+}
+
+variable "api_passport_private_key" {
+ type = string
+ description = "Laravel Passport OAuth Private Key for staging cluster"
+ sensitive = true
+}
+
+variable "api_app_key" {
+ type = string
+ description = "Laravel API App Key"
+ sensitive = true
+}
+
+variable "api_app_jwt_secret" {
+ type = string
+ description = "Laravel API App JWT Secret"
+ sensitive = true
+}
+
+variable "logical_backup_openssl_secret" {
+ type = string
+ description = "Key to encrypt backup tarballs"
+ sensitive = true
+}
+
+variable "mediawiki_secret_namespaces" {
+ type = list(string)
+ description = "The namespaces to make mediawiki secrets available in"
+ sensitive = false
+ default = ["default"]
+}
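Review bot: `sql_password_backup_manager` and `sql_password_observer` are the only password inputs without a `description` while every other variable in the file has one; add `description = "SQL backup-manager user password"` and `description = "SQL observer user password"`. The remaining descriptions say "for staging cluster", but the module is environment-generic (it takes `mediawiki_secret_namespaces` and the staging hunk in this diff consumes it as a local module), so "for the target cluster" would be accurate. `google_service_account_key_api` and `google_service_account_key_dns` are passed through `base64decode` in this module's `main.tf`, so their descriptions should state that the value is the base64-encoded key JSON, otherwise a caller supplying raw JSON gets a decode error at plan time.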