Thank you Jordan.
In the deck, I’ve demonstrated multiple repositories pointing to a single repository, but of course can point different clusters to different repository.
When talking about security, with this approach, each cluster holds the creds to authenticate to the Git repo that it’s synced with.
You can encrypt those creds (e.g. sealed secrets, SOPS) and also limit those creds to specific actions on the git source side.
Is that what you’ve meant in your question?