how do you handle secrets management in Kubernetes?

I'm trying to set up a new microservices architecture on GKE, and like usual, I'm hitting snags with keeping API keys, database passwords, and other sensitive stuff secure. Right now, we're using ConfigMaps, but that feels way too risky for anything super important. What are your usual go-to methods for managing secrets in Kubernetes? Do you use outside tools like HashiCorp Vault, or are the built-in Kubernetes features good enough for you?