diff --git a/docs/kustomization-ordering.md b/docs/kustomization-ordering.md
index f52b4ae..d225889 100644
--- a/docs/kustomization-ordering.md
+++ b/docs/kustomization-ordering.md
@@ -7,7 +7,13 @@ Current order:
 * Cilium
 * Cert Manager
 * DigitalOcean
+* Cert Manager (again, to deploy the ClusterIssuer)
 * Ingress NGINX
 * External DNS
 * Keycloak
 * Forgejo
+
+Any secrets necessary for any of the previous Kustomizations can be generated
+via scripts in the relevant Kustomization. There should be information in the
+Kustomization's README (which may be in a `docs` subdirectory) about how to
+generate the secrets.
diff --git a/kustomizations/cert-manager/kustomization.yaml b/kustomizations/cert-manager/kustomization.yaml
index 605c130..394350d 100644
--- a/kustomizations/cert-manager/kustomization.yaml
+++ b/kustomizations/cert-manager/kustomization.yaml
@@ -6,20 +6,20 @@ resources:
 - cluster-issuer
 - namespace.yaml
 replacements:
-  - source:
-      kind: Deployment
-      name: cert-manager-webhook
-      fieldPath: metadata.namespace
-    targets:
-      - select:
-          kind: MutatingWebhookConfiguration
-        fieldPaths:
-          - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
-        options:
-          delimiter: /
-      - select:
-          kind: ValidatingWebhookConfiguration
-        fieldPaths:
-          - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
-        options:
-          delimiter: /
+- source:
+    kind: Deployment
+    name: cert-manager-webhook
+    fieldPath: metadata.namespace
+  targets:
+  - select:
+      kind: MutatingWebhookConfiguration
+    fieldPaths:
+    - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
+    options:
+      delimiter: /
+  - select:
+      kind: ValidatingWebhookConfiguration
+    fieldPaths:
+    - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
+    options:
+      delimiter: /
diff --git a/kustomizations/digitalocean/README.md b/kustomizations/digitalocean/README.md
new file mode 100644
index 0000000..8ec37de
--- /dev/null
+++ b/kustomizations/digitalocean/README.md
@@ -0,0 +1,7 @@
+# Secrets
+
+DigitalOcean's CNI and CCM, as well as a few other separate Kustomizations,
+require a DigitalOcean token and a VPC id. This can be generated by running:
+
+```
+sh kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/digitalocean-config.enc.yaml
diff --git a/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh b/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh
new file mode 100755
index 0000000..7fb03dd
--- /dev/null
+++ b/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+if test -t 1; then
+  # This is not foolproof. Can easily be beat by doing |cat. This is just to
+  # make it less likely that secrets are output to terminal.
+  echo "Error: Not outputting secret to stdout; redirect output to a file or" \
+    "pipe output to \`sops\`." >/dev/stderr
+  exit 1
+fi
+
+printf_stderr() {
+  printf "$@" > /dev/stderr
+}
+
+printf_stderr "DigitalOcean VPC ID: "
+read DO_VPC_ID
+printf_stderr "DigitalOcean Token: "
+stty -echo
+read DO_TOKEN
+stty echo
+echo > /dev/stderr
+
+cat <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: digitalocean
+stringData:
+  vpc-id: ${DO_VPC_ID}
+  access-token: ${DO_TOKEN}
+EOF
diff --git a/kustomizations/forgejo/docs/README.md b/kustomizations/forgejo/docs/README.md
new file mode 100644
index 0000000..52882e3
--- /dev/null
+++ b/kustomizations/forgejo/docs/README.md
@@ -0,0 +1,24 @@
+# Secrets
+
+Forgejo requires three secret keys, each protecting a specific component. They
+are generated using the Forgejo container, to ensure they are in the correct
+format. These keys can be generated by running:
+
+```sh
+sh kustomizations/forgejo/scripts/generate-forgejo-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-config.enc.yaml
+```
+
+Forgejo supports SSH but requires host keys to be pregenerated:
+
+```sh
+sh kustomizations/forgejo/scripts/generate-forgejo-ssh-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-ssh-keys.enc.yaml
+```
+
+To get the database credentials, run:
+
+```sh
+sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
+```
+
+Check the Keycloak Kustomization documentation for information on generating
+a Client ID and Secret.
diff --git a/kustomizations/keycloak/docs/README.md b/kustomizations/keycloak/docs/README.md
index 3849ec8..fa836c7 100644
--- a/kustomizations/keycloak/docs/README.md
+++ b/kustomizations/keycloak/docs/README.md
@@ -9,6 +9,11 @@ To generate the admin password for Keycloak, run:
   > keycloak-config.enc.yaml
 ```
 
+To get the database credentials, run:
+
+```sh
+sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
+```
 
 # Adding Clients