How to use a Secret to store clientId & clientSecret for GitHub Authentication

Article ID: 297533

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Currently, the official document "Create an Application Accelerator Git repository during project creation" only shows how to set clientId and clientSecret in clear text, but some customers would prefer to store these credentials in a secret.
auth:
 environment: development
 providers:
   github:
     development:
       clientId: GITHUB-CLIENT-ID
       clientSecret: GITHUB-CLIENT-SECRET
So how can we use a secret to store clientId and clientSecret for GitHub authentication?

Resolution

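1 - Encode clientId and clientSecret in base64 by running the commands below. The -n flag stops echo from appending a newline, which would otherwise be encoded into the stored value:
echo -n '<CLIENT_ID>' | base64
echo -n '<CLIENT_SECRET>' | base64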
2 - Insert the base64 values of clientId and clientSecret into secret-template.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: github-secret-auth
  namespace: tap-gui
type: Opaque
data:
  clientId: <base64 encoded clientId>
  clientSecret: <base64 encoded clientSecret>
3 - Create the secret by running:
kubectl apply -f secret-template.yaml
4 - Prepare the overlay file (overlay.yaml, the file name used in step 5):
#@ load("@ytt:overlay", "overlay")

#! makes an assumption that tap-gui is deployed in the namespace: "tap-gui"

#! this overlay takes advantage of the following feature of node:
#! https://nodejs.org/docs/latest-v14.x/api/cli.html#cli_node_extra_ca_certs_file
#! you should take care to make sure that the edge cases described in that block
#! will not affect you

#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "server", "namespace": "tap-gui"}}), expects="1+"
---
spec:
  template:
    spec:
      containers:
        #@overlay/match by=overlay.subset({"name": "backstage"}),expects="1+"
        #@overlay/match-child-defaults missing_ok=True
        - volumeMounts:
            - name: tap-gui-secrets
              mountPath: /var/tap/github-auth
              readOnly: true
      volumes:
        - name: tap-gui-secrets
          secret:
            secretName: github-secret-auth
5 - Create the overlay secret by running:
kubectl create secret generic overlay-git-auth \
    --namespace tap-install \
    --from-file overlay.yaml
6 - Add the GitHub provider under the tap_gui property and the overlay under the package_overlays property in tap-values.yaml:
tap_gui:
  app_config:
    auth:
...
      providers:
        github:
          development:
            clientId:
              $file: /var/tap/github-auth/clientId
            clientSecret:
              $file: /var/tap/github-auth/clientSecret

......

package_overlays:
- name: tap-gui
  secrets:
  - name: overlay-git-auth
7 - Update the tap-values, with TAP_VERSION set to the installed TAP version:
tanzu package installed update tap -p tap.tanzu.vmware.com -v "$TAP_VERSION" --values-file tap-values.yaml -n tap-install
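
The following script is an added example, not part of the original article or of VMware's tooling. It renders the Secret from steps 1 and 2 without a stray newline and checks a manifest for values that decode with trailing whitespace. The function names and the sample credentials are assumptions made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Sample values are constructed.

# Base64-encode a value with no trailing newline; tr removes base64 line wrapping.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render the Secret from step 2. $1 = clientId, $2 = clientSecret.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: github-secret-auth
  namespace: tap-gui
type: Opaque
data:
  clientId: $(b64 "$1")
  clientSecret: $(b64 "$2")
EOF
}

# Read a manifest on stdin; return 1 if clientId or clientSecret decodes to an
# empty value or to one ending in whitespace (the result of a plain `echo`).
check_secret() {
  rc=0
  while read -r key val; do
    case "$key" in clientId:|clientSecret:) ;; *) continue ;; esac
    # $(...) strips trailing newlines, so append a sentinel and remove it after.
    decoded=$(printf '%s' "$val" | base64 -d 2>/dev/null; printf x)
    decoded=${decoded%x}
    case "$decoded" in
      "")           echo "FAIL ${key%:}: empty or undecodable value"; rc=1 ;;
      *[[:space:]]) echo "FAIL ${key%:}: trailing whitespace in decoded value"; rc=1 ;;
      *)            echo "OK   ${key%:}" ;;
    esac
  done
  return "$rc"
}

# Demo: the rendered manifest passes; a value encoded with plain `echo` fails.
render_secret 'constructed-client-id' 'constructed-client-secret' | check_secret
printf 'data:\n  clientId: %s\n' "$(echo constructed-client-id | base64)" | check_secret || true
```

Base64 is an encoding, not encryption, so secret-template.yaml is as sensitive as the raw credentials and should be handled accordingly.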