Best practice for using Vault Agent with Redis/RabbitMQ without storing secrets in configuration files

Hi,

I’m integrating Vault Community Edition (HA + TLS + Vault Agent) with our Jenkins/Puppet deployment.

Current flow:

Vault Agent
    ↓
Fetch secrets from Vault
    ↓
Render redis.conf / rabbitmq.conf
    ↓
Start service

This works well, but our security team wants Vault to be the only source of truth and avoid plaintext secrets in runtime configuration files.

My questions are:

  1. Is rendering configuration files using Vault Agent the recommended production approach for components like Redis and RabbitMQ?
  2. Is there any supported way to avoid storing plaintext secrets on disk for such components?
  3. If a service restarts, what is the recommended pattern to fetch secrets again while ensuring high availability?

Looking for HashiCorp-recommended best practices.