Hi,
I’m integrating Vault Community Edition (HA + TLS + Vault Agent) with our Jenkins/Puppet deployment.
Current flow:
Vault Agent
↓
Fetch secrets from Vault
↓
Render redis.conf / rabbitmq.conf
↓
Start service
This works well, but our security team wants Vault to be the only source of truth and avoid plaintext secrets in runtime configuration files.
My questions are:
- Is rendering configuration files using Vault Agent the recommended production approach for components like Redis and RabbitMQ?
- Is there any supported way to avoid storing plaintext secrets on disk for such components?
- If a service restarts, what is the recommended pattern to fetch secrets again while ensuring high availability?
Looking for HashiCorp-recommended best practices.