Best practices for consuming Vault secrets from a Kubernetes app

I’m developing a small daemon application -it will run in Kubernetes- and I want it to be able to get all the secrets it needs to run from a Vault server (which will be running in another namespace), instead of mounting secrets in the filesystem or using env variables.

My idea is that the application would use a dedicated Kubernetes service account for accessing Vault, with the Kubernetes authentication method enabled.

The way my application gets the JWT for the service account would be reading from /var/… in the container (A token is generated by Kubernetes automatically for the service account running the pod and put in a well known location).

My question is: is this a good enough approach? Is there a better way from a security point of view? Should I make the daemon read a file from the container filesystem and then inject the secrets via vault agent instead to a file?

Thanks in advance for the feedback.