Handling MySQL secrets without direct Vault -> MySQL connectivity

I’d like to use Vault’s MySQL plugin for handling database secrets; however, allowing Vault to initiate TCP connections to MySQL servers is problematic.

Is there a pattern for running some sort of agent alongside the MySQL agent that handles password rotation with Vault?