Managing secrets of services in Kubernetes from External Vault

I have an external Vault deployed on VM. I am able to manage secrets of services that are accessible by Vault. I have also gone through this.

The section talks about integrating an injector pod that talks to vault and injects secrets. But, what do we do when we need to manage say the rabbitmq creds while rabbitmq is running in Kubernetes? I can obviously expose RabbitMQ over an LB or NodePort and then let vault manage the secrets, but I would like to avoid exposing it if there is a way.

I know, this is not specifically an issue with Vault, but is there a tool/technology that allows me to enable communication to the RabbitMQ running in K8S without actually exposing it globally over the network?

Can Consul solve this problem in any capacity? Or do I have to run Vault in K8S?

There are many solutions to allowing access to internal Kubernetes APIs from outside, such as using a service mesh that you can add the VM into.