Securely provide password to postgres-backend (helm config)

I am currently running HashiCorp Vault on AWS EKS, deployed via the official Helm chart. Vault is configured to use AWS RDS (PostgreSQL) as the storage backend. The integration is working correctly and Vault is functioning as expected.

However, I have concerns:

Currently, the PostgreSQL connection details (especially the password) are defined in plain text within the Helm values file. This raises security concerns, and I would prefer to handle sensitive credentials in a more secure way. I tried a few methods using Kubernetes secrets, but they did not work with the Helm config file. Is there any suggested way around it?

I am using the settings below in my config:

            storage "postgresql" {
              connection_url="postgres://postgres:******@********.us-east-1.rds.amazonaws.com:5432/vaultdb"
              table="vault_kv_store",
              ha_enabled=true,
              ha_table="vault_ha_locks"
            }

I think you should be able to add your credentials to a Kubernetes secret, and reference those in the Helm chart.

Something like..

    spec:
      template:
        spec:
          containers:
            - name: app
              env:
                - name: DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: db-creds
                      key: password

There is also this Helm plugin, but I have never used it, so please perform due diligence on this plugin and ensure it complies with your company's security policies:

If you maintain multiple clusters, you can also reference secrets from Vault (e.g. you have a management cluster, and separate cluster(s) for different environments).
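One way to apply the Kubernetes-secret approach from the answer above with the official `hashicorp/vault` chart, as an added example that is not part of the original thread: the chart's `server.extraSecretEnvironmentVars` maps a Secret key to an environment variable, and Vault's PostgreSQL storage backend reads the connection URL from `VAULT_PG_CONNECTION_URL`. The Secret name `vault-pg`, its key `connection_url` and the `vault` namespace are assumptions, and the Vault version is assumed to support that environment variable.

```yaml
# values.yaml (added example; Secret name, key and namespace are assumptions)
#
# Create the Secret out of band so the URL never enters values.yaml,
# version control or the Helm release history, for example:
#   kubectl -n vault create secret generic vault-pg \
#     --from-literal=connection_url='postgres://USER:PASSWORD@HOST:5432/vaultdb'
#
# Before (password in plain text inside the Helm values):
#   storage "postgresql" {
#     connection_url = "postgres://postgres:******@...:5432/vaultdb"
#     ...
#   }

server:
  # The chart renders each entry as an env var with valueFrom.secretKeyRef
  # on the Vault container.
  extraSecretEnvironmentVars:
    - envName: VAULT_PG_CONNECTION_URL   # read by the postgresql storage backend
      secretName: vault-pg               # assumed Secret name
      secretKey: connection_url          # assumed key holding the full URL

  ha:
    enabled: true
    config: |
      # listener and other stanzas stay as they are in the existing config

      # After: no connection_url here; it is taken from the environment.
      storage "postgresql" {
        table      = "vault_kv_store"
        ha_enabled = "true"
        ha_table   = "vault_ha_locks"
      }
```

The URL remains readable by anyone who can read the Secret or exec into the Vault pod, so restrict RBAC on the Secret and enable encryption at rest for Kubernetes Secrets on the cluster.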