VaultAgent TLS auth for on-premise deployment


I’m fairly newbie to vault and gathering information about Vault Agent for our on-premise deployment, particularly interested in Auto-Auth Cert method.

On googling, some of the security concerns were related to exposing private key of the client certificate. Wouldn’t specifying this information in the Vault Agent configurational a risk ? If so, please let me know what is the best practice to follow if we wish to do TLS authentication via Vault Agent for on-premises deployment.

Appreciate the help !!