HashiCorp Vault in Kubernetes Java application deployment - security


I have a question regarding HashiCorp Vault. I recently installed HashiCorp Vault in Kubernetes and integrated it into a Kubernetes deployment. The secrets appear in the /vault/secrets/ directory. I'm unsure if this is the intended behavior or if I am doing something wrong. If someone gains access to the pod, they can easily read the file with secrets. This raises the question of why HashiCorp Vault is needed if I'm simply importing a file with secrets into the pod, which can be read.

Could you please advise if I am doing something wrong or if there are any best practices for security to ensure that secrets are not visible and cannot be read by my Java application?

I've read that it's possible to implement secrets from HashiCorp Vault as environment variables in a Kubernetes deployment, but I'm wondering if this is secure.

Alternatively, should I perform integration with HashiCorp Vault directly in my Java application and input the secrets directly into the application?

I would appreciate your advice and any useful references. If you could also provide examples that you use in production, I would be grateful.


There are 0 answers