I am trying to use HashiCorp Vault for secret management in kubernetes environment and want to fetch secrets directly from Vault without relying on Kubernetes Secrets.

So far, I have explored two approaches:

Vault Sidecar Injector: Fetches the secret and stores it in a plain text file. The application must manually load the secret into an environment variable.

Vault CSI Driver: Periodically updates the secret but also writes it to a file, rather than directly injecting it into an environment variable.

My goal is to:

Inject secrets as environment variables without storing them in plaintext files.

Ensure secrets are automatically updated when they change in Vault.

Is there a recommended approach or best practice to achieve this?