Hi everyone. I've been trying to set up a few persistent agents that need to talk to different databases (Postgres and Redis mainly). I'm a bit stuck on the "right" way to give them the passwords.
I've read the docs on secret injection, and I see there are a few options: environment variables, mounting a secrets file from the host, or using something like Vault. But I'm not sure which is best for an agent that's going to be running for a long time.
My main worry is that if I use environment variables, won't the password be visible in the process list or in the agent's own environment dump? That seems unsafe. But mounting a file feels a bit more complicated to manage, especially when I need to update the secret.
Could someone explain the practical pros and cons for a persistent agent scenario? Like, which pattern do you actually use in production for something like a database connection? I want to make sure I'm not starting with a bad habit.
Sorry if this is a basic question 😅 I'm still learning all this infrastructure stuff.