try vault postgres secret engine

chart/templates/deployment.yaml

@@ -5,6 +5,7 @@ metadata:
   labels:
     {{- include "webapp.labels" . | nindent 4 }}
 spec:
+  revisionHistoryLimit: 3
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}

chart/templates/vaultauth.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
-  name: static-auth
+  name: auth
   namespace: {{ .Release.Namespace }}
 spec:
   method: kubernetes

chart/templates/vaultdynamicsecret.yaml

@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: vso-db
+  namespace: {{ .Release.Namespace }}
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/webapp
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: vso-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: {{ include "webapp.fullname" . }}
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: auth

chart/templates/vaultsecret.yaml

@@ -21,4 +21,4 @@ spec:
   refreshAfter: 30s
 
   # Name of the CRD to authenticate to Vault
-  vaultAuthRef: static-auth
+  vaultAuthRef: auth