The pods would have to either read directly from Vault, or a k8s controller which has vault access. In big brain fashion, one could also hard fail on a db auth failure so new pods - with the new secrets - can be spun up.