The existingSecret means of providing a database password is implemented to inject the password as an environment variable using valueFrom / secretKeyRef.
However, the CIS Benchmark generally recommends not passing secrets as env vars: "Prefer using secrets as files over secrets as environment variables."
Can providing a secret as a file be supported as an option? Should I create a feature request? If so, where?
Furthermore, the Kubernetes Secrets Store CSI Driver will mount secrets from external sources as volumes without even creating a Secret. This is judged to be even more secure; the fewer Secrets in Kubernetes, the better.
In either case, Temporal would be consuming the password from a file instead of from env vars.
Follow-on to How to provide DB credentials to temporal in production? - #3 by joebowbeer
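The two injection styles contrasted in the post, as an added example that is not part of the original post or of Temporal's Helm chart: the env-var form the chart currently uses, the same Secret mounted as a read-only file, and the CSI-driver variant that needs no Kubernetes Secret object. The Secret name, key, mount path, env-var name and SecretProviderClass name are assumptions, and the file form presupposes that the server can be told to read the password from that path, which is exactly the option being requested.

```yaml
# Before (assumed pod spec): password injected as an environment variable.
# The value lands in the process environment, where it is inherited by every
# child process and can be read from /proc/<pid>/environ inside the container.
apiVersion: v1
kind: Pod
metadata:
  name: temporal-server-env            # constructed name
spec:
  containers:
  - name: temporal
    image: TEMPORAL_IMAGE_PLACEHOLDER   # placeholder, not a real image tag
    env:
    - name: DB_PASSWORD                 # assumed variable name
      valueFrom:
        secretKeyRef:
          name: temporal-db-credentials # assumed Secret name
          key: password
---
# After: the same Secret mounted as a read-only file. The process reads
# /etc/temporal/secrets/password; nothing is placed in the environment.
apiVersion: v1
kind: Pod
metadata:
  name: temporal-server-file           # constructed name
spec:
  containers:
  - name: temporal
    image: TEMPORAL_IMAGE_PLACEHOLDER
    volumeMounts:
    - name: db-credentials
      mountPath: /etc/temporal/secrets
      readOnly: true
  volumes:
  - name: db-credentials
    secret:
      secretName: temporal-db-credentials
      items:
      - key: password
        path: password                 # only this key is exposed, as one file
      defaultMode: 0400                # owner read-only; pair with runAsUser

# Secrets Store CSI Driver variant: replace the volumes block above with this.
# The file is served straight from the external store named by the
# SecretProviderClass, so no Kubernetes Secret object exists to be read or listed.
#  volumes:
#  - name: db-credentials
#    csi:
#      driver: secrets-store.csi.k8s.io
#      readOnly: true
#      volumeAttributes:
#        secretProviderClass: temporal-db   # assumed SecretProviderClass name
```

Either mounted form keeps the value out of the process environment, so it is not inherited by child processes or captured when a crash handler or debug endpoint dumps the environment; the mounted file is still readable by anything running as the container's user, so the defaultMode and runAsUser pairing matters.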