Use secret manager instead of mysql environment variables

We have configured Temporal in GKE with workload identity enabled, and we are using the Cloud SQL proxy with MySQL.

In order to connect to the database, Temporal needs the MySQL DB name, MYSQL_USERNAME, and MYSQL_PASSWORD. We don’t want to keep environment variables; we want to read the secret directly from the secret manager.

Is there any way to use a Temporal cluster without DB environment variables?

What is the best practice for using Temporal along with Google Secret Manager?

Are you deploying via Helm chart? If so, you should be able to set up your secrets and then reference them via existingSecret in config.