How to update a Secret from a vault

I am new to Kubernetes and have a question on secret management. Needing some best practice guidance here.

I deploy an application that references a password from the Kubernetes Secret file. The deployment of this application is via GitOps.

I can easily put the secret inside a Secret file as part of the application, but that’s not a good practice, as it’s version-controlled in a Git repository and I don’t want to store secret in a Git. The secret is to be in a vault, such as Azure Key Vault.

The question is, how do I pull the secret from Azure Key Vault as part of the deployment? Is it a good practice to store dummy secret in the Secret file, and then run a script after deployment to pull the password from the vault and update the Secret file in Kuberntes?