Vault configuration best practice

Hi Friends,
I am about using libvault to read DATABASE_URL and other secrets.
I m going to use Vault.Auth.Kubernetes
I am not sure I am following mix release guide and ConfigProvider
Should I define a module VaultConfigProvider with codes like

def init(vault_config) when is_list(vault_config) do
    vault_config
  end

  def load(config, vault_config) do
    # We need to start any app we may depend on.
    {:ok, _} = Application.ensure_all_started(:jason)

    {:ok, vault} =
      Vault.new(
        engine: Vault.Engine.KVV2,
        auth: Vault.Auth.Kubernetes,
        http: Vault.HTTP.Tesla,
        host: host
      )
      |> Vault.auth(%{role: role, jwt: jwt})

{:ok,
 %{
   "SECRET_KEY_BASE" => "..",
   "DATABASE_URL" => "ecto://dbhost:5432/.."
 } = json} = Vault.read(vault, "myapp/env")

Config.Reader.merge(
      config,
      my_app: [
        some_value: json["DATABASE_URL"],
        another_value: json["DATABASE_URL"],
      ]
    )

and then remove all lines that get system env from releases.exs?
Is there the easiest way to get the vault secrets?

Where is the best place to define vault_config_provider.ex?