Using env vars in internal_users.yaml

To make it easier to maintain/change passwords for the internally defined users, I’d like to use Kubernetes secrets and surface them to my Elasticsearch pods via env variables. To avoid having to update the internal_users.yaml file each time they change, I’d like to refer to the env vars in that file…and have them pick up the latest values for those env vars. Is that possible? I know we will still have to run the security admin script after a change but I’d like to avoid editing the file.

I see that this is possible with the Search Guard (based on their doc). And I know they contributed to the ODFE Security plug-in, so I’m wondering if that feature made it into the plug-in. If so, can we also have the correct hash generated by referring to it using the syntax shown on that page (i.e. ${envbc.<variable name>})? That would make things much easier.

Thanks for any clarification on whether this is possible or better alternatives.