I run the official vaultwarden/server:latest-alpine container, albeit quite customized. On top of the container I have my ENV variables, such as:
---
# The following ENVs manage the app; yeah, it's a lot in a Dockerfile, but I'd rather have them here
# than manage yet another file (.env)
ENV I_REALLY_WANT_VOLATILE_STORAGE=${volatile_storage}
ENV DATA_FOLDER=/data
ENV DATABASE_URL=*****
ENV ENABLE_WEBSOCKET=true
ENV PUSH_ENABLED=true
ENV PUSH_INSTALLATION_ID=****
ENV PUSH_INSTALLATION_KEY=****
---
For obvious reasons, having sensitive info in a Dockerfile ENV variable, or in an .env file, is suboptimal.
As I run a HashiCorp Vault container on the same network, I thought of pushing all of the Dockerfile secrets into HCP Vault, having a Vault client installed in my customized VW image, and, from the image, injecting all of what used to be ENV variables from HashiCorp Vault using that client.
When and where should I do that? Is that even allowed?
If that helps, currently the Dockerfile ENTRYPOINT is:
ENTRYPOINT ["/start.sh"]
which basically amounts to exec /vaultwarden "${@}"
And NO, doing a "docker run" with multiple -e params is not an option for me; before anyone suggests it, the whole idea here is to make the container... well, self-contained.
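One way to do what the post describes, as an added example that is not part of the original post or of the Vaultwarden project: a replacement /start.sh that pulls the secrets from Vault at container start, exports them, and only then exec's /vaultwarden. It assumes the vault CLI is installed in the image, that VAULT_ADDR and VAULT_TOKEN are already present in the environment when the container starts, and that the secrets live in a KV secret at secret/vaultwarden under keys named exactly like the former ENV variables. The path, the key list and the vw_* function names are assumptions made for this example, not anything taken from the post.

```shell
#!/bin/sh
# Added example entrypoint (not the Vaultwarden project's own start.sh).
# Assumptions: `vault` CLI in the image; VAULT_ADDR and VAULT_TOKEN set at
# runtime; secrets stored at $VAULT_KV_PATH with keys named like the ENVs.
set -eu

VAULT_KV_PATH="${VAULT_KV_PATH:-secret/vaultwarden}"   # assumed path

# Keys that used to be hard-coded ENVs in the Dockerfile (assumed list).
VW_SECRET_KEYS="DATABASE_URL PUSH_INSTALLATION_ID PUSH_INSTALLATION_KEY"

# Reads one field of the KV secret. `vault kv get -field=<key> <path>`
# prints just the raw value, so no JSON parsing is needed here.
vw_fetch_secret() {
  key="$1"
  vault kv get -field="$key" "$VAULT_KV_PATH"
}

# Fetches every key and exports it. Refuses to start the app if any
# lookup fails or returns an empty value, rather than running half-configured.
vw_load_secrets() {
  for key in $VW_SECRET_KEYS; do
    if ! value="$(vw_fetch_secret "$key")"; then
      echo "vault lookup failed for $key at $VAULT_KV_PATH" >&2
      return 1
    fi
    if [ -z "$value" ]; then
      echo "secret $key is empty at $VAULT_KV_PATH" >&2
      return 1
    fi
    export "$key=$value"
  done
}

# Only run the real entrypoint logic when invoked as start.sh, so the
# functions above can also be sourced and exercised on their own.
if [ "${0##*/}" = "start.sh" ]; then
  vw_load_secrets
  # The app never needs the Vault token: drop it so /vaultwarden and its
  # /proc/<pid>/environ do not carry it.
  unset VAULT_TOKEN
  exec /vaultwarden "$@"
fi
```

Two caveats worth keeping in mind with this pattern: the token (or AppRole credentials, or a Vault Agent sidecar) still has to reach the container at runtime, so the image itself stays free of secrets but the bootstrap credential does not disappear; and once exported, the values are visible in the process environment of /vaultwarden to anyone who can read /proc inside the container, which is the same exposure as -e flags, just without the secrets ever being baked into the image or a compose file.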