Super user password explicit in patroni yml

As part of the security standardization we are working on postgres super user DB password rotation POC.

In that POC we have successfully rotated the password with the help of password management tool.

We have noticed  in patroni yml file for authentication we are explicitly using super user name and credentials same for replicator user as well.

Is there any option we can pass this password instead of direct mentioning or using .pgpass file.

Our intention here is we should not expose superuser password anywhere at server level.

If we change the super user password at DB level should we update the same in patroni yml every time ? If we not update that password in patroni yml file is that impact anything of replication , API calls , primary and replica connectivity?

And also pls share the best way to rotate the DB user password in postgres.

 

Your valuable suggestion is highly appreciated.

Regards,

SK.