Using TLS-enabled Vault, I need to pass on the certificate authority to use to the agent injector so that the init-container / sidecar knows how to validate the Vault TLS certificate at runtime.
I can successfully do this by annotating the pods with
vault.hashicorp.com/ca-cert, but this proves painful in the long run.
Since the CA cert file is always set to the same path in pods (using Kube own PKI here), is there a way to define this globally?
Am using the helm chart, but could not find any obvious way to do this.
The flags defined in vault-k8s/flags.go at main · hashicorp/vault-k8s · GitHub hints that there is no such capability.
Has anyone any idea if this is possible, or if I should raise an issue for improvement against the codebase?
Thanks in advance