Due to the setup we have, I cannot install Vault in a cluster; it has to be in the same namespace as the other containers of the application I am trying to install.
To do so I amended the supplied Helm chart's ClusterRoles and ClusterRoleBindings to Roles and RoleBindings.
On trying to install the Helm chart, it is failing for injector-role.yaml with: roles.rbac.authorization.k8s.io "vault-agent-injector-role" is forbidden: user (groups=[""]) is attempting to grant RBAC permissions not currently held: {APIGroups:["admissionregistration.k8s.io"], Resources:["mutatingwebhookconfigurations"], Verbs:["get" "list" "watch" "patch"]}
I have renamed the original injector-role to injector-leader-role.yaml.
I have added the namespace to both the role and rolebinding yaml files under metadata:
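The "attempting to grant RBAC permissions not currently held" error is the API server's escalation-prevention check: when a user creates a Role, every rule in it must already be covered by rules that user holds (or the user needs the `escalate` verb). The following is an added, simplified re-implementation of that coverage check (not Kubernetes' own code and not part of the Vault chart) run over constructed sample rules: a namespace-scoped set of permissions assumed to be held by the installer, and the injector rule quoted in the error above. Subresources and resourceNames are left out for brevity. Note also that MutatingWebhookConfiguration is a cluster-scoped resource, so even if the installer held that permission, a namespaced Role cannot meaningfully grant it; the injector's webhook permission genuinely needs a ClusterRole, or the webhook has to be created out of band.

```python
"""Simplified model of the Kubernetes RBAC escalation check applied when a
user creates a Role. Illustrative re-implementation, not Kubernetes code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    """One rule from a Role/ClusterRole; '*' is the wildcard."""
    api_groups: tuple
    resources: tuple
    verbs: tuple


def _covers_item(held: tuple, wanted: str) -> bool:
    return "*" in held or wanted in held


def rule_covered(held_rules, wanted: PolicyRule) -> bool:
    """True if every (group, resource, verb) triple of `wanted` is covered
    by at least one of `held_rules`. Like the API server, the check is made
    per triple, so several held rules may together cover one wanted rule."""
    for group in wanted.api_groups:
        for resource in wanted.resources:
            for verb in wanted.verbs:
                if not any(
                    _covers_item(r.api_groups, group)
                    and _covers_item(r.resources, resource)
                    and _covers_item(r.verbs, verb)
                    for r in held_rules
                ):
                    return False
    return True


def uncovered_rules(held_rules, new_role_rules):
    """Rules of a Role being created that the creator does not hold."""
    return [r for r in new_role_rules if not rule_covered(held_rules, r)]


def format_forbidden(role_name: str, rule: PolicyRule) -> str:
    """Render a rule in the style of the API server's forbidden message."""
    return (
        f'roles.rbac.authorization.k8s.io "{role_name}" is forbidden: '
        "user is attempting to grant RBAC permissions not currently held: "
        f"{{APIGroups:{list(rule.api_groups)}, Resources:{list(rule.resources)}, "
        f"Verbs:{list(rule.verbs)}}}"
    )


# Constructed sample: what a namespace-scoped installer account might hold.
# Full rights on core and apps resources inside its namespace, nothing cluster-wide.
HELD_BY_INSTALLER = [
    PolicyRule(api_groups=("",), resources=("*",), verbs=("*",)),
    PolicyRule(api_groups=("apps",), resources=("*",), verbs=("*",)),
]

# Constructed sample: rules of the converted injector Role. The second rule is
# the one quoted in the error; the first is a typical namespaced rule.
INJECTOR_ROLE_RULES = [
    PolicyRule(api_groups=("",), resources=("secrets",), verbs=("get", "list", "watch")),
    PolicyRule(
        api_groups=("admissionregistration.k8s.io",),
        resources=("mutatingwebhookconfigurations",),
        verbs=("get", "list", "watch", "patch"),
    ),
]


def check_injector_role(role_name="vault-agent-injector-role"):
    """Return the forbidden messages the installer would get for this Role."""
    return [
        format_forbidden(role_name, r)
        for r in uncovered_rules(HELD_BY_INSTALLER, INJECTOR_ROLE_RULES)
    ]


if __name__ == "__main__":
    for msg in check_injector_role():
        print(msg)
```

Running the block prints a single forbidden message for the mutatingwebhookconfigurations rule, matching the chart failure described above, while the namespaced secrets rule passes. The same check can be applied to every Role rendered by `helm template` before `helm install`, to see which rules must either be dropped from the converted Roles or stay in a ClusterRole created by a cluster administrator.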
Just my 2 cents here, but this is not a good idea. If you put Vault in a general namespace you’re basically giving access to your database to everyone who has access.
Best practice says you should install Vault in its own cluster for security, and most people at least divide it out by namespace – putting it in a general area is just asking for trouble.
Last point is that if you set up the injector and authenticate it, then everyone has access to the actual cleartext secrets. At this point you’re running Vault as open storage; you’d be better off just storing the secrets in a text file.