Hi everyone, hope you’re doing well!
I have a few questions about using Vault Secrets Operator (VSO).
For my use case it looks ideal, since it can fetch secrets at the exact moment they are rotated.
Currently I use ESO (External Secrets Operator) with GCP Secret Manager, and there we run it in a cluster-wide setup: we configure a single SecretStore, and in each application we simply reference that secretStoreRef regardless of the namespace.
From what I found in this comment, it seems that with VSO I would need to create a VaultAuth per namespace.
Is there really no way to have a cluster-wide configuration similar to what ESO provides?
I installed VSO using the Helm chart and my configuration looks roughly like this:
defaultVaultConnection:
  enabled: true
  address: "http://hashicorp-vault.hashicorp-vault.svc.cluster.local:8200"
  skipTLSVerify: true
defaultAuthMethod:
  enabled: true
  allowedNamespaces: ['*']
  method: gcp
  mount: gcp
  gcp:
    role: vault-secrets-operator
    workloadIdentityServiceAccount: vault-secrets-operator
However, when I create a Secret pointing to the VaultAuth, it fails to find it because it lives in another namespace.
Is there any workaround for this?
Thanks in advance for any guidance!
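A manifest illustrating the cross-namespace reference the question is about, added here as an example and not part of the original post. It assumes the Helm chart's default operator namespace `vault-secrets-operator-system`, that the chart's `defaultAuthMethod` created a VaultAuth named `default` there (the `allowedNamespaces: ['*']` setting above is what lets other namespaces use it), and uses constructed mount, path and namespace values.

```yaml
# Added example, not from the original post. Assumes VSO runs in the Helm
# chart's default namespace (vault-secrets-operator-system) and that the
# chart's defaultAuthMethod created a VaultAuth named "default" there.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: app-config            # constructed name
  namespace: team-a           # constructed application namespace
spec:
  # Namespaced reference form: <namespace>/<name>. If vaultAuthRef is left
  # unset, the operator falls back to the default VaultAuth in its own
  # namespace; a bare name is looked up in this resource's namespace only.
  vaultAuthRef: vault-secrets-operator-system/default
  mount: kvv2                 # constructed KV v2 mount name
  type: kv-v2
  path: app/config            # constructed secret path under the mount
  refreshAfter: 30s           # poll interval for picking up rotated values
  destination:
    name: app-config          # Kubernetes Secret written into team-a
    create: true
```

Whatever is referenced, the VaultAuth's allowedNamespaces must include the application namespace, and Vault's own role binding for the GCP auth method still has to permit the operator's identity.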