We are storing our secrets in a Vault cluster which is not in the Kubernetes cluster but on VMs. In the deployments there is an annotated init container, and the Vault configuration is added to a ConfigMap which is consumed by the deployment. Now we have a Vault cluster set up and we are looking for an option for the Vault init container to get the Vault leader node from the Vault cluster and get secrets from it. I saw some options for when Vault is deployed in K8s, but not for an external setup like ours. Any help will be appreciated!
We do not find any best practice to always hit the LEADER node in the Vault cluster.
Vault v1.10.4
This is an example of the ConfigMap which we are using:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-cm-test-123
  namespace: mynamespace
data:
  config-init.hcl: |
    auto_auth = {
      method = {
        config = {
          role = "auth-role"
        }
        type = "kubernetes"
        mount_path = "auth/secrets123"
      }
      sink = {
        config = {
          path = "/home/vault/.token"
        }
        type = "file"
      }
    }
    exit_after_auth = true
    pid_file = "/home/vault/.pid"
    template = {
      contents = <<EOH
    {{- with secret "test/test123" -}}
    {{- \datasource.abc.username\}}: {{ .Data.data.postgres_username }}{{ printf "\n" }}
    {{- end }}
    EOH
      destination = "/vault/secrets/test123.yaml"
    }
    vault = {
      address = "https://1.1.1.1:8200"
      tls_skip_verify = "true"
    }
```
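Vault advertises the active node of an HA cluster through the unauthenticated `GET /v1/sys/leader` endpoint on every member. The following added example (not part of the original post) probes each node for that answer, verifying TLS against a CA bundle instead of skipping verification; the node addresses and the `fetch` hook are constructed assumptions, and the values returned by `sys/leader` follow Vault's documented response fields.

```python
"""Discover the active (leader) node of an external Vault HA cluster by
querying GET /v1/sys/leader on each member until one answers."""
import json
import ssl
import urllib.request

# Constructed sample addresses; replace with the real cluster members.
CLUSTER_NODES = ["https://vault-1.internal:8200", "https://vault-2.internal:8200"]


def http_get_json(url, cafile=None, timeout=3):
    """Fetch JSON over HTTPS, verifying the server certificate against
    cafile (or the system trust store) rather than disabling TLS checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def parse_leader_reply(node, reply):
    """Return the leader API address advertised in one node's sys/leader
    reply, or None if the node is not in HA mode or has no leader yet."""
    if not reply.get("ha_enabled", False):
        return None
    if reply.get("is_self"):
        # The node we asked is the active one; report the address we used.
        return node
    return reply.get("leader_address") or None


def find_leader(nodes, fetch=http_get_json):
    """Ask each node in turn; the first reachable member that knows the
    leader wins, because standbys advertise the active node's address."""
    errors = {}
    for node in nodes:
        try:
            reply = fetch(f"{node}/v1/sys/leader")
        except Exception as exc:  # unreachable or sealed node: try the next
            errors[node] = str(exc)
            continue
        leader = parse_leader_reply(node, reply)
        if leader:
            return leader
    raise RuntimeError(f"no leader found; probe errors: {errors}")


if __name__ == "__main__":
    print(find_leader(CLUSTER_NODES))
```

The returned address can then be written into the agent's `vault { address = ... }` stanza before the init container starts; note that a standby also forwards requests to the active node, so pointing at any healthy member works once TLS is verified.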