Does the Kubernetes vault-agent-injector support fetching secrets from multiple Vault instances?

Hi!

I have two Vault instances running, one is storing the KV2 secrets, while the other is connected to our Database and handles static/dynamic roles in it.

Is it possible to write a vault-init config that connects to both Vaults and fetches the KV2 secrets from one and different secrets from the other?

Or is the best I can do to have a vault-agent-init config that fetches secrets from Vault instance “A” and a sidecar (vault-agent) that fetches secrets from instance “B”?

Thanks!

I’m going to assume you’re talking to different clusters of Vault … if these are just two instances of the same cluster both functions are available already.

One more definition – Vault-init usually refers to initializing the cluster which you do once at the start of the cluster to create the database.

All that said – if you want to use kube-auth – you can set up multiple kube-auth methods from the same kube namespace to different clusters; it would require setting up and connecting multiple service accounts, and the helm chart would need to be modified to accommodate the multiple connections.

If you’re talking to Vault directly then you just need to auth to both clusters and get their own token and talk to each as you need.

Hi!

Thanks for reaching out!

Yes, we have two different Vault clusters (let’s name them “A” and “B”).

We are running applications in Kubernetes on GCP (GKE) and using Workload Identity to facilitate authentication to the Vault clusters. We have created gcp auth backends in both Vault instances and have created the gcp_auth_roles.

Essentially I was wondering if I can use the Kubernetes Injector (Agent Sidecar Injector Overview | Vault by HashiCorp) to inject secrets from two different Vault clusters.
Ideally I would only use the vault-agent-init with a ConfigMap configuration and not the sidecar that runs continuously.

No, I don’t believe you can set up an auth from the same init/sidecar to two different clusters. You need to set up two different auths and pods – possibly with two different service accounts (I think something about the auth is stored in the secrets of that account, but don’t quote me on that).
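To make the "one Vault address per pod" constraint concrete, here is an added example (not from the thread or from HashiCorp) of two injector-annotated pods, one per cluster, both init-only as asked for in the question; the Vault addresses, role names, secret paths, service accounts and image are assumed placeholders.

```yaml
# Pod 1: KV v2 secret from cluster "A" (assumed address vault-a.example.internal)
apiVersion: v1
kind: Pod
metadata:
  name: app-kv
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    # init container only, no long-running sidecar
    vault.hashicorp.com/agent-pre-populate-only: "true"
    # the injector accepts a single Vault address per pod, hence one pod per cluster
    vault.hashicorp.com/service: "https://vault-a.example.internal:8200"
    vault.hashicorp.com/auth-type: "gcp"
    vault.hashicorp.com/auth-path: "auth/gcp"
    vault.hashicorp.com/auth-config-type: "gce"      # assumed gcp auth sub-type
    vault.hashicorp.com/role: "app-role-a"           # assumed gcp_auth_role name
    vault.hashicorp.com/agent-inject-secret-app.env: "kv/data/app"
    vault.hashicorp.com/agent-inject-template-app.env: |
      {{- with secret "kv/data/app" -}}
      API_KEY={{ .Data.data.api_key }}
      {{- end }}
spec:
  serviceAccountName: app-a   # Workload Identity-bound SA for cluster "A"
  containers:
    - name: app
      image: example/app:1.0
---
# Pod 2: database credentials from cluster "B" (assumed address vault-b.example.internal)
apiVersion: v1
kind: Pod
metadata:
  name: app-db
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-pre-populate-only: "true"
    vault.hashicorp.com/service: "https://vault-b.example.internal:8200"
    vault.hashicorp.com/auth-type: "gcp"
    vault.hashicorp.com/auth-path: "auth/gcp"
    vault.hashicorp.com/auth-config-type: "gce"
    vault.hashicorp.com/role: "app-role-b"
    vault.hashicorp.com/agent-inject-secret-db.env: "database/creds/app-role"
    vault.hashicorp.com/agent-inject-template-db.env: |
      {{- with secret "database/creds/app-role" -}}
      DB_USER={{ .Data.username }}
      DB_PASSWORD={{ .Data.password }}
      {{- end }}
spec:
  serviceAccountName: app-b   # separate SA, as the reply above suggests
  containers:
    - name: app
      image: example/app:1.0
```

Each pod's init container authenticates only against the cluster named in its own `vault.hashicorp.com/service` annotation and writes the rendered file under `/vault/secrets/`.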

Hi!

Thanks for reaching out! This was also what I was afraid of; nonetheless, I will look into workarounds then. 🙂