Does the Kubernetes vault-agent-injector support fetching secrets from multiple Vault instances?

Hi!

I have two Vault instances running, one is storing the KV2 secrets, while the other is connected to our Database and handles static/dynamic roles in it.

Is it possible to write a vault-init config that connects to both Vaults and fetches the KV2 secrets from one and different secrets from the other?

Or is the best I can do having a vault-agent-init config that fetches secrets from Vault instance “A” and the other with the sidecar (vault-agent) that fetches secrets from instance “B”?

Thanks!

I’m going to assume you’re talking to different clusters of Vault … if these are just two instances of the same cluster both functions are available already.

One more definition – Vault-init usually refers to initializing the cluster which you do once at the start of the cluster to create the database.

All that said – if you want to use kube-auth – you can set up multiple kube-auth from the same kube namespace to different clusters, it would require setting up and connecting multiple service accounts and the helm chart would need to be modified to accommodate the multiple connections.

If you’re talking to Vault directly then you just need to auth to both clusters and get their own token and talk to each as you need.

Hi!

Thanks for reaching out!

Yes, we have two different Vault clusters (let’s name them “A” and “B”).

We are running application in Kubernetes on GCP (GKE) and using Workload Identity to facilitate authentication to the Vault clusters. We have created gcp auth backends in both Vault instances and have created the gcp_auth_roles.

Essentially I was wondering if I can use the Kubernetes Injector (Agent Sidecar Injector Overview | Vault by HashiCorp) to inject secrets from two different Vault clusters.
Ideally I would only use the vault-agent-init with a ConfigMap configuration and not the sidecar that runs continuously.

No, I don’t believe you can set up an auth from the same init/sidecar to two different clusters. You need to set up two different auths and pods – possibly with two different service accounts (I think something about the auth is stored in the secrets of that account but don’t quote me on that).

Hi!

Thanks for reaching out! This was also what I was afraid of, nonetheless I will look into workarounds then. 🙂

@Tamas_Ne I also want to configure the same.
Are you able to find out any workaround for the same?

I tried with two different pods and service accounts in the same namespace, but vault agent is fetching secrets only from the first one (the one which was configured first).

Hi!

No, I have not found any decent way to achieve this.

BR,
Tamas

Since it sounds like you don’t need the vault-agent running alongside as a sidecar you might be able to make use of the vault secrets operator to do this.
It synchronizes vault secrets with k8s secrets which you can reference directly from your application as native kube secrets and does support connections to various vault clusters and different auth methods within the same application.

You could in theory do something like this:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  volumes:
  - name: dynamic-secret-volume
    secret:
      secretName: dynamic-secret
  - name: kv-secret-volume
    secret:
      secretName: kv-secret
  containers:
  - name: test-container
    image: <foo>
    volumeMounts:
    - name: dynamic-secret-volume
      readOnly: true
      mountPath: "/etc/dynamic-secret"
    - name: kv-secret-volume
      readOnly: true
      mountPath: "/etc/kv-secret"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-kv-secret
spec:
  vaultAuthRef: <your-kv-secrets-auth-ref>
  type: kv-v2
  mount: kvv2
  path: <somedata/data>
  # dest k8s secret
  destination:
    name: kv-secret
    create: true
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vault-dynamic-secret
spec:
  vaultAuthRef: <your-dynamic-secrets-auth-ref>
  mount: gcp
  path: roleset/foo
  # dest k8s secret
  destination:
    name: dynamic-secret
    create: true

… And then set up 1 VaultAuthMethod + VaultConnection for your connections to each vault cluster.
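As an added example (not from the thread), here are the per-cluster connection and auth objects that last step refers to, one VaultConnection + VaultAuth pair per Vault cluster, plus a VaultDynamicSecret bound to cluster “B”; the VaultStaticSecret shown above would point at the cluster “A” pair through vaultAuthRef in the same way. In VSO the auth-method resource kind is VaultAuth; the addresses, role names, mounts, namespace and the Workload Identity service account are placeholders, and the gcp block’s field names follow the VaultAuth CRD as I know it, so check them against your operator version.

```yaml
# Added example, not from the thread. One VaultConnection + VaultAuth pair per
# Vault cluster; each secret CR selects its pair through vaultAuthRef. Placeholders throughout.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata: {name: vault-a, namespace: app}   # cluster "A": KV v2 secrets
spec:
  address: https://vault-a.example.internal:8200
  caCertSecretRef: vault-a-ca   # Secret holding the CA bundle; pin it rather than skipTLSVerify
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata: {name: vault-a-gcp, namespace: app}
spec:
  vaultConnectionRef: vault-a
  method: gcp
  mount: gcp                     # the gcp auth backend already enabled in cluster A
  gcp:
    role: app-kv-reader          # least-privilege role: read-only on the KV path
    workloadIdentityServiceAccount: app-sa   # k8s SA annotated for Workload Identity
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata: {name: vault-b, namespace: app}   # cluster "B": database roles
spec:
  address: https://vault-b.example.internal:8200
  caCertSecretRef: vault-b-ca
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata: {name: vault-b-gcp, namespace: app}
spec:
  vaultConnectionRef: vault-b
  method: gcp
  mount: gcp
  gcp:
    role: app-db-creds           # separate role in B, scoped to the database creds path only
    workloadIdentityServiceAccount: app-sa
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata: {name: vault-dynamic-secret, namespace: app}
spec:
  vaultAuthRef: vault-b-gcp      # binds this CR to cluster B via the auth above
  mount: database
  path: creds/app-role
  destination: {name: dynamic-secret, create: true}
  rolloutRestartTargets:         # bounce the workload when the lease is rotated
  - {kind: Deployment, name: app}
```

Because each VaultAuth carries its own role, a compromise of the KV-reading identity does not yield database credentials and vice versa, which the single-agent approach could not separate.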