Getting Vault secret_id for approle in Kubernetes

Hello.

I want to use Vault AppRole in Kubernetes (Go applications, deployed via Helm). As I understand it, for the role_id I need to:

  1. create a role in Vault (and a policy for it)
  2. get the role_id and write it to a GitLab CI variable (the app gets it from this env during deployment)

But how do I get the secret_id in Kubernetes correctly? Theoretically I need to:

  1. ask Vault for the secret_id during the deployment => I get a wrapped token as the response
  2. decrypt it (via vault unwrap) => now I have the secret_id
  3. use the role_id (from the GitLab variable) and the secret_id => now I have a Vault token (I’ll read Vault secrets with it later)

But how to do it correctly and safely in practice? Please share your experience.

I will explain my question.

I need to get the secret_id using the Vault Agent injector, then take the role_id from the variables and use both to get a token, and keep it in memory (so that the cluster administrator cannot view it).

Are there any practical examples of a similar integration of AppRole with the Vault injector in Kubernetes?
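The three steps above, as an added example that is not part of the original post: a Python standard-library version of the HTTP exchange, with a constructed fake Vault so it runs offline. The paths, headers and JSON field names are Vault's own; the token values (s.ci-issuer, wrap.good, wrap.attacker, demo-role-id, hvs.fake-client-token), the role name myapp and the fake server are assumptions made for the demonstration. The deploy-side call is what `vault write -wrap-ttl=120s -f auth/approle/role/myapp/secret-id` does; the application side adds the check Vault's response-wrapping documentation recommends before `vault unwrap`: look up the wrapping token's creation_path and refuse anything that the secret-id endpoint did not create.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def call(addr, path, body=None, headers=None):
    """POST a JSON body to <addr>/v1/<path> and return Vault's decoded reply.

    Raises RuntimeError carrying Vault's "errors" list on any HTTP error."""
    hdr = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(f"{addr}/v1/{path}", data=json.dumps(body or {}).encode(),
                                 headers=hdr, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        try:
            errs = json.load(e).get("errors")
        except ValueError:
            errs = None
        raise RuntimeError(f"{path}: HTTP {e.code} {errs}") from None


def wrapped_secret_id(addr, issuer_token, role, wrap_ttl="120s"):
    """Deploy side (CI job or init container, using a token whose policy allows
    only this path): mint a secret_id but have Vault wrap the response, so the
    caller holds a single-use wrapping token and never sees the secret_id."""
    r = call(addr, f"auth/approle/role/{role}/secret-id",
             headers={"X-Vault-Token": issuer_token, "X-Vault-Wrap-TTL": wrap_ttl})
    if "wrap_info" not in r:
        raise RuntimeError("response was not wrapped")
    return r["wrap_info"]["token"]


def login_with_wrapped_secret_id(addr, wrapping_token, role_id, role):
    """Application side: confirm via sys/wrapping/lookup (which does not consume
    the token) that the expected secret-id endpoint created the wrapping token,
    unwrap it, and log in. A token with any other creation_path (e.g. one an
    attacker minted via sys/wrapping/wrap) is refused; a failed unwrap means
    someone already used it, which is an alert, not a retry."""
    want = f"auth/approle/role/{role}/secret-id"
    got = call(addr, "sys/wrapping/lookup", {"token": wrapping_token})["data"].get("creation_path")
    if got != want:
        raise RuntimeError(f"creation_path {got!r}, want {want!r}: refusing to unwrap")
    secret_id = call(addr, "sys/wrapping/unwrap", headers={"X-Vault-Token": wrapping_token})["data"]["secret_id"]
    auth = call(addr, "auth/approle/login", {"role_id": role_id, "secret_id": secret_id})["auth"]
    return auth["client_token"]  # keep in process memory only; never write it to disk or logs


class FakeVault(BaseHTTPRequestHandler):
    """Constructed stand-in for the four endpoints used above (not real Vault).
    "wrap.attacker" models a wrapping token made through sys/wrapping/wrap."""
    created = {"wrap.good": "auth/approle/role/myapp/secret-id", "wrap.attacker": "sys/wrapping/wrap"}
    used = set()

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        tok = self.headers.get("X-Vault-Token")
        code, out = 403, {"errors": ["permission denied"]}
        invalid = 400, {"errors": ["wrapping token is not valid or does not exist"]}
        if self.path == "/v1/auth/approle/role/myapp/secret-id":
            if tok == "s.ci-issuer" and self.headers.get("X-Vault-Wrap-TTL"):
                code, out = 200, {"wrap_info": {"token": "wrap.good", "ttl": 120}}
        elif self.path == "/v1/sys/wrapping/lookup":
            code, out = invalid
            if body.get("token") in self.created:
                code, out = 200, {"data": {"creation_path": self.created[body["token"]]}}
        elif self.path == "/v1/sys/wrapping/unwrap":  # single use: a second unwrap fails
            code, out = invalid
            if tok in self.created and tok not in self.used:
                self.used.add(tok)
                code, out = 200, {"data": {"secret_id": f"sid-from-{tok}"}}
        elif self.path == "/v1/auth/approle/login":
            if body.get("role_id") == "demo-role-id" and body.get("secret_id") == "sid-from-wrap.good":
                code, out = 200, {"auth": {"client_token": "hvs.fake-client-token"}}
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(out).encode())


def start_fake_vault():
    """Start FakeVault on a random local port; returns (server, address)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, addr = start_fake_vault()
    wt = wrapped_secret_id(addr, "s.ci-issuer", "myapp")
    print("client token:", login_with_wrapped_secret_id(addr, wt, "demo-role-id", "myapp"))
    try:
        login_with_wrapped_secret_id(addr, "wrap.attacker", "demo-role-id", "myapp")
    except RuntimeError as e:
        print("rejected:", e)
    srv.shutdown()
```

The secret_id exists in plaintext only inside the application process, between unwrap and login; the deploy side only ever holds the wrapping token, and the issuer token it uses should be scoped to the single secret-id path. Because a wrapping token is single use, a failed unwrap is evidence that something else consumed it and should page someone rather than be retried. Vault Agent's approle auto-auth method performs the same creation_path check and unwrap itself when its `secret_id_response_wrapping_path` option is set.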

Hey @aasgeier, were you ever able to figure this out? From all the documentation I’ve read it seems that the examples only show how to have the init container inject secrets directly into the application container by authenticating with AppRole, but there’s no clear way to have that same init container get a wrapped secret_id for the application container to then authenticate itself.

Any thoughts or help?

There seems to be a large disconnect between the docs and the examples?