Getting Vault secret_id for approle in Kubernetes


I want to use Vault approle in Kubernetes (Go applications, deployed via Helm). As I understand it, with role_id I need to:

  1. create a role in Vault (and a policy for it)
  2. get the role_id and write it in some Gitlab CI variable (the app gets it from this environment variable during deployment)

But how do I get the secret_id in Kubernetes correctly? Theoretically I need to:

  1. request the secret_id from Vault during the deployment => I get a wrapped token as the response
  2. decrypt it (via vault unwrap) => now I have the secret_id
  3. use the role_id (from the Gitlab variable) and the secret_id => now I have a token for Vault (I’ll read Vault secrets with it later)

But how to do it correctly and safely in practice? Please share your experience.

I will explain my question.

I need to get the secret_id using the Vault Agent injector. Then take the role_id from the variables and use both to get a token, and keep it in memory (so that the cluster administrator cannot view it).

Are there any practical examples of similar integration of approle with Vault injector in Kubernetes?
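The unwrap-then-login steps from the question, as an added Go example (not the asker's code, and not taken from any answer): the two Vault HTTP API calls, `sys/wrapping/unwrap` authenticated with the wrapping token itself and `auth/approle/login` with role_id plus the unwrapped secret_id. It assumes the caller supplies the Vault address (for example the agent's local listener), the wrapping token and the role_id; the client token is only returned to the caller and is never written anywhere.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// vaultResp holds the two envelope fields this flow reads from Vault's JSON replies.
type vaultResp struct {
	Data struct{ SecretID string `json:"secret_id"` }       `json:"data"`
	Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"`
}

// vaultPost POSTs a JSON body to addr/v1/<path>, sending X-Vault-Token when token is non-empty.
func vaultPost(addr, token, path string, body map[string]string) (r vaultResp, err error) {
	buf, _ := json.Marshal(body) // a map[string]string always marshals
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/"+path, bytes.NewReader(buf))
	if err != nil {
		return r, err
	}
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return r, err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // e.g. 400/403 once a single-use wrapping token has been redeemed
		return r, fmt.Errorf("vault %s: HTTP %d", path, resp.StatusCode)
	}
	err = json.NewDecoder(resp.Body).Decode(&r)
	return r, err
}

// UnwrapSecretID redeems the single-use wrapping token (POST sys/wrapping/unwrap, authenticated
// with that token itself) and returns the secret_id it protected.
func UnwrapSecretID(addr, wrapToken string) (string, error) {
	r, err := vaultPost(addr, wrapToken, "sys/wrapping/unwrap", map[string]string{})
	return r.Data.SecretID, err
}

// AppRoleLogin trades role_id + secret_id for a client token (POST auth/approle/login).
// The token is returned to the caller and kept in process memory only; never log or persist it.
func AppRoleLogin(addr, roleID, secretID string) (string, error) {
	r, err := vaultPost(addr, "", "auth/approle/login", map[string]string{"role_id": roleID, "secret_id": secretID})
	return r.Auth.ClientToken, err
}
```

A non-2xx reply from the unwrap call means the wrapping token was already redeemed or has expired, which is exactly the signal response wrapping exists to give; treat it as a deployment failure worth alerting on rather than retrying.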