How to solve for secret zero for Vault Secrets Operator AppRole authentication

According to the Vault Secret Operator AppRole spec, it is expected to reference a Kubernetes Secret containing the Secret ID. Could someone provide recommendations on securely delivering this secret? I’ve read about secret_id wrapping and the importance of a trusted orchestrator/entity, but I haven’t found a concrete example.

My unverified approach is:

  1. The CI runner/agent fetches the wrapped secret_id.
  2. The CI runner spawns a broker Pod and injects the wrapped secret_id as a Kubernetes Secret.
  3. The broker Pod runs a Vault agent injector to read the wrapped secret_id from the injected Kubernetes Secret, unwrap it, and store the unwrapped secret_id in a new Kubernetes Secret for the Vault operator to reference.

Does this approach seem viable? Is there more native and supported way to do this? Looking for recommendations and best practices to handle this use case.

I’m aware that K8s auth is the recommended approach but it is currently not something we are supporting yet.


You can also consider JWT auth method instead of K8s auth.

Yes, aware of it and the most likely way we’ll set it up.