How to unit test with Kubernetes auth?

I’ve implemented hello-vault-go/sample-app at main · hashicorp/hello-vault-go · GitHub, except I am using Kubernetes Authentication. Things work with integration-style tests, but for unit testing I’d like some advice. I am using to create a Vault server, but I get permission denied errors from Vault when logging in. I suspect this is because when I configure Kubernetes Auth in the test, it’s not pointing to a real cluster.

Is there a framework I can use or a flag I can set in Vault to assist in enabling Kubernetes Auth for testing? Or do I have to mock all of the client calls?

Hi Aye,

Would you mind sharing how you are authenticating your k8s cluster in your Vault server?
In the meantime I am sharing how I am doing it at the moment:

```bash
#!/usr/bin/env bash
set -euo pipefail

# Vault Settings
MY_VAULT_ADDR="${MY_VAULT_ADDR:?set to the Vault address, e.g. http://127.0.0.1:8200}"

# Kubernetes settings
NS="${NS:?set to the namespace the application service account lives in}"

setupVault() {
  CLUSTER="${1:?usage: setupVault <auth-mount-name>}"

  # Long-lived token for the "vault" service account; Vault uses it as the
  # token reviewer JWT. The metadata/annotation/type lines were missing from
  # the pasted manifest and are restored to the standard service-account-token form.
  kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-token-g955r
  namespace: security
  annotations:
    kubernetes.io/service-account.name: vault
type: kubernetes.io/service-account-token
EOF

  VAULT_HELM_SECRET_NAME=$(kubectl -n security get secrets --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')

  # Write the reviewer JWT, the cluster CA and the API server URL to files;
  # the vault CLI reads them back with @file below.
  kubectl -n security get secret "$VAULT_HELM_SECRET_NAME" -o jsonpath='{.data.token}' | base64 --decode > k8s_token
  kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode > k8s_ca
  kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}' > k8s_host

  kubectl -n security describe secret "$VAULT_HELM_SECRET_NAME"

  echo "Enable kubernetes auth method"
  vault auth enable -address "$MY_VAULT_ADDR" -path="$CLUSTER" -namespace="*" kubernetes

  echo "Configure kubernetes cluster into vault"
  vault write -address "$MY_VAULT_ADDR" "auth/$CLUSTER/config" \
     token_reviewer_jwt=@k8s_token \
     kubernetes_host=@k8s_host \
     kubernetes_ca_cert=@k8s_ca

  echo "Create kubernetes application role"
  vault write -address "$MY_VAULT_ADDR" "auth/$CLUSTER/role/$CLUSTER-app" \
     bound_service_account_names="$CLUSTER-app" \
     bound_service_account_namespaces="$NS" \
     policies="$CLUSTER-app"

  echo "Reading application role"
  vault read -address "$MY_VAULT_ADDR" "auth/$CLUSTER/role/$CLUSTER-app"
}

setupVault "$@"
```

```
bash setupVault kubernetes
```

The script sets up the k8s cluster you are authenticated to at the moment.
PS: It doesn’t support contexts for now.

Hope that helps you somehow.

For unit testing, I won’t have a k8s cluster available, so I don’t think I’ll be able to set this up. I decided to use interfaces and mocks in my Vault client, which is working for now. Thank you for your response!