Injecting secrets into a pod remotely

Hi there! I need some guidance on using Vault to inject secrets into pods. I followed the blog post on this matter, but I’m not sure that it satisfies my use case. In any event, we are only beginning our journey on using Vault across several workloads, so I think a few basic concepts are not yet instilled in my mind.

Our setup is that of an EKS cluster with several namespaces - one namespace per application. Vault has its own namespace and is deployed in the same cluster as the other applications.

I understand that I should be able to request secrets in pods of applications using annotations, but I am uncertain as to how to specify where the vault endpoint is.

Can someone please help me with some guidance on getting started?


Vault is running in an EKS cluster using namespaces? Or is Vault running elsewhere (non-EKS/containerized)?
When you say namespace, you mean Vault namespace or AWS namespace?

Is this what you followed?

Might take a look here, too -

Hi Mike, thanks for replying

Yes, we have an EKS cluster with namespaces, and one of those namespaces is vault.
I need applications in the other Kubernetes namespaces on that same cluster to get their secrets injected by the Vault running on the same cluster (but in a different namespace).

I mean the AWS namespace, i.e. the Kubernetes namespace in the EKS cluster.

I subsequently followed that, yes - which seems to provide the solution to my problem by using annotations. I haven’t checked yet.

The main confusion I have I think is that I’m not sure how to tell the applications where to get their secrets from. Adding the annotations to the manifest I can understand – and if I understand correctly, the secret injection is done via the k8s control plane?

Thanks again for your time
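Added example (not part of the original thread, and not code from HashiCorp): a Deployment in an application namespace whose pods get a secret rendered by the Vault Agent Injector from a Vault server running in the `vault` namespace of the same cluster. The mechanics the thread asks about are: the injector is a mutating admission webhook that rewrites the pod at creation time (adding a `vault-agent-init` init container and a `vault-agent` sidecar); the Vault address defaults cluster-wide to what the injector was installed with (the Helm chart's `injector.externalVaultAddr`, or the in-cluster Vault Service when Vault and the injector ship together), and `vault.hashicorp.com/service` only overrides that per pod. All names here (`payments` namespace, `payments-api` service account and role, the `secret/data/payments/db` KV v2 path, the `vault-ca` TLS secret, the image) are assumptions for illustration.

```yaml
# Added example, not from the original thread. Names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 1
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
      annotations:
        # Ask the Vault Agent Injector (mutating admission webhook) to add the
        # vault-agent init and sidecar containers to this pod.
        vault.hashicorp.com/agent-inject: "true"
        # Where the injected agent reaches Vault. The injector already has a
        # cluster-wide default; this override uses the in-cluster Service DNS
        # name <service>.<namespace>.svc:<port> of the Vault in the "vault" namespace.
        vault.hashicorp.com/service: "https://vault.vault.svc:8200"
        # Mount path of the Kubernetes auth method in Vault (default shown).
        vault.hashicorp.com/auth-path: "auth/kubernetes"
        # Vault role the agent logs in as with this pod's service-account token.
        vault.hashicorp.com/role: "payments-api"
        # Verify Vault's TLS certificate with a CA mounted from the "vault-ca"
        # Secret (mounted under /vault/tls) instead of tls-skip-verify.
        vault.hashicorp.com/tls-secret: "vault-ca"
        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
        # KV v2 secret to render into /vault/secrets/db-creds.
        vault.hashicorp.com/agent-inject-secret-db-creds: "secret/data/payments/db"
        # Consul-template syntax; KV v2 data lives under .Data.data.
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "secret/data/payments/db" -}}
          DB_USER={{ .Data.data.username }}
          DB_PASS={{ .Data.data.password }}
          {{- end }}
        # Owner-only permissions on the rendered file.
        vault.hashicorp.com/agent-inject-perms-db-creds: "0400"
    spec:
      # The token of this service account is what the agent presents to Vault.
      serviceAccountName: payments-api
      containers:
        - name: payments-api
          image: registry.example.com/payments-api:1.0.0  # assumed image
          # The app sources the rendered file at start; the secret never passes
          # through a Kubernetes Secret object or the manifest itself.
          command: ["/bin/sh", "-c"]
          args: ["set -a; . /vault/secrets/db-creds; set +a; exec /app/server"]
```

The Vault side has to agree with the annotations: the Kubernetes auth method must be enabled at `auth/kubernetes`, a policy must grant `read` on `secret/data/payments/db`, and the role must be bound to exactly this workload, for example `vault write auth/kubernetes/role/payments-api bound_service_account_names=payments-api bound_service_account_namespaces=payments policies=payments-api ttl=1h`. Binding `bound_service_account_namespaces` to the application's own namespace rather than `*` is the least-privilege check worth making: with `*`, any namespace in the cluster that creates a service account with the same name can obtain the same secret. A quick verification after `kubectl apply` is `kubectl -n payments get pod -l app=payments-api -o jsonpath='{.items[0].spec.initContainers[*].name}'`, which should list `vault-agent-init`; if it is empty, the webhook did not mutate the pod (typically because the injector is not watching that namespace or the `agent-inject` annotation is missing).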