I have a .NET CORE 3.1 Web API deployed to a container in Kubernetes - The program spins off connection string using Hashicorp Vault to retrieve rotating database usernames and passwords. That’s pretty much basic implementation almost every one is familiar with - But here is the challenge - when running integration test for the API we do not get access to the vault secrets because when the pod is created the annotations are tied to the API. My question is what should be the best way to get access to the vault secrets while running my integration test ?
This isn’t exactly a Vault question, and it really depends on how your CI/CD is setup for integration testing and what you use.
If you’re using something like Jenkins or similar then you can have an approle (there is a plugin for it) to provide the tests with the token they need to access vault. If’re using Kub-auth in production then running a “Vault agent” will simulate the production environment. [ Sidecar containers in kubs is a vault agent underneath ]