Is it possible to have vault-csi-provider on separate cluster to vault server?

I have a working prototype with vault, csi and vault-csi-driver mounting secrets in pods in a single cluster.

I’m now trying to separate the vault server to a separate cluster

  • vault cluster
    • vault server
  • workload cluster
    • vault-csi-provider
    • csi-secrets-store-csi-driver

I get 403 errors, e.g. in logs of vault-csi-provider

SecretProviderClass looks like

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  annotations:
  creationTimestamp: "2024-09-11T16:52:37Z"
  generation: 1
  name: csiapp-database
  namespace: default
  resourceVersion: "196860"
  uid: 9349cafd-0506-4d5c-8930-1f4a594ab11f
spec:
  parameters:
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/db-pass"
        secretKey: "password"
      - objectName: "db-whoopsi"
        secretPath: "secret/data/db-pass"
        secretKey: "whoopsi"
      - objectName: "db-time"
        secretPath: "secret/data/db-pass"
        secretKey: "time"
    roleName: csiapp
    vaultAddress: http://k8s.ingress/vault
  provider: vault

The role

vault write auth/kubernetes/role/csiapp \
    bound_service_account_names=csiapp-sa \
    bound_service_account_namespaces=default \
    policies=csiapp \
    ttl=20m

I guess that kubernetes auth is incompatible in this cross-cluster scenario?

you need to configure a new k8s auth method that points to the workload k8s cluster.

OK thanks. So I should follow this guide - Kubernetes - Auth Methods | Vault | HashiCorp Developer - to configure a kubernetes authentication method in the vault server pointing to the workload cluster.

I guess it means that if you had multiple workload clusters sharing one vault server, you would need to configure the vault server with an auth method for each workload cluster?

yes, as each cluster api credential would be different.