We have a back-end application running in a K8s pod providing a REST API to other services in K8s. As part of its functionality it needs to create and read KV secrets to/from Vault.
I was wondering what the best practice is to achieve this. After reading the docs I think the Vault Agent sidecar is a great choice to keep the Vault authentication and Vault token renewal process outside the application's concern. However, I have not found information on how the application itself can use the Vault Agent sidecar to communicate with Vault to create/read secrets.
The docs describe that the Vault Agent container stores the Vault token into a file (if the sink is configured so), however I have found neither whether the application running in another container in the same pod can access this file to use it for Vault API calls, nor whether this is actually good practice.
Any hints about how to achieve the scenario described above are highly appreciated.
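As an added example that is not part of the original post, here is a minimal client for the pattern the question describes: the agent's file sink is shared with the application container (for instance through a shared volume), and the application reads the token from that file and uses it for KV v2 API calls. The sink path, Vault address and KV mount name are assumptions, and the client waits for the sink because the agent only writes it after it has authenticated.

```python
import json
import os
import time
import urllib.request

# Assumed values (not from the original post): the agent's file sink path,
# the Vault address reachable from the pod, and the KV v2 mount name.
SINK_PATH = os.environ.get("VAULT_TOKEN_SINK", "/vault/secrets/token")
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://vault.vault.svc:8200")
KV_MOUNT = "secret"


def read_sink_token(path=SINK_PATH, timeout=30.0, interval=0.5):
    """Return the token the agent wrote to its file sink.

    At pod start the sink may not exist yet or may be empty, so wait for it
    instead of failing. Re-read on every call: the agent rewrites the file
    when it re-authenticates and obtains a new token.
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            with open(path) as f:
                token = f.read().strip()
            if token:
                return token
        except FileNotFoundError:
            pass
        if time.monotonic() >= deadline:
            raise TimeoutError(f"no token in sink {path} after {timeout}s")
        time.sleep(interval)


def kv2_request(token, name, data=None, addr=VAULT_ADDR, mount=KV_MOUNT):
    """Build the KV v2 read (GET) or write (POST) request for secret `name`.

    KV v2 addresses secrets under <mount>/data/<name> and expects the
    secret fields wrapped in a top-level "data" object on write.
    """
    url = f"{addr}/v1/{mount}/data/{name}"
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    body = None if data is None else json.dumps({"data": data}).encode()
    method = "GET" if data is None else "POST"
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def kv2_read(name):
    """Read secret fields; a fresh token is taken from the sink each call."""
    with urllib.request.urlopen(kv2_request(read_sink_token(), name)) as resp:
        return json.load(resp)["data"]["data"]


def kv2_write(name, data):
    """Write secret fields and return the version metadata Vault reports."""
    with urllib.request.urlopen(kv2_request(read_sink_token(), name, data)) as resp:
        return json.load(resp)["data"]
```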