Hi, is there any way to manually authenticate against Vault from a Kubernetes pod with a service account without using the Vault webhook?
My use case is the following: I need to be able to load a lot (like 300) of K/V from a Vault path (which the service account has permission to access) and it does not seem feasible with the webhook annotation (loading every secret inside a path). So my guess is that I need to do it some other way.
Indeed, as you have guessed, it would be better to just authenticate to the Vault API from your program code.
This is easy to do - you just read your service account token from the path on disk where Kubernetes provides it to you: /var/run/secrets/kubernetes.io/serviceaccount/token - and send it to the login API: Kubernetes - Auth Methods - HTTP API | Vault by HashiCorp
Then just send the returned client_token with each request.
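The flow described in the answer above, as an added example that is not part of the original posts: log in with the pod's service account token, then list and read every secret under one path. It assumes a KV version 2 engine mounted at `secret`, the Kubernetes auth method mounted at `kubernetes`, and a hypothetical role `my-app`, path `my-app/config` and Vault address.

```python
import json
import urllib.request

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def _call(method, url, token=None, body=None):
    """Send one JSON request to Vault and return the decoded response."""
    req = urllib.request.Request(
        url, method=method,
        data=json.dumps(body).encode() if body else None,
        headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    # urllib verifies the server certificate by default; keep it that way.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def login(addr, role, jwt, call=_call, auth_mount="kubernetes"):
    """Exchange the service account JWT for a Vault client token."""
    resp = call("POST", f"{addr}/v1/auth/{auth_mount}/login",
                body={"role": role, "jwt": jwt})
    return resp["auth"]["client_token"]

def load_path(addr, token, path, call=_call, kv_mount="secret"):
    """Return {secret_name: {key: value}} for each secret directly under path (KV v2)."""
    listing = call("GET", f"{addr}/v1/{kv_mount}/metadata/{path}?list=true",
                   token=token)
    secrets = {}
    for name in listing["data"]["keys"]:
        if name.endswith("/"):  # nested folder, not a secret; skipped here
            continue
        resp = call("GET", f"{addr}/v1/{kv_mount}/data/{path}/{name}",
                    token=token)
        secrets[name] = resp["data"]["data"]
    return secrets

if __name__ == "__main__":
    with open(SA_TOKEN_PATH) as f:
        jwt = f.read().strip()
    addr = "https://vault.example.internal:8200"  # assumed address
    token = login(addr, "my-app", jwt)            # assumed role name
    for name, kv in load_path(addr, token, "my-app/config").items():
        print(name, sorted(kv))  # print key names only, never secret values
```

The policy attached to the role needs `list` on the `metadata/` path and `read` on the `data/` path for this to work.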