Shared JWT store using Kubernetes Vault Injector across multiple namespaces


In order to avoid an XY problem, I’d love to hear recommendations on how to achieve my desired result by presenting my current state and my (general) desired state, with a (maybe) potential solution using the Agent Sidecar Injector.

Nowadays, I use Vault in the following way:

I have a K8s cluster (EKS) with multiple namespaces, one for each tenant.

Each namespace contains multiple Deployments, and one my-auth secret which provides clientId and clientSecret (Auth0 M2M app).

Each one of these Deployments uses the my-auth secret to generate (fetch) a JWT (from Auth0), which is then used to authenticate to Vault.

Deployments’ apps then read the tenant-specific tokens needed to run.

Roles are applied by mapping the JWT scope to each tenant. Policies then use these Roles to give apps in each of the namespaces access only to their tenant’s path within Vault, e.g. kv/data/tenantA/secret, kv/data/tenantB/secret, etc.

I would like to make use of the Agent Sidecar Injector

I would like all of the Deployments for a given namespace (tenant) to re-use the same Auth0 JWT until it expires, in order to avoid generating a new token for each app run. It’s a bit of a chicken and egg problem, since I need to generate a token in order to access Vault in the first place.

One way I thought of implementing a solution to this is using the Agent Sidecar Injector, using Kubernetes Authentication, but I’m not sure if it offers a viable solution in this case, and how to implement it correctly if it does.

Here is what I thought:

If, using the injector, Pods can access a Vault path when running, I’d be able to tell my app to look for the file /vault/secrets/existing-jwt and use its contents (JWT), instead of generating a new token. If the JWT has indeed expired, the app can then generate a new JWT and write it to the same file, so that other Pods in the same namespace can use it.

The /vault/secrets/existing-jwt file would be mapped from each tenant’s respective Vault path (e.g. kv/data/tenantA/existingJWT) using the sidecar.

I hope my descriptions are clear, I’d love any feedback, recommendations, solutions, guidance, or anything else that may help.

Thank you!