Vault with csi-provider

I have installed Vault as an STS with the CSI driver enabled, as I needed to inject the secrets as environment variables, and it is working fine.

In the process of testing different scenarios, I deleted the vault-0 pod, and after it was up again I noticed a 403 error (authentication failed) from the Vault API server. I updated the authentication config with the newly generated service account token and it worked fine afterwards.

vault write auth/kubernetes/config \
     issuer="https://kubernetes.default.svc.cluster.local" \
     token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
     kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

So my question is how to automate this? Does Kubernetes have a TTL for service account tokens? Can I set this to a longer period? Can I use some static service token just for Vault?

If you want Vault to authenticate using the service account from its own pod, you should just leave out the token_reviewer_jwt and kubernetes_ca_cert options entirely, and it will load the values provided by Kubernetes automatically:

You should also remove the deprecated issuer parameter.
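As an added example (not from the thread or from Vault's own docs), a small POSIX shell script that decodes the projected service account token's exp and iat claims to show the lifetime Kubernetes granted it; it assumes the default token mount path used in the thread and falls back to a constructed sample token when run off-cluster.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the projected service account
# token to see whether it is short-lived. A short-lived token copied into
# token_reviewer_jwt stops working once Kubernetes rotates it, which is why
# the answer recommends leaving that option out and letting Vault read the
# token from its own pod.

# Default path Kubernetes mounts the token at (same path the thread uses).
SA_TOKEN_FILE=/var/run/secrets/kubernetes.io/serviceaccount/token

# base64url without padding, as used in JWTs.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }

# Reverse of the above: restore padding and standard alphabet, then decode.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# jwt_claim TOKEN CLAIM: print a numeric claim from the JWT payload
# (the flat claims Kubernetes emits need no JSON parser).
jwt_claim() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# token_ttl_seconds TOKEN: lifetime Kubernetes granted (exp - iat);
# fails for legacy secret-based tokens, which carry no expiry.
token_ttl_seconds() {
  exp=$(jwt_claim "$1" exp) && iat=$(jwt_claim "$1" iat)
  [ -n "$exp" ] && [ -n "$iat" ] || return 1
  echo $(( exp - iat ))
}

# Constructed sample token (unsigned, offline use only): a one-hour token.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256"}').$(b64url_encode '{"iss":"https://kubernetes.default.svc.cluster.local","iat":1700000000,"exp":1700003600}').sig"

main() {
  tok=$SAMPLE_TOKEN
  [ -r "$SA_TOKEN_FILE" ] && tok=$(cat "$SA_TOKEN_FILE")
  ttl=$(token_ttl_seconds "$tok") || { echo "no exp/iat claims: non-expiring token"; return 0; }
  echo "token lifetime: ${ttl}s (exp=$(jwt_claim "$tok" exp))"
}
main
```

A token that reports a lifetime of an hour or so is a bound, projected token that the kubelet rotates, so any copy pasted into token_reviewer_jwt will eventually be rejected by the TokenReview API.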

Thank you for your answer. I have noticed that the token does not change, so I included the token from the secret, wrote it to auth/kubernetes/config, and it is working now. I don't know why it was not working earlier.

Anyway huge thanks for your help!!!