I have been using the Vault Secrets Operator and encountered the following situation.
I deployed a VaultConnection CRD in my “vault” namespace, which specifies how to connect to Vault over HTTPS using the caCertSecretRef.
I also have an application running in another namespace called “test.” I created a VaultAuth CRD in the “test” namespace, which specifies the application’s service account and the appropriate role in Vault for Kubernetes authentication.
The problem I am facing is that I cannot reference my VaultConnection CRD in the VaultAuth CRD’s vaultConnectionRef, since the VaultConnection CRD’s scope is namespaced. The issue is resolved when I deploy the VaultConnection CRD into my “test” namespace, but then I need to copy over the caCertSecret to connect to Vault over HTTPS.
Am I missing something fundamental about how the VaultConnection and VaultAuth CRDs are supposed to be used? My initial impression was that I would only need one VaultConnection CRD in the Vault namespace (or configure the default VaultConnection CRD) and that I would be able to reference it in all my application-specific VaultAuth CRDs in other namespaces. However, I cannot do this since the VaultConnection CRD is namespaced.
I would appreciate any input and help. I’m really looking forward to using this more!
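Added illustration, not part of the original post: the two-namespace layout the question describes, written out as manifests. All names (`vault-ca`, `vault-connection`, `app-auth`, the Vault address, auth mount, role and service account) are assumptions for the example. The `namespace/name` form of `vaultConnectionRef` is what newer operator releases accept; on a release that only accepts a bare name, the reference is resolved in the VaultAuth's own namespace, which is the behaviour the post runs into.

```yaml
# --- namespace "vault": one VaultConnection plus the CA secret it references ---
# Secret holding the PEM CA chain that issued Vault's TLS listener certificate.
# VaultConnection reads the chain from the key "ca.crt".
apiVersion: v1
kind: Secret
metadata:
  name: vault-ca              # assumed name
  namespace: vault
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-PASTE-YOUR-CA-CHAIN-HERE
    -----END CERTIFICATE-----
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection      # assumed name
  namespace: vault
spec:
  address: https://vault.vault.svc:8200   # assumed in-cluster address
  # The referenced Secret must live in the same namespace as this VaultConnection.
  caCertSecretRef: vault-ca
  # skipTLSVerify is left at its default (false); setting it true would make
  # the CA secret irrelevant and accept any certificate presented for Vault.
---
# --- namespace "test": the application's VaultAuth, pointing at the connection above ---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: app-auth              # assumed name
  namespace: test
spec:
  # Namespace-qualified reference (assumed to be supported by the installed
  # operator version); a bare "vault-connection" would be looked up in "test".
  vaultConnectionRef: vault/vault-connection
  method: kubernetes
  mount: kubernetes           # assumed Kubernetes auth mount path in Vault
  kubernetes:
    role: test-app            # assumed Vault role bound to the service account below
    serviceAccount: test-app  # assumed service account in namespace "test"
    audiences:
      - vault
```

The other route the post mentions, the default VaultConnection, is configured on the operator's Helm chart (values such as `defaultVaultConnection.enabled`, `defaultVaultConnection.address` and `defaultVaultConnection.caCertSecret`; confirm the exact keys against the chart version in use). In that setup the CA Secret lives in the operator's namespace and the VaultAuth simply omits `vaultConnectionRef`. Either way, keeping a single copy of the CA bundle matters less for confidentiality (a CA certificate is public) than for rotation: duplicated copies drift, and a stale copy in one namespace silently breaks TLS verification for just that application.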