We use vault-agent sidecars to access secrets from pods (kubernetes).
More specifically I have a node.js application that needs to be able to read and write secrets. Auth is done using kubernetes auth and a service account for the pod. This works perfectly for reading/mounting secrets using annotations.
How would I go about writing secrets? Can I somehow use the sidecar for this? Or would I simply post/patch/update directly to the vault api? If so, do I just use the service account token for auth?
If you are already running a Vault agent, with listener and cache blocks in its configuration, then yes, the listener can proxy writes for you in the same way it does reads.
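As an added example (not code from the thread or from HashiCorp), this is the shape of the setup the answer describes: an agent config with `auto_auth`, `cache` and `listener` blocks, and a Node.js helper that writes a KV v2 secret through the local listener. The listener address, the Kubernetes role name, the `secret/` mount and the secret path are assumptions.

```javascript
// Added example, not from the thread. Assumes the agent sidecar listens on
// 127.0.0.1:8200 and a KV v2 engine is mounted at "secret/" (both assumptions).

// Vault agent config (HCL) that lets the listener proxy requests with the
// auto-auth token, so the app never handles a Vault token itself.
const AGENT_CONFIG_HCL = `
auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = { role = "myapp" }   # assumed role name
  }
}
cache {
  use_auto_auth_token = true
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true             # loopback inside the pod only
}
`;

const AGENT_ADDR = "http://127.0.0.1:8200";

// Build the KV v2 write request for the agent listener. There is no
// X-Vault-Token header: the agent attaches its auto-auth token.
function buildKvWrite(mount, path, data) {
  return {
    url: `${AGENT_ADDR}/v1/${mount}/data/${path}`,
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ data }),
  };
}

// Send the write through the agent. `fetchImpl` defaults to Node's global
// fetch and can be swapped for testing. Returns the version KV v2 assigned.
async function writeSecret(mount, path, data, fetchImpl = globalThis.fetch) {
  const req = buildKvWrite(mount, path, data);
  const res = await fetchImpl(req.url, {
    method: req.method, headers: req.headers, body: req.body,
  });
  if (!res.ok) throw new Error(`vault write failed: HTTP ${res.status}`);
  const json = await res.json();
  return json.data.version;
}
```

The app only talks to loopback, so the Vault policy bound to the agent's Kubernetes role is what limits which paths it can write.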
I’m trying to sort out the same sort of thing; I have Vault running in my K8s cluster and I’m using the vault-agent-injector and that’s working great for my pods to pull secrets from Vault.
I can’t seem to figure out how to enable pods to write or update secrets back into Vault though? I’ve currently just hacked together my own service using the vault sdk, but it seems like there are better, more standard ways to solve this?
I have been looking at vault-agent but can’t seem to find an example of how to actually use this to create/update secrets in Vault from a pod… any pointers?