Hi everyone,
I have a setup where Vault runs in its own dedicated cluster, and there are about 10 other Kubernetes clusters, each running VSO.
I’m trying to figure out the best way to handle authentication and TokenReview between these clusters.
From what I understand, there are a few options — but all of them have caveats in a multi-cluster setup:

- Use the local token as the reviewer JWT – not possible, since Vault and VSO are in different clusters.
- Use the client JWT as the reviewer JWT – not ideal, because it requires creating many additional auth-delegator roles for each VaultAuth resource (we have hundreds).
- Use a long-lived token as the reviewer JWT – seems like the only viable option?
  Is there a way to configure VSO (via your VSO Helm chart) so that it generates or uses a persistent long-lived token from the default service account, which could be reused across clusters?
- Use JWT auth instead? – would this be a better fit for external Vault setups?
We don’t plan to have shared VaultAuth per cluster — permissions are granted very specifically on a per-resource basis.
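For readers landing here with the same question, here is what the third option (a long-lived reviewer token in each workload cluster) looks like on the Kubernetes side. This is an added example, not from the original poster or from the VSO project; the names `vault-token-reviewer` and the namespace `vault-auth` are placeholders chosen for the example.

```yaml
# Added example (not from the original post): the long-lived reviewer token
# option applied to one workload cluster. The ServiceAccount, namespace and
# Secret names below are placeholders for this example.
#
# 1. A dedicated ServiceAccount whose only job is TokenReview for Vault.
#    Keeping it separate from VSO's own service account means the token
#    handed to Vault carries no permissions beyond token review.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-token-reviewer
  namespace: vault-auth
---
# 2. system:auth-delegator is the built-in ClusterRole that allows
#    creating tokenreviews and subjectaccessreviews, and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-token-reviewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-token-reviewer
    namespace: vault-auth
---
# 3. Since Kubernetes 1.24 service accounts no longer get a token Secret
#    automatically. A Secret of this type asks the token controller to
#    mint one non-expiring token bound to the account; the controller
#    fills in data.token and data.ca.crt after creation.
apiVersion: v1
kind: Secret
metadata:
  name: vault-token-reviewer-token
  namespace: vault-auth
  annotations:
    kubernetes.io/service-account.name: vault-token-reviewer
type: kubernetes.io/service-account-token
```

After applying this in a workload cluster, the token and CA can be read out with `kubectl -n vault-auth get secret vault-token-reviewer-token -o go-template='{{.data.token | base64decode}}'` (and `{{index .data "ca.crt" | base64decode}}`), and a per-cluster Kubernetes auth mount on the external Vault is configured with `kubernetes_host`, `kubernetes_ca_cert`, `token_reviewer_jwt` and `disable_local_ca_jwt=true`, the last being what tells Vault not to fall back to its own pod's service account. Two things worth planning for with this option: the token never expires, so rotation is a manual step (delete and recreate the Secret, then update the mount config), and Vault will call the workload cluster's API server from the Vault cluster, so that network path and the API server's audit log (TokenReview requests from `system:serviceaccount:vault-auth:vault-token-reviewer`) are where to look when logins fail or when checking that the reviewer token is only used by Vault.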