Open ekwisnek opened 2 years ago
I created the AppRole auth method and added the credentials as Kubernetes secrets in the ctrlplane-dev namespace on the dev cluster. I can provide them via other means if necessary. I don't know how Spring Cloud Vault wants them.
EDIT: I looked it up, and I can create a secret like this if you want:
```yaml
spring.cloud.vault:
  authentication: APPROLE
  app-role:
    role-id: <role-id>
    secret-id: <secret-id>
    role: copilot
    app-role-path: approle
```
Add HashiCorp Vault KMS interaction support for fetching secrets.
I don't think we should integrate any authorization decisions at this point. Assume that all pilot instances are authorized to have all keys just to implement that end-to-end exchange.