It is now possible to specify a `vaultRole` property for the VaultSecret CR, which defines the Vault Role that should be used to retrieve a secret from Vault.
```yaml
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: kvv1-example-vaultsecret
spec:
  vaultRole: my-custom-vault-role
  path: kvv1/example-vaultsecret
  type: Opaque
```
We create a shared client for requests against the Vault API when the `VAULT_KUBERNETES_ROLE` (`vault.kubernetesRole`) environment variable is set. This shared client is used to get the secrets from Vault.

When the `vaultRole` property of a secret is set, we ignore the shared client and instead create a new client to get that secret from Vault. Because of this, the operator will now also start when the `VAULT_KUBERNETES_ROLE` environment variable isn't set while the Kubernetes auth method is used; we only log a warning that no shared client was created. In that case every VaultSecret must set the `vaultRole` property.
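The client selection described above, written out as an added example (not the operator's own code): the `VaultClient`, the `loginFunc` hook and the `Resolver` type are assumptions that stand in for the real Vault API client and Kubernetes auth login, so the logic runs without a Vault server.

```go
package main

import (
	"fmt"
	"os"
)

// VaultClient stands in for the real Vault API client (assumption); it only records its Vault Role.
type VaultClient struct{ Role string }

// loginFunc is a hypothetical Kubernetes-auth login hook so the example runs without a Vault server.
type loginFunc func(role string) (*VaultClient, error)

// Resolver holds the optional shared client built from VAULT_KUBERNETES_ROLE.
type Resolver struct{ shared *VaultClient; login loginFunc }

// NewResolver mirrors operator start-up: a shared client exists only when VAULT_KUBERNETES_ROLE
// is set; otherwise only a warning is logged and start-up continues.
func NewResolver(env map[string]string, login loginFunc) (*Resolver, error) {
	r := &Resolver{login: login}
	role := env["VAULT_KUBERNETES_ROLE"]
	if role == "" {
		fmt.Fprintln(os.Stderr, "warning: VAULT_KUBERNETES_ROLE not set, no shared client; every VaultSecret must set spec.vaultRole")
		return r, nil
	}
	c, err := login(role)
	if err != nil {
		return nil, err
	}
	r.shared = c
	return r, nil
}

// ClientFor picks the client for one VaultSecret: spec.vaultRole always gets a freshly authenticated
// client, the shared client is the fallback, and a secret with neither is rejected, not read with the wrong role.
func (r *Resolver) ClientFor(vaultRole string) (*VaultClient, error) {
	if vaultRole != "" {
		return r.login(vaultRole)
	}
	if r.shared == nil {
		return nil, fmt.Errorf("no shared client and spec.vaultRole not set")
	}
	return r.shared, nil
}

func main() {
	r, _ := NewResolver(map[string]string{}, func(role string) (*VaultClient, error) { return &VaultClient{Role: role}, nil })
	fmt.Println(r.ClientFor("my-custom-vault-role")) // constructed run with VAULT_KUBERNETES_ROLE unset
}
```

The error path is the point for least privilege: a VaultSecret that names no role is refused rather than silently read with whatever client happens to exist.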