Tags: authentication, kubernetes, istio, hashicorp-vault, mtls

Istio and Hashicorp Vault: using SPIFFE to authenticate with Vault


I'm new to Hashicorp Vault. I am wondering if there is a way to take advantage of the SPIFFE protocol to automatically authenticate with Vault, so based on a vault client's mTLS certificate, a workload in Kubernetes/Istio can access Vault as a specific user (entity?) or group. The requesting k8s workload would only have access to Vault secrets based on its SPIFFE identity's Vault permissions.

I'm hoping that no Vault credentials (tokens, passwords, etc) would need to be passed and that access would be granted purely on the mTLS connection and the SPIFFE protocol. Is something like this possible? What are the options if Vault lives outside of the Kubernetes cluster (and therefore can't have an Istio sidecar)?

If what I'm asking is not possible, a less ideal solution would be to update the application code to somehow authenticate with Vault based on the pod's k8s Service Account. What are the options that Vault provides to do this type of thing? Are there any good resources regarding this?

I appreciate any advice you have to offer.


Solution

  • I have no knowledge about using SPIFFE for Vault authentication, but I agree that it could be interesting (I'm not sure whether https://www.vaultproject.io/docs/auth/cert could help, but I never tried that).

    As far as I know, the general way of integrating Kubernetes with Hashicorp Vault is described in https://www.vaultproject.io/docs/auth/kubernetes . It does not really matter where Vault is deployed: it can be inside the same Kubernetes cluster, in the same service mesh, or it can be a completely unrelated entity (e.g., a dedicated instance deployed on some random VM).

    You basically define roles and policies on Vault, which are mapped to specific Kubernetes service accounts and namespaces, and then the Kubernetes pod will be able to authenticate with the JWT that is associated with its service account.

    Once Vault is set up and you can authenticate with Kubernetes pods, you can have any wrapper around it. People are trying to do this in different ways, but one possibility would be https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar . Personally, I'm using https://github.com/postfinance/vault-kubernetes because it fits my needs quite well.

    The important part is setting up Vault to support Kubernetes properly: make sure to double check that first, before getting into any of these Kubernetes packages that try to fetch secrets.
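As an added example (not code from the question or the answer above), here is the flow the answer describes, carried through in Python against Vault's HTTP API: the operator side enables the Kubernetes auth method, writes a read-only policy and binds a role to one service account in one namespace; the pod side exchanges its projected service-account JWT for a Vault token and reads a KV v2 secret, with no static Vault credential anywhere in the pod. The role name `payments-app`, service account `payments`, namespace `prod`, policy `payments-read` and secret path `secret/data/payments/db` are assumed for illustration. Because the answer also links to the TLS certificate auth method, a helper is included that shows how a cert-auth role would be bound to an Istio SPIFFE URI SAN through `allowed_uri_sans`; whether the workload can actually present its SVID to a Vault outside the mesh (the Istio sidecar normally holds that certificate) is not settled on this page.

```python
"""Vault Kubernetes auth, operator side and pod side (added example, standard library only).

Assumed names: role "payments-app", service account "payments", namespace "prod",
policy "payments-read", KV v2 path "secret/data/payments/db".
"""
import json
import urllib.error
import urllib.request

# Standard path of the projected service-account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def policy_hcl(secret_path):
    """Vault ACL policy granting read only (no list/update) on a single path."""
    return 'path "%s" {\n  capabilities = ["read"]\n}\n' % secret_path


def kubernetes_role(service_account, namespace, policy, ttl="1h"):
    """Body for POST /v1/auth/kubernetes/role/<name>.

    Bind both the name and the namespace: binding only the name would let a
    same-named service account in any other namespace log in under this role.
    """
    return {
        "bound_service_account_names": [service_account],
        "bound_service_account_namespaces": [namespace],
        "token_policies": [policy],
        "token_ttl": ttl,
    }


def cert_role_for_spiffe(spiffe_id, policy, ca_pem, ttl="1h"):
    """Body for POST /v1/auth/cert/certs/<name>: TLS cert auth constrained to one SPIFFE URI SAN.

    Istio SVIDs carry IDs of the form spiffe://cluster.local/ns/<ns>/sa/<sa>;
    "certificate" is the CA that signs the SVIDs (assumed to be available as PEM).
    """
    return {
        "certificate": ca_pem,
        "allowed_uri_sans": [spiffe_id],
        "token_policies": [policy],
        "token_ttl": ttl,
    }


def client_token(login_body):
    """Extract the client token from a /v1/auth/kubernetes/login response body."""
    data = json.loads(login_body)
    token = (data.get("auth") or {}).get("client_token")
    if not token:
        raise PermissionError("Vault login failed: %s" % data.get("errors", data))
    return token


def vault(addr, method, path, body=None, token=None):
    """Minimal Vault client: returns the decoded JSON body ({} on 204, {"errors": [...]} on 4xx)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + "/v1/" + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raw = err.read()
    return json.loads(raw) if raw else {}


def configure_vault(addr, admin_token, k8s_host, k8s_ca_pem, reviewer_jwt=None):
    """Operator side. reviewer_jwt is the TokenReview service-account JWT Vault uses to
    validate pod tokens; it is needed when Vault runs outside the cluster."""
    vault(addr, "POST", "sys/auth/kubernetes", {"type": "kubernetes"}, admin_token)
    config = {"kubernetes_host": k8s_host, "kubernetes_ca_cert": k8s_ca_pem}
    if reviewer_jwt:
        config["token_reviewer_jwt"] = reviewer_jwt
    vault(addr, "POST", "auth/kubernetes/config", config, admin_token)
    vault(addr, "PUT", "sys/policies/acl/payments-read",
          {"policy": policy_hcl("secret/data/payments/db")}, admin_token)
    vault(addr, "POST", "auth/kubernetes/role/payments-app",
          kubernetes_role("payments", "prod", "payments-read"), admin_token)


def login_from_pod(addr, role="payments-app"):
    """Pod side: trade the projected SA JWT for a short-lived Vault token."""
    with open(SA_TOKEN_PATH) as f:
        jwt = f.read().strip()
    body = vault(addr, "POST", "auth/kubernetes/login", {"role": role, "jwt": jwt})
    return client_token(json.dumps(body))


def read_secret(addr, token, path="secret/data/payments/db"):
    """KV v2 nests the key/value pairs under data.data."""
    return vault(addr, "GET", path, token=token)["data"]["data"]


if __name__ == "__main__":
    vault_addr = "https://vault.example.internal:8200"  # assumed address
    tok = login_from_pod(vault_addr)
    print(read_secret(vault_addr, tok))
```

The role binding is the part to get right first, as the answer says: a role bound to a name but not a namespace, or to a wildcard, hands the policy to any pod that can obtain a matching token. The pod-side login is a single POST, so the same exchange works whether Vault sits in the cluster, in the mesh, or on a VM outside both.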