Anyone using Vault integration at any scale?

I’ve been trying to get the Vault integration working, and am finding it frustrating.

In particular, since NodeAgent is passing the ServiceAccount token of the workload (rather than itself), I need to reconfigure the Vault backend role to whitelist each ServiceAccount or Namespace that I want to support.

I’m wondering if there are other people/orgs that have successfully got this integration working. It doesn’t necessarily have to be in production, but in an environment with more than a few services running in the mesh. If so, how have you been managing Vault configuration?

Thanks in advance,
Jon

We have heard that some customers build a syncer themselves to solve this problem and the integration pain.

Adding @leitang @Oliver, who can give a detailed answer.

There are orgs that prefer using workload k8s service accounts for certificate issuance. They build a syncer that monitors the k8s service accounts and configures their Vault authentication and authorization policies based on the k8s service accounts.
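As an added illustration (not code from the thread or from any particular org's syncer), here is the core reconcile step such a syncer performs: turn the observed Kubernetes ServiceAccounts into one Vault kubernetes-auth role each and compute which roles must be written or deleted. The role-naming scheme, the `pki-<ns>-<sa>` policy names and the sample inputs are assumptions; the payload keys are the Vault kubernetes auth backend's own parameters.

```python
"""Toy reconciler for a Vault kubernetes-auth 'syncer' (hypothetical).

One role per (namespace, serviceaccount) under auth/kubernetes/role/<name>, so
only the exact workload identity that presents a token can log in, and roles
for ServiceAccounts that no longer exist are removed (least privilege).
"""
from typing import Dict, List, Tuple


def role_name(namespace: str, sa: str) -> str:
    # Assumed naming scheme. Note: "a-b"/"c" and "a"/"b-c" would collide;
    # a real syncer should pick an unambiguous separator or encoding.
    return f"{namespace}-{sa}"


def desired_role(namespace: str, sa: str) -> dict:
    # Keys match the Vault kubernetes auth role parameters. Binding both
    # name and namespace avoids the "*" wildcard the thread discusses.
    return {
        "bound_service_account_names": [sa],
        "bound_service_account_namespaces": [namespace],
        "token_policies": [f"pki-{namespace}-{sa}"],  # assumed policy name
        "token_ttl": "1h",
    }


def reconcile(observed, existing) -> Tuple[Dict[str, dict], List[str]]:
    """Return (roles to write, role names to delete)."""
    desired = {role_name(ns, sa): desired_role(ns, sa) for ns, sa in observed}
    to_write = {n: spec for n, spec in desired.items() if existing.get(n) != spec}
    to_delete = sorted(n for n in existing if n not in desired)
    return to_write, to_delete


def vault_write_command(name: str, spec: dict) -> str:
    """Render the equivalent CLI call; list values are comma-separated."""
    args = " ".join(f"{k}={','.join(v) if isinstance(v, list) else v}"
                    for k, v in spec.items())
    return f"vault write auth/kubernetes/role/{name} {args}"


# Constructed sample input: what a ServiceAccount watch would report.
OBSERVED_SERVICE_ACCOUNTS = [("default", "default"), ("payments", "checkout"),
                             ("payments", "ledger")]
# Constructed sample: roles already present in Vault, one of them stale.
EXISTING_ROLES = {"payments-checkout": desired_role("payments", "checkout"),
                  "stale-ns-old-svc": desired_role("stale-ns", "old-svc")}

if __name__ == "__main__":
    writes, deletes = reconcile(OBSERVED_SERVICE_ACCOUNTS, EXISTING_ROLES)
    for n, spec in writes.items():
        print(vault_write_command(n, spec))
    for n in deletes:
        print(f"vault delete auth/kubernetes/role/{n}")
```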

We are in the process of prototyping the integration and have thought about the configuration problem you reference. I like the idea of a separate syncer component, but we were also considering:

  1. Relaxing the wildcard constraint in vault kubernetes login role configuration so that “*” can be provided for both namespace and service account. (https://github.com/hashicorp/vault-plugin-auth-kubernetes/issues/47)

  2. A template role to enforce the SPIFFE URI SANs in a CSR match the login token namespace and service account (https://github.com/hashicorp/vault/pull/6558).