Introduction
When you configure the Vault Agent in a container and you are using namespaces, you need to configure it so that the agent can authenticate against Vault and knows where to retrieve the secrets. This guide is meant to clarify the options that you have:
- Setting the environment variable in the container spec.
- Setting the namespaces in the configmap.
- Setting the annotation for the namespace.
Options
Setting the environment variable in the container spec
The easiest method for setting the namespace is setting the proper environment variables in the container spec. This would be a block in the spec declared as such:
```yaml
env:
  - name: VAULT_ADDR
    value: https://127.0.0.1:8200
  - name: VAULT_NAMESPACE
    value: my-namespace
```
This will enforce the namespace on the container for all operations.
Setting the namespaces in the configmap
If setting the environment variable globally is not an option, you can use the configmap option. In your configmap, make sure that the `auto_auth` stanza includes the `namespace` option in its `method` block.
```hcl
auto_auth {
  method "auth_method" {
    # Namespace the agent authenticates against
    namespace  = "my-namespace"
    mount_path = "auth/auth_method"
    config = {
      type = "auth_method_type"
      role = "my-role"
    }
  }
}
```
Setting the annotation for the namespace
Setting the `vault.hashicorp.com/namespace` annotation in your config is another option, but it applies to retrieving secrets only. It does not provide any namespace information for the authentication. It can work in conjunction with the `auto_auth` namespace example above.
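As an added example (not part of the original guide and not HashiCorp code), the following Python check reports which of the three settings above carry a namespace, whether authentication and secret retrieval are each covered, and whether the values agree. It follows this guide's description that the environment variable covers all operations and the annotation covers secret retrieval only; treating the `method` block namespace as covering authentication only, the function names, and the simplified regex-based reading of the agent config are assumptions of the example.

```python
import re

ANNOTATION = "vault.hashicorp.com/namespace"

def method_namespace(agent_hcl):
    """Return the namespace set directly in the auto_auth method block, or None."""
    start = re.search(r'\bmethod\b[^{}]*\{', agent_hcl)
    if not start:
        return None
    depth, body = 1, []
    for ch in agent_hcl[start.end():]:
        depth += (ch == "{") - (ch == "}")
        if depth == 0:          # closing brace of the method block
            break
        if depth == 1 and ch != "}":
            body.append(ch)     # keep top-level text, skip nested blocks such as config
    found = re.search(r'\bnamespace\s*=\s*"([^"]+)"', "".join(body))
    return found.group(1) if found else None

def namespace_coverage(container_env, agent_hcl, annotations):
    """Summarise where a namespace is set and which operations it covers."""
    sources = {}
    for var in container_env:   # option 1: container spec env
        if var.get("name") == "VAULT_NAMESPACE" and var.get("value"):
            sources["env"] = var["value"]
    ns = method_namespace(agent_hcl)   # option 2: configmap auto_auth method
    if ns:
        sources["auto_auth"] = ns
    if annotations.get(ANNOTATION):    # option 3: pod annotation
        sources["annotation"] = annotations[ANNOTATION]
    return {
        "sources": sources,
        "auth": "env" in sources or "auto_auth" in sources,
        "secrets": "env" in sources or "annotation" in sources,
        "consistent": len(set(sources.values())) <= 1,
    }

# Constructed sample input reusing the placeholder names from this guide.
SAMPLE_HCL = '''
auto_auth {
  method "auth_method" {
    namespace  = "my-namespace"
    mount_path = "auth/auth_method"
    config = { role = "my-role" }
  }
}
'''

if __name__ == "__main__":
    print(namespace_coverage([], "", {ANNOTATION: "my-namespace"}))
    print(namespace_coverage([], SAMPLE_HCL, {ANNOTATION: "my-namespace"}))
```

With only the annotation set, the result shows `auth` as `False`, which is the gap the last section describes.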