I want to use Vault AppRole in Kubernetes (Go applications, deployed via Helm). As I understand it, with role_id I need to:
- create a role in Vault (and a policy for it)
- get the role_id and write it to some GitLab CI variable (the app gets it from this env variable during deployment)
But how do I get the secret_id in Kubernetes correctly?
Theoretically I need to:
- request the secret_id from Vault during the deployment => I get a wrapped token as the response
- decrypt it (via vault unwrap) => now I have the secret_id
- use the role_id (from the GitLab variable) and the secret_id => now I have a token for Vault (I'll read Vault secrets with it later)
But how to do it correctly and safely in practice? Please share your experience.
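As an added example (my own code, not the question author's), here is what those three steps look like in a Go app at startup, using only the standard library against Vault's HTTP API. It adds one check the question does not mention: `sys/wrapping/lookup` confirms the wrapping token was really created by this role's secret-id endpoint before anything is unwrapped, and a failed unwrap is treated as a sign the single-use token was already consumed. Function and variable names are my own; the endpoints and JSON fields are Vault's.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// AppRoleLogin: check the wrapping token's origin, unwrap it for secret_id, log in with role_id + secret_id.
func AppRoleLogin(vaultAddr, roleName, roleID, wrapToken string) (string, error) {
	// Lookup first: a token not created by this role's secret-id endpoint was swapped in transit.
	var look struct{ Data struct{ CreationPath string `json:"creation_path"` } `json:"data"` }
	if err := vaultPost(vaultAddr+"/v1/sys/wrapping/lookup", "", map[string]string{"token": wrapToken}, &look); err != nil {
		return "", fmt.Errorf("wrapping lookup: %w", err)
	}
	if want := "auth/approle/role/" + roleName + "/secret-id"; look.Data.CreationPath != want {
		return "", fmt.Errorf("creation_path %q, want %q: refusing to unwrap", look.Data.CreationPath, want)
	}
	// Unwrap is single-use: an error here means the token was already consumed by someone else.
	var unw struct{ Data struct{ SecretID string `json:"secret_id"` } `json:"data"` }
	if err := vaultPost(vaultAddr+"/v1/sys/wrapping/unwrap", wrapToken, map[string]string{}, &unw); err != nil {
		return "", fmt.Errorf("unwrap: %w", err)
	}
	// Login: secret_id only ever lives in this process's memory, not in env vars or files.
	var login struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	if err := vaultPost(vaultAddr+"/v1/auth/approle/login", "", map[string]string{"role_id": roleID, "secret_id": unw.Data.SecretID}, &login); err != nil {
		return "", fmt.Errorf("approle login: %w", err)
	}
	return login.Auth.ClientToken, nil
}

// vaultPost sends a JSON body to a Vault endpoint and decodes the JSON reply into out.
func vaultPost(url, token string, body, out interface{}) error {
	buf, _ := json.Marshal(body)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(buf))
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token) // empty token = unauthenticated call (lookup, login)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("vault returned HTTP %d", resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}
```

The returned client token is what the app then uses to read its secrets; the wrapped token itself can be handed to the pod through the deployment without ever exposing the secret_id to CI logs or environment dumps.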