Two auth backends of the same type

[TomaszKlosinski]

Hi, I'd like to allow my webhook running in a second cluster to access my vault server in the first cluster. For that I need two auth backends:

    auth:
      - type: kubernetes
        config:
          token_reviewer_jwt: <token-for-cluster1-service-account>
          kubernetes_ca_cert: |
            -----BEGIN CERTIFICATE-----
            <certificate-from-certificate-authority-data-on-cluster1>
            -----END CERTIFICATE-----            
          kubernetes_host: <cluster.server-field-on-cluster1>
        roles:
          # Allow every pod in the default namespace to use the secret kv store
          - name: default-old-cluster
            bound_service_account_names: ["default", "vault-secrets-webhook"]
            bound_service_account_namespaces: ["default", "vswh"]
            policies: allow_secrets
            ttl: 1h 
      - type: kubernetes
        config:
          token_reviewer_jwt: <token-for-cluster2-service-account>
          kubernetes_ca_cert: |
            -----BEGIN CERTIFICATE-----
            <certificate-from-certificate-authority-data-on-cluster2>
            -----END CERTIFICATE-----            
          kubernetes_host: <cluster.server-field-on-cluster2>
        roles:
          # Allow every pod in the default namespace to use the secret kv store
          - name: default-new-cluster
            bound_service_account_names: ["default", "vault-secrets-webhook"]
            bound_service_account_namespaces: ["default", "vswh"]
            policies: allow_secrets
            ttl: 1h 

But when I do that, the webhook injection stops working on the first (old) cluster. Is it possible to solve this? Or does webhook support another auth method that I could use instead (like AppRole for example)?

Thanks for any help.

[akijakya]

Hi @TomaszKlosinski, thanks for using Bank-Vaults!

1. What happens if you provide different path for the two kubernetes auth methods, like so:

   auth:
         - type: kubernetes
           path: kubernetes1
           config: ...
         - type: kubernetes
           path: kubernetes2
           config: ...

   ...and refer to those in your workloads vault.security.banzaicloud.io/vault-path annotation?

2. The webhook supports all kinds of auth methods, not just kubernetes!

[TomaszKlosinski]

Hi, thank you for the response. How do I pass role-id and secret-id of the approle to make webhook authenticate using vault token?

[TomaszKlosinski]

PS. Defining path solved the problem for me. Thanks for help.