
Istio and Hashicorp Vault: using SPIFFE to authenticate with Vault


I have no knowledge about using SPIFFE for Vault authentication, but I agree that it could be interesting (I'm not sure whether https://www.vaultproject.io/docs/auth/cert could help, but I never tried that).

As far as I know, the general way of integrating Kubernetes with Hashicorp Vault is described in https://www.vaultproject.io/docs/auth/kubernetes . It does not really matter where Vault is deployed: it can be inside the same Kubernetes cluster, in the same service mesh, or it can be a completely unrelated entity (e.g., a dedicated instance deployed on some random VM).

You basically define roles and policies on Vault, which are mapped to specific Kubernetes service accounts and namespaces, and then the Kubernetes pod will be able to authenticate with the JWT that is associated with its service account.

Once Vault is set up and you can authenticate with Kubernetes pods, you can have any wrapper around it. People are trying to do this in different ways, but one possibility would be https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar . Personally, I'm using https://github.com/postfinance/vault-kubernetes because it fits my needs quite well.

The important part is setting up Vault to support Kubernetes properly: make sure to double check that first, before getting into any of these Kubernetes packages that try to fetch secrets.
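The Kubernetes auth flow described in the reply above, as an added example that is not code from the post, from Vault or from vault-kubernetes: the pod posts its service-account JWT plus a role name to Vault's `auth/kubernetes/login` endpoint, and the role on the Vault side pins which service account and namespace may use it. The Vault address, the role name `app`, the namespace `prod` and the token value are assumptions.

```python
"""Pod-side Vault login via the Kubernetes auth method, plus a check that the
Vault role is bound to a concrete service account/namespace pair."""
import json
import urllib.request

# Projected service-account token that every pod gets by default.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def build_login_request(vault_addr, role, jwt):
    """URL and JSON body for POST /v1/auth/kubernetes/login."""
    url = vault_addr.rstrip("/") + "/v1/auth/kubernetes/login"
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    return url, body


def _http_post(url, body):
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def vault_k8s_login(vault_addr, role, jwt, post=_http_post):
    """Exchange the SA JWT for a Vault client token; returns (token, ttl_seconds).
    `post` is injectable so the exchange can be exercised without a Vault."""
    url, body = build_login_request(vault_addr, role, jwt)
    auth = post(url, body)["auth"]
    return auth["client_token"], auth["lease_duration"]


def role_is_scoped(role_cfg):
    """Vault accepts "*" in both bound_* lists; a wildcard lets any service
    account (or any namespace) obtain this role's policies, so this stricter
    local check rejects wildcards and empty bindings outright."""
    names = role_cfg.get("bound_service_account_names", [])
    namespaces = role_cfg.get("bound_service_account_namespaces", [])
    return bool(names) and bool(namespaces) and "*" not in names and "*" not in namespaces


# Constructed role, mirroring what `vault write auth/kubernetes/role/app ...` sets.
APP_ROLE = {
    "bound_service_account_names": ["app"],
    "bound_service_account_namespaces": ["prod"],
    "token_policies": ["app-read"],
    "token_ttl": "1h",
}

if __name__ == "__main__":
    with open(SA_TOKEN_PATH) as f:  # only works inside a pod
        token, ttl = vault_k8s_login("http://vault.vault.svc:8200", "app", f.read().strip())
    print(f"client token obtained, lease {ttl}s")
```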