Option to disable auto-auth #218
Comments
Thanks for the feature request @FalconerTC, we'll take a look at adding this. And as always, contributions welcome! 😄
I'd be open to contributing a solution for this if you had some thoughts on how best to achieve this functionality. I'm not actually sure if you can have a Vault agent populate a template without supplying an auto-auth section, but I'm no expert. Waiting for #213 and then using approle might make more sense.
Here's a gist of one of my scripts used when developing K8s tooling. It stands up a Kind cluster, provisions Vault on it, and provisions the Kubernetes Auth Method on that Vault.
Interesting gist! It's still relying on the fact that the Vault server is running in Kind as well though, right? As far as I can tell, there isn't a good way of having a local cluster authenticate with an external central Vault server, except maybe with a persistent port-forward of some kind.
The Vault server happens to be running in Kind, but it could as well be external. In that case, the K8s API just has to be exposed and accessible by the Vault server. This line configures the K8s Auth method, so just swap out the var. Or, uncomment this line and it'll just read your K8s host from the current kubeconfig.
An option to run the agent without auto-auth, expecting the user to share a token by volume, would be helpful. I'd like to run this in a local Kind cluster where Kubernetes authentication is impossible. I see support for multiple auth methods is being added, but being able to inject a token would be pretty helpful.