sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign

Better support for hashivault KMS - based validation

raffaelespazzoli opened this issue · comments

Description

With hashivault KMS-based validation the following environment variables must be set:
VAULT_ADDR: probably a static value.
VAULT_TOKEN: usually a dynamic value that is retrieved by authenticating to vault and cannot be statically passed.

The fact that the VAULT_TOKEN is expected as an (immutable) environment variable is a problem for a long-running process as Vault tokens have a TTL and the best practice is to make them short-lived.

Additionally, when running in Kubernetes it's a safe assumption that the kube authentication method will be used. For this to work, two more pieces of information are required:

  1. the authentication path.
  2. the requested role.

At the moment the policy-controller does not know how to authenticate to Vault.
The next best option is to use the vault agent as a pod sidecar to retrieve the VAULT_TOKEN. In this case the policy-controller would need to be able to read a file before every attempt to connect to Vault.

So here is the RFE:

  1. [best] support for kube authentication approach from within the policy controller.
  2. [fall-back] support for reading the token from a file instead of from an environment variable.
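As an added example (not policy-controller's code, and not a claim about how the project would implement it), here is what the [best] option could look like in Go: a login against Vault's Kubernetes auth method, driven by the auth mount path and role named in the issue plus the pod's projected service account JWT (the caller reads it from /var/run/secrets/kubernetes.io/serviceaccount/token), wrapped in a cache that re-authenticates before the token's TTL runs out instead of trusting one static VAULT_TOKEN. The injected `post` transport, the `RefreshingToken` type and the sample values in comments are assumptions; the endpoint and JSON field names are Vault's documented Kubernetes auth API.

```go
package main

import (
	"encoding/json"
	"errors"
	"sync"
	"time"
)

// KubeLogin runs Vault's Kubernetes auth login (POST {vaultAddr}/v1/auth/{authPath}/login
// with {"role","jwt"}) through the injected post func and returns auth.client_token and its TTL.
func KubeLogin(post func(url string, body []byte) ([]byte, error), vaultAddr, authPath, role, jwt string) (string, time.Duration, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	raw, err := post(vaultAddr+"/v1/auth/"+authPath+"/login", body)
	if err != nil {
		return "", 0, err
	}
	var r struct {
		Auth struct {
			ClientToken   string `json:"client_token"`
			LeaseDuration int    `json:"lease_duration"` // seconds
		} `json:"auth"`
	}
	if err = json.Unmarshal(raw, &r); err == nil && r.Auth.ClientToken == "" {
		err = errors.New("vault login reply has no client_token")
	}
	return r.Auth.ClientToken, time.Duration(r.Auth.LeaseDuration) * time.Second, err
}

// RefreshingToken (hypothetical) re-authenticates once the cached token is within margin of its TTL, instead of trusting one static VAULT_TOKEN.
type RefreshingToken struct {
	mu     sync.Mutex // admission requests are served concurrently
	login  func() (string, time.Duration, error)
	margin time.Duration
	token  string
	expiry time.Time
}

func (r *RefreshingToken) Token() (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if time.Now().Add(r.margin).Before(r.expiry) {
		return r.token, nil // still fresh: reuse without another login round-trip
	}
	tok, ttl, err := r.login()
	if err == nil {
		r.token, r.expiry = tok, time.Now().Add(ttl)
	}
	return tok, err
}
```

Wiring it up means `login` closes over `KubeLogin` with a real HTTP POST to VAULT_ADDR and a fresh read of the service account token file, so a rotated projected token is picked up on the next re-authentication.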