Each API has an Authentication section that specifies how to authenticate to Vault. Here is an example:

    authentication:
      path: kubernetes
      role: policy-admin
      namespace: tenant-namespace
      serviceAccount:
        name: vaultsa

The path field specifies the path at which the Kubernetes authentication role is mounted.
The role field specifies which role to request when authenticating.
The namespace field specifies the Vault namespace (not related to Kubernetes namespace) to use. This is optional.
The serviceAccount.name field specifies the service account whose token is used during the authentication process.
So the above configuration roughly corresponds to the following command:

    vault write [tenant-namespace/]auth/kubernetes/login role=policy-admin jwt=<vaultsa jwt token>
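
The mapping above can also be written out as the HTTP login request Vault receives. This is an added example, not code from the project: the `Authentication` class and the `login_request` and `cli_equivalent` helpers are hypothetical names, the Vault address and JWT are constructed placeholders, and the namespace is passed in Vault's `X-Vault-Namespace` header instead of as a path prefix.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Authentication:
    """The fields of the authentication section shown above."""
    path: str
    role: str
    service_account: str             # serviceAccount.name
    namespace: Optional[str] = None  # Vault namespace; optional


def login_request(auth, vault_addr, jwt):
    """Build (url, headers, body) for the Kubernetes auth login; nothing is sent."""
    mount = auth.path.strip("/")
    if not mount or not auth.role:
        raise ValueError("path and role are required")
    if not jwt:
        raise ValueError(f"no token for service account {auth.service_account!r}")
    url = f"{vault_addr.rstrip('/')}/v1/auth/{mount}/login"
    headers = {"Content-Type": "application/json"}
    if auth.namespace:
        # Vault namespaces are selected per request with this header.
        headers["X-Vault-Namespace"] = auth.namespace.strip("/")
    body = json.dumps({"role": auth.role, "jwt": jwt})
    return url, headers, body


def cli_equivalent(auth):
    """Render the vault CLI command that corresponds to the same fields."""
    prefix = f"{auth.namespace.strip('/')}/" if auth.namespace else ""
    return (f"vault write {prefix}auth/{auth.path.strip('/')}/login "
            f"role={auth.role} jwt=<{auth.service_account} jwt token>")


# Values from the example above; the address and JWT are constructed placeholders.
EXAMPLE = Authentication("kubernetes", "policy-admin", "vaultsa", "tenant-namespace")

if __name__ == "__main__":
    url, headers, body = login_request(EXAMPLE, "https://vault.example.com:8200", "<constructed-jwt>")
    print(url, headers, body, sep="\n")
    print(cli_equivalent(EXAMPLE))
```

When the namespace field is omitted, no namespace header is set and the command has no namespace prefix.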