docs: update vault-k8s to 0.9.0 (#11138)

* docs: update vault-k8s to 0.9.0

* Fix typos

* Update website/content/docs/platform/k8s/injector/examples.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/injector/annotations.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Add links for auto-auth

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

website/content/docs/platform/k8s/injector/annotations.mdx

@@ -29,7 +29,7 @@ them, optional commands to run, etc.
 
 - `vault.hashicorp.com/agent-image` - name of the Vault docker image to use. This
   value overrides the default image configured in the controller and is usually
-  not needed. Defaults to `vault:1.4.2`.
+  not needed. Defaults to `vault:1.6.3`.
 
 - `vault.hashicorp.com/agent-init-first` - configures the pod to run the Vault Agent
   init container first if `true` (last if `false`). This is useful when other init
@@ -144,7 +144,10 @@ them, optional commands to run, etc.
   (uid 0), the `run-as-same-user` annotation will fail injection with an error.
 
 - `vault.hashicorp.com/agent-cache-enable` - configures Vault Agent to enable
-  [caching](/docs/agent/caching). Defaults to `false`.
+  [caching](/docs/agent/caching). In Vault 1.7+ this annotation will also enable 
+  a Vault Agent persistent cache. This persistent cache will be shared between the init 
+  and sidecar container to reuse tokens and leases retrieved by the init container. 
+  Defaults to `false`. 
 
 - `vault.hashicorp.com/agent-cache-use-auto-auth-token` - configures Vault Agent cache
   to authenticate on behalf of the requester. Set to `force` to enable. Disabled
@@ -163,9 +166,21 @@ Vault annotations change how the Vault Agent containers communicate with Vault.
 example, Vault's address, TLS certificates to use, client parameters such as timeouts,
 etc.
 
-- `vault.hashicorp.com/auth-path` - configures the auth path for the Kubernetes
+- `vault.hashicorp.com/auth-config` - configures additional parameters for the configured 
+  authentication method. The name of the config is any unique string after 
+  `vault.hashicorp.com/auth-config-`, such as `vault.hashicorp.com/auth-config-role-id-file-path`. 
+  This annotation can be reused multiple times to configure multiple settings for the authentication
+  method. Some authentication methods may require additional secrets and should be mounted via the 
+  `vault.hashicorp.com/agent-extra-secret` annotation. For a list of valid authentication configurations, 
+  see the Vault Agent [auto-auth documentation](/docs/agent/autoauth/methods).
+
+- `vault.hashicorp.com/auth-path` - configures the authentication path for the Kubernetes
   auth method. Defaults to `auth/kubernetes`.
 
+- `vault.hashicorp.com/auth-type` - configures the authentication type for Vault Agent.
+  Defaults to `kubernetes`. For a list of valid authentication methods, see the Vault Agent 
+  [auto-auth documentation](/docs/agent/autoauth/methods).
+
 - `vault.hashicorp.com/ca-cert` - path of the CA certificate used to verify Vault's
   TLS.
 
@@ -194,6 +209,9 @@ etc.
 - `vault.hashicorp.com/namespace` - configures the Vault Enterprise namespace to
   be used when requesting secrets from Vault.
 
+- `vault.hashicorp.com/proxy-address` - configures the HTTP proxy to use when connecting 
+  to a Vault server.
+
 - `vault.hashicorp.com/role` - configures the Vault role used by the Vault Agent
   auto-auth method. Required when `vault.hashicorp.com/agent-configmap` is not set.
 
@@ -209,4 +227,4 @@ etc.
 
 - `vault.hashicorp.com/tls-skip-verify` - if true, configures the Vault Agent to
   skip verification of Vault's TLS certificate. It's not recommended to set this
-  value to true in a production environment.
+  value to true in a production environment.

website/content/docs/platform/k8s/injector/examples.mdx

@@ -290,3 +290,52 @@ spec:
           ports:
             - containerPort: 9090
 ```
+
+## AppRole Authentication
+
+The following example demonstrates how the AppRole authentication method can be used by 
+Vault Agent for retrieving secrets. A Kubernetes secret containing the AppRole secret ID 
+and role ID should be created first.
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web-deployment
+  labels:
+    app: web
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-extra-secret: "approle-example"
+        vault.hashicorp.com/auth-type: "approle"
+        vault.hashicorp.com/auth-path: "auth/approle"
+        vault.hashicorp.com/auth-config-role-id-file-path: "/vault/custom/role-id"
+        vault.hashicorp.com/auth-config-secret-id-file-path: "/vault/custom/secret-id"
+        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
+        vault.hashicorp.com/agent-inject-template-db-creds: |
+          {{- with secret "database/creds/db-app" -}}
+          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres.postgres.svc:5432/wizard?sslmode=disable
+          {{- end }}
+        vault.hashicorp.com/role: "my-role"
+        vault.hashicorp.com/tls-secret: "vault-tls"
+        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
+    spec:
+      serviceAccountName: web
+      containers:
+        - name: web
+          image: alpine:latest
+          args:
+            ['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']
+          ports:
+            - containerPort: 9090
+```

website/content/docs/platform/k8s/injector/index.mdx

@@ -50,15 +50,15 @@ useful to customize Vault Agent beyond what the provided annotations offer.
 ### Authenticating with Vault
 
 The primary method of authentication with Vault when using the Vault Agent Injector
-is the service account attached to the pod. At this time, no other authentication
+is the service account attached to the pod. Other authentication methods can be configured 
-method is supported by the controller.
+using annotations.
 
-The service account must be bound to a Vault role and a policy granting access to
+For Kubernetes authentication, the service account must be bound to a Vault role and a 
-the secrets desired.
+policy granting access to the secrets desired.
 
-A service account must be present to use the Vault Agent Injector. It is _not_
+A service account must be present to use the Vault Agent Injector with the Kubernetes 
-recommended to bind Vault roles to the default service account provided to pods
+authentication method. It is _not_ recommended to bind Vault roles to the default service 
-if no service account is defined.
+account provided to pods if no service account is defined.
 
 ### Requesting Secrets