Openshift Conjur integration (Followers outside of the Openshift)

Hello Team - We are planning to integrate OpenShift containers with Conjur to fetch secrets. The followers are not deployed in OpenShift; they are on standalone hosts.

  1. Per my understanding based on the documentation - if the followers are outside the OpenShift/k8s clusters, then the only supported configuration is to use JWT-based authn, correct?

  2. I have a specific question on the two possible ways to set up the apps shown below.

[image]

2.1 If we are using the k8s authentication client, does the access token get stored in plain text (even if base64 encoded) in the shared volume - /run/conjur? I understand the token has a TTL of 8 mins by default; how can one protect the short-lived token that is stored on the volume?

In order for the container to retrieve secrets, can we use the REST API or summon with the access token stored in the volume mount?

2.2 If we are going with the ‘secrets provider’ route - which is more secure - Push to File or K8s mapped secrets?

For the k8s mapped secrets, is the configMap configured as below? I am trying to understand what “conjur-map: | -” does.

[image]

In addition, for the push-to-file method, is it secure to have the credentials.yaml in hard-coded format?

Thanks,
Kumar
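The following is an added example, not code from the post above or from CyberArk; it illustrates the two mechanisms the question touches on from a defender's point of view. It assumes (1) the Kubernetes authenticator client writes the raw Conjur access token to /run/conjur/access-token, (2) the Conjur REST API accepts that token base64-encoded in an `Authorization: Token token="..."` header and serves variables at `/secrets/{account}/variable/{id}`, and (3) a `conjur-map` block is a YAML literal block scalar whose lines read `k8s-secret-key: conjur/variable/id`. The Conjur URL, account name, variable IDs and token bytes are constructed sample values.

```python
import base64
import os
import stat
import tempfile
from urllib.parse import quote
from urllib.request import Request, urlopen

# Assumed default location where the k8s authenticator client drops the token.
TOKEN_PATH = "/run/conjur/access-token"


def token_file_is_private(path):
    """True if the token file is readable only by its owner (no group/other bits).

    The token is short-lived (8 min TTL by default) but still a bearer credential,
    so the volume it sits on should not be world-readable inside the pod.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_token_file_modes():
    """Create two constructed token files (0600 and 0644) and report the check for each."""
    results = {}
    for perm in (0o600, 0o644):
        fd, path = tempfile.mkstemp(prefix="access-token-")
        os.write(fd, b'{"protected":"x","payload":"y","signature":"z"}')  # constructed
        os.close(fd)
        os.chmod(path, perm)
        results[oct(perm)] = token_file_is_private(path)
        os.unlink(path)
    return results


def auth_header(raw_token):
    """Build the Conjur Authorization header: the raw token, base64 encoded (assumed format)."""
    return 'Token token="%s"' % base64.b64encode(raw_token).decode("ascii")


def parse_conjur_map(block):
    """Parse the body of a conjur-map block scalar into {k8s_secret_key: conjur_variable_id}.

    The '|' in 'conjur-map: |' is plain YAML: it keeps the following indented lines as one
    literal string. The Secrets Provider then reads each line as key: variable-id.
    """
    mapping = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, var_id = line.partition(":")
        if not sep:
            raise ValueError("malformed conjur-map line: %r" % line)
        mapping[key.strip()] = var_id.strip()
    return mapping


def default_http_get(url, header_value):
    """Real fetch over urllib; the token goes only in the header, never in the URL."""
    req = Request(url, headers={"Authorization": header_value})
    with urlopen(req, timeout=10) as resp:  # pragma: no cover (network)
        return resp.read().decode("utf-8")


def fetch_mapped_secrets(conjur_url, account, conjur_map, raw_token, http_get=default_http_get):
    """Fetch every variable named in conjur_map via the REST API using the mounted token.

    http_get is injectable so the flow can be exercised offline.
    """
    header_value = auth_header(raw_token)
    secrets = {}
    for k8s_key, var_id in conjur_map.items():
        url = "%s/secrets/%s/variable/%s" % (conjur_url, account, quote(var_id, safe=""))
        secrets[k8s_key] = http_get(url, header_value)
    return secrets


# Constructed sample input: a conjur-map block as it would appear under stringData.
SAMPLE_CONJUR_MAP = """
# k8s secret key : Conjur variable id
db_username: app/prod/db/username
db_password: app/prod/db/password
"""

if __name__ == "__main__":
    print(demo_token_file_modes())
    print(parse_conjur_map(SAMPLE_CONJUR_MAP))
```

Note the design choice in `fetch_mapped_secrets`: the token is read from the volume, wrapped in the header, and never written to logs or the URL. Whichever route is chosen (REST call, summon, or the Secrets Provider), the same short-lived token is the credential, so restricting the volume's file mode and the pod's service-account scope is what actually limits exposure, not the base64 encoding.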