Agent Sidecar Injector reads secret with delay

pollinaria · February 24, 2022, 2:12pm

Hello!

I use Agent Sidecar Injector in Kubernetes and it reads secrets with a delay.
If my pod starts with this entrypoint script,

SECRETS=$(ls /vault/secrets)

for secretFile in $SECRETS; do
cat /vault/secrets/$secretFile >> /vaultEnvs
done

file /vaultEnvs is empty.
But if I add a few seconds pause before it, everything is OK

sleep 15

SECRETS=$(ls /vault/secrets)

for secretFile in $SECRETS; do
cat /vault/secrets/$secretFile >> /vaultEnvs
done

Is it possible for Agent Sidecar Injector read secret immediately without a delay?

RemcoBuddelmeijer · February 26, 2022, 9:14pm

Is your pod an init-container or a normal running container?

In case you run an init-container, you can add the following annotation to ensure correct startup order vault.hashicorp.com/agent-init-first.

If you want to ensure that the secrets are pre-populated (this is done in another init-container), you can use the http://vault.hashicorp.com/agent-pre-populate annotation. This can be done for both the type of containers.

Topic		Replies	Views
Vault-agent-injector racing condition when application pods utilizing vault-sidecar come up faster then vault Vault k8s , vault	7	2755	November 2, 2021
About the method of pulling secret to the application on kubernetes Vault	1	287	March 23, 2022
Write secrets from pod using agent-sidecar? Vault k8s , vault	2	296	July 1, 2022
Kubernetes Vault Agent Init Container Only Vault	0	445	January 11, 2021
Vault agent injector dynamic secrets Vault	3	1044	April 17, 2020

Agent Sidecar Injector reads secret with delay

Related topics