Agent Sidecar Injector - Why is agent-inject-secret required if agent-inject-template is specified?

Hi, I am successfully using the Agent Sidecar Injector to inject secrets into my Kubernetes cluster via annotations in my deployment, but there seems to be some redundancy in the way the annotations have been implemented. I have experimented a bit and this is what I have found.

If only the agent-inject-secret annotation is supplied, then all works well and the secret at the specified path is used.

If, however, I also specify an agent-inject-template, then the secret specified in the agent-inject-secret annotation is ignored and only what I specify in the template is used. I then tried only specifying the agent-inject-template, but then nothing is rendered.

Point being I think the documentation should probably be updated to indicate this behavior, or allow specifying a template by itself.

To illustrate, with the config below, the 'some/unrelated/secret', as far as I can tell, has zero value and is confusing to the reader. The agent-inject-template annotation as far as I can tell contains all of the information needed - the filename, and the secrets - so why also require the agent-inject-secret in this case?

vault.hashicorp.com/agent-inject-secret-foo: 'some/unrelated/secret'
vault.hashicorp.com/agent-inject-template-foo: |
  {{- with secret "database/creds/db-app" -}}
  postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable
  {{- end }}
vault.hashicorp.com/role: 'app'

At the bottom of the documentation page, there is an "Edit" button, which sends you to GitHub where you can modify the documentation and create a pull request. That's the best way to give feedback and improve the documentation.

Hi Aram,

Ok great, thank you. I am definitely willing to have a stab at updating the documentation, but wouldn’t it be better to fix the current behavior? I have only just started using Vault, and I don’t know enough about the inner workings of the project to know why it behaves like this. Perhaps someone with more experience can shed some light on this before I update the documentation?

Hey!

This is a bit of a hard one, but allow me to explain.
The injector is there for easy translation between Kubernetes, Vault and the Vault Agent. While it might feel a bit redundant to first have to define what secret to fetch only to then override it with a new template, it is completely valid.

Whenever you define what secret to fetch, it comes with a default template. This means that the secret is not overridden later on, as it is an indicator of which secret to fetch.

{{ with secret "some/unrelated/secret" }}
{{ range $k, $v := .Data }}
{{ $k }}: {{ $v }}
{{ end }}
{{ end }}

This template is then handed to the Vault Agent itself.

The templating annotation is there simply to override this annotation.
With this, I think the behaviour is valid, and I disagree that the template should be usable on its own. They simply belong to each other.
Removing the requirement for the secret and allowing the template to be defined standalone instead would create a lot of confusion. Both use cases would then work, yet they would work both together and standalone. This feels a bit iffy.

I hope this explains the difference between the secret annotation and the secret-template annotation, and their respective use cases, a bit!

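The pairing rule the reply describes (the secret annotation defines the entry and its default template, the template annotation with the same name suffix only overrides that template, and a template annotation without a matching secret annotation produces nothing) can be shown in a small model. The Go program below is an added example written for this thread; it is not vault-k8s source code and only imitates the behaviour observed in the question and explained in the reply. The annotation prefixes and the /vault/secrets/<name> default destination are taken from the injector's documented annotation scheme; the `Parse`, `Secret` and `AgentConfig` names, the HCL-like output, and the sample annotations are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation keys as used in the question. Only the secret/template pair is
// modelled here; role, namespace and the other injector annotations are ignored.
const (
	secretAnnotation   = "vault.hashicorp.com/agent-inject-secret-"
	templateAnnotation = "vault.hashicorp.com/agent-inject-template-"
	defaultDestination = "/vault/secrets/" // assumed default file location
)

// Secret is one template stanza the agent would be handed.
type Secret struct {
	Name     string // suffix shared by both annotations, used as the file name
	Path     string // Vault path from agent-inject-secret-<name>
	Template string // default template, or the override from agent-inject-template-<name>
}

// defaultTemplate is the generic key/value template quoted in the reply above,
// with the secret path from the annotation substituted in.
func defaultTemplate(path string) string {
	return fmt.Sprintf("{{ with secret %q }}\n{{ range $k, $v := .Data }}\n{{ $k }}: {{ $v }}\n{{ end }}\n{{ end }}", path)
}

// Parse builds one Secret per agent-inject-secret-<name> annotation and then
// applies any agent-inject-template-<name> override with a matching suffix.
// A template annotation whose suffix has no secret annotation is dropped,
// which reproduces the "nothing is rendered" observation from the question.
func Parse(annotations map[string]string) []Secret {
	byName := map[string]*Secret{}
	for k, v := range annotations {
		if strings.HasPrefix(k, secretAnnotation) {
			name := strings.TrimPrefix(k, secretAnnotation)
			byName[name] = &Secret{Name: name, Path: v, Template: defaultTemplate(v)}
		}
	}
	for k, v := range annotations {
		if strings.HasPrefix(k, templateAnnotation) {
			name := strings.TrimPrefix(k, templateAnnotation)
			if s, ok := byName[name]; ok {
				s.Template = v // the override replaces the default template only
			}
		}
	}
	out := make([]Secret, 0, len(byName))
	for _, s := range byName {
		out = append(out, *s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// AgentConfig renders the parsed entries as HCL-like template stanzas for
// readability; the real injector emits its own agent configuration format.
func AgentConfig(secrets []Secret) string {
	var b strings.Builder
	for _, s := range secrets {
		fmt.Fprintf(&b, "template {\n  destination = %q\n  contents = <<EOT\n%s\nEOT\n}\n",
			defaultDestination+s.Name, s.Template)
	}
	return b.String()
}

func main() {
	// Constructed sample: foo mirrors the question (secret + template override),
	// bar has only a secret annotation, baz has only a template annotation.
	annotations := map[string]string{
		"vault.hashicorp.com/agent-inject-secret-foo":   "some/unrelated/secret",
		"vault.hashicorp.com/agent-inject-template-foo": "{{- with secret \"database/creds/db-app\" -}}\npostgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable\n{{- end }}",
		"vault.hashicorp.com/agent-inject-secret-bar":   "secret/data/bar",
		"vault.hashicorp.com/agent-inject-template-baz": "{{ with secret \"secret/data/baz\" }}{{ .Data.data.value }}{{ end }}",
	}
	fmt.Print(AgentConfig(Parse(annotations)))
}
```

Running it prints two stanzas: /vault/secrets/foo carries the override template (the 'some/unrelated/secret' path only names the entry and is never rendered), /vault/secrets/bar carries the default key/value template, and baz does not appear at all because no secret annotation created an entry for it.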