Hello,
I have deployed a Vault HA cluster into my Kubernetes cluster, and I created a secret plus a policy that gives access to it. I created a service account and token, and I use curl to get a Vault token and `vault read` to get the secret. All worked fine.
I am now trying to inject the secret into my ConfigMap. Here is the code:
apiVersion: v1
kind: ConfigMap
metadata:
  name: alertmanager-config
  namespace: monitoring
data:
  config.hcl: |
    auto_auth {
      method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = {
          role = "generic_ro"
        }
      }
      sink "file" {
        config = {
          path = "/home/vault/.token"
        }
      }
    }
    vault {
      address = "http://vault.vault.svc.cluster.local:8200"
    }
    template {
      source      = "/vault/templates/alertmanager.yml.ctmpl"
      destination = "/etc/alertmanager/alertmanager.yml"
      wait {
        min = "2s"
        max = "60s"
      }
    }
  config-init.hcl: |
    auto_auth {
      method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = {
          role = "generic_ro"
        }
      }
      sink "file" {
        config = {
          path = "/home/vault/.token"
        }
      }
    }
    vault {
      address = "http://vault.vault.svc.cluster.local:8200"
    }
    template {
      source               = "/vault/templates/alertmanager.yml.ctmpl"
      destination          = "/etc/alertmanager/alertmanager.yml"
      error_on_missing_key = true
      wait {
        min = "2s"
        max = "60s"
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alertmanager
  namespace: monitoring
  labels:
    app: alertmanager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alertmanager
  template:
    metadata:
      labels:
        app: alertmanager
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-configmap: 'alertmanager-config'
        vault.hashicorp.com/role: 'generic_ro'
    ... # omit the rest
It crashes and I get these logs every time:
2025-01-16T16:05:16.823Z [INFO] agent.sink.file: creating file sink
2025-01-16T16:05:16.824Z [INFO] agent.sink.file: file sink configured: path=/home/vault/.token mode=-rw-r----- owner=100 group=1000
2025-01-16T16:05:16.827Z [INFO] agent.exec.server: starting exec server
2025-01-16T16:05:16.827Z [INFO] agent.exec.server: no env templates or exec config, exiting
2025-01-16T16:05:16.827Z [INFO] agent.auth.handler: starting auth handler
2025-01-16T16:05:16.827Z [INFO] agent.auth.handler: authenticating
2025-01-16T16:05:16.827Z [INFO] agent.sink.server: starting sink server
2025-01-16T16:05:16.827Z [INFO] agent.template.server: starting template server
2025-01-16T16:05:16.827Z [INFO] agent: (runner) creating new runner (dry: false, once: false)
2025-01-16T16:05:16.828Z [INFO] agent: (runner) creating watcher
2025-01-16T16:05:16.828Z [INFO] agent.template.server: template server stopped
2025-01-16T16:05:16.828Z [INFO] agent.sink.server: sink server stopped
2025-01-16T16:05:16.828Z [INFO] agent: sinks finished, exiting
2025-01-16T16:05:16.828Z [INFO] agent.exec.server: exec server stopped
2025-01-16T16:05:16.828Z [ERROR] agent.auth.handler: error authenticating: error="context canceled" backoff=930ms
2025-01-16T16:05:16.828Z [INFO] agent.auth.handler: auth handler stopped
2025-01-16T16:05:16.829Z [ERROR] agent: runtime error encountered: error="template server failed to create: failed to read template: open /vault/templates/alertmanager.yml.ctmpl: no such file or directory" exitCode=1
Error encountered during run, refer to logs for more details.
Any idea? Did I miss something?
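An added example, not part of the original post, of one way to make the template file the last log line complains about (`/vault/templates/alertmanager.yml.ctmpl: no such file or directory`) visible to the agent containers. The injector only mounts the `agent-configmap` into the agent; nothing in the posted manifests puts the `.ctmpl` file into the pod. Here the template is shipped in its own ConfigMap, mounted into the application container, and the injector is told to copy that container's volume mounts into the agent containers with the `vault.hashicorp.com/agent-copy-volume-mounts` annotation. The template's destination directory is also a shared volume, since the posted config writes to `/etc/alertmanager` rather than the injector's default `/vault/secrets`. The ConfigMap name `alertmanager-templates`, the container name `alertmanager`, the image, the KV path `secret/data/alertmanager` and the key `slack_api_url` are assumptions; the role, address and file paths are the ones from the post.

```yaml
# Added example (assumptions marked inline); not the poster's manifests.
apiVersion: v1
kind: ConfigMap
metadata:
  name: alertmanager-templates        # assumed name
  namespace: monitoring
data:
  alertmanager.yml.ctmpl: |
    # Consul Template syntax rendered by Vault Agent. The KV v2 mount "secret",
    # the key "alertmanager" and the field "slack_api_url" are assumptions.
    global:
      slack_api_url: {{ with secret "secret/data/alertmanager" }}{{ .Data.data.slack_api_url }}{{ end }}
    route:
      receiver: slack
    receivers:
      - name: slack
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alertmanager
  namespace: monitoring
  labels:
    app: alertmanager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alertmanager
  template:
    metadata:
      labels:
        app: alertmanager
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-configmap: 'alertmanager-config'   # the poster's ConfigMap
        vault.hashicorp.com/role: 'generic_ro'
        # Copy the volume mounts of the named app container into the agent init
        # and sidecar containers, so /vault/templates and /etc/alertmanager
        # exist there too (the agent reads the source and writes the destination).
        vault.hashicorp.com/agent-copy-volume-mounts: 'alertmanager'
    spec:
      containers:
        - name: alertmanager             # assumed container name
          image: prom/alertmanager       # assumed image
          args: ["--config.file=/etc/alertmanager/alertmanager.yml"]
          volumeMounts:
            - name: vault-templates      # source of the .ctmpl file
              mountPath: /vault/templates
              readOnly: true
            - name: alertmanager-rendered  # destination written by the agent
              mountPath: /etc/alertmanager
      volumes:
        - name: vault-templates
          configMap:
            name: alertmanager-templates
        - name: alertmanager-rendered
          emptyDir:
            medium: Memory             # keep the rendered secret off disk
```

The posted `config.hcl` and `config-init.hcl` stay unchanged: the init container renders the file once before the application starts and the sidecar keeps it fresh. Two things worth noting from the posted config while you are here: the agent talks to Vault over plain `http://`, so the Kubernetes service-account JWT and the returned Vault token cross the cluster network unencrypted unless something else protects that hop (the `vault` stanza accepts `ca_cert` for a TLS listener), and the token sink at `/home/vault/.token` is written group-readable for GID 1000 according to the log line, which is fine only if no other process in the pod runs under that group.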