Our application runs on Kubernetes and secrets are basically stored in HashiCorp Vault. We are using the AppRole authentication method, where the Vault agent resides in the same cluster but the Vault server runs in a different Kubernetes cluster.
I'm passing the annotations below in my Kubernetes manifests, but the issue I'm having is that when the Pod gets automatically rescheduled (due to autoscaling etc.), the Vault agent doesn't inject the sidecar container into the newly rescheduled pod.
NOTE: This only happens when the Pod gets rescheduled automatically.
annotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-vault-addr: 'URL-Of-Vault-Server'
  vault.hashicorp.com/auth-type: 'approle'
  vault.hashicorp.com/auth-path: 'auth/approle'
  vault.hashicorp.com/auth-config-role-id-file-path: '/vault/custom/role-id'
  vault.hashicorp.com/auth-config-secret-id-file-path: '/vault/custom/secret-id'
  vault.hashicorp.com/agent-extra-secret: 'my-approle'
  vault.hashicorp.com/role: 'myrole'
  vault.hashicorp.com/auth-config-remove_secret_id_file_after_reading: 'false'
  vault.hashicorp.com/agent-inject-secret-config.env: 'kv/mysecrets/secrets'
  vault.hashicorp.com/agent-inject-template-config.env: |
    {{ with secret "kv/mysecrets/secrets/" -}}
    export JAVA_TOOL_OPTIONS="Some_Key={{ .Data.data.SECRET }} "
    {{- end }}
Any idea why it doesn't inject the sidecar container into the newly rescheduled pods?
Do I need to pass these annotations as well?
  vault.hashicorp.com/agent-inject-status
  vault.hashicorp.com/agent-pre-populate
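A quick way to see which pods actually received the sidecar, as an added example that is not part of the original post or of HashiCorp's vault-k8s project: the injector is a mutating webhook that, when it mutates a pod, adds an init container named `vault-agent-init`, a sidecar named `vault-agent`, and the annotation `vault.hashicorp.com/agent-inject-status: injected` (and skips pods that already carry that status). The script below reads the JSON from `kubectl get pods -A -o json` and flags pods that request injection but show no sign of the webhook having run, so rescheduled replicas without a sidecar stand out. The pod names, namespace and the `_pod` helper are constructed sample data, not from the original cluster.

```python
"""Audit pods for a missing Vault Agent Injector sidecar (added example)."""
import json
import sys
from typing import Dict, List

INJECT = "vault.hashicorp.com/agent-inject"
STATUS = "vault.hashicorp.com/agent-inject-status"
PRE_POPULATE_ONLY = "vault.hashicorp.com/agent-pre-populate-only"
SIDECAR = "vault-agent"       # sidecar container the injector adds
INIT = "vault-agent-init"     # init container the injector adds


def audit_pod(pod: Dict) -> List[str]:
    """Return findings for one pod object; an empty list means it looks consistent."""
    meta = pod.get("metadata", {})
    ann = meta.get("annotations") or {}
    spec = pod.get("spec", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    if ann.get(INJECT) != "true":
        return []  # injection never requested for this pod
    containers = {c["name"] for c in spec.get("containers", [])}
    inits = {c["name"] for c in spec.get("initContainers", [])}
    status = ann.get(STATUS)
    sidecar_expected = ann.get(PRE_POPULATE_ONLY) != "true"
    findings = []
    if status != "injected":
        # The webhook stamps this annotation on every pod it mutates; its absence
        # means the pod was admitted without the injector ever touching it.
        findings.append(f"{name}: requested injection but {STATUS} is {status!r} "
                        "(webhook did not mutate this pod)")
    elif INIT not in inits and SIDECAR not in containers:
        # Status says injected, yet no agent containers exist: the annotation was
        # most likely already present in the pod template, so the injector skipped it.
        findings.append(f"{name}: carries {STATUS}=injected but has no vault-agent "
                        "containers (status probably came from the pod template)")
    elif sidecar_expected and SIDECAR not in containers:
        findings.append(f"{name}: vault-agent sidecar missing although "
                        f"{PRE_POPULATE_ONLY} is not set")
    return findings


def audit_pods(pod_list_json: str) -> List[str]:
    """Audit a PodList JSON document (the output of `kubectl get pods -A -o json`)."""
    data = json.loads(pod_list_json)
    out: List[str] = []
    for pod in data.get("items", []):
        out.extend(audit_pod(pod))
    return out


def _pod(name, annotations, containers, init_containers=()):
    """Build a minimal pod object for the constructed sample below."""
    return {
        "metadata": {"name": name, "namespace": "app", "annotations": dict(annotations)},
        "spec": {
            "containers": [{"name": c} for c in containers],
            "initContainers": [{"name": c} for c in init_containers],
        },
    }


# Constructed sample PodList: a correctly injected pod, a rescheduled replica the
# webhook never mutated, a pod whose template already carried the injected status,
# and one pod that never asked for injection.
SAMPLE = json.dumps({"items": [
    _pod("web-1", {INJECT: "true", STATUS: "injected"}, ["web", SIDECAR], [INIT]),
    _pod("web-2", {INJECT: "true"}, ["web"]),
    _pod("web-3", {INJECT: "true", STATUS: "injected"}, ["web"]),
    _pod("db-0", {}, ["db"]),
]})

if __name__ == "__main__":
    # Pass a file saved from `kubectl get pods -A -o json`, or run without
    # arguments to audit the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in audit_pods(source):
        print(line)
```

Run it against a dump of the live cluster (`kubectl get pods -A -o json > pods.json`, then `python3 audit.py pods.json`) right after an autoscaling event: a rescheduled pod reported with `agent-inject-status` of `None` tells you the admission webhook never saw it, which is a different problem from a pod the webhook saw and deliberately skipped.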