How to install a package/binary in the vault-agent container?

Hello!

Question about the Vault injector.

We use the vault-injector to insert database and other engine credentials inside our pods.
We have a Vault Kubernetes role with max_ttl set to 1h. So when 2/3 of this time is reached, i.e. 40m, it generates new credentials. It's working great. But the application can't hot-reload with these new credentials.

The goal is, when 2/3 of the max_ttl is reached, to generate new pods with their own new credentials, and let the older one revoke its credentials and die…

So we added this annotation:

vault.hashicorp.com/agent-inject-command-app: kubectl rollout restart deployment application

I found that the defined command runs in the vault-injector container, not in our application container.

But the kubectl binary has been installed in our container. And it seems that we can't add a package or binary to the vault-injector container.

So how do we do that with a non-system command? With consul-template on a standard VM, no problem, we can execute whatever we want.

Hope there is a solution to that!
FYI: I set the RBAC permissions and tried to run the kubectl command on our application, and it's working great.

Thanks!
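For readers following the thread, here is the shape of the Deployment manifest the question describes, as an added example that is not from the original post or from the Vault project: the `agent-inject-secret-*`, `agent-inject-template-*` and `agent-inject-command-*` annotations rendering a database credential lease into the shared secrets volume, with the command hook attached to the same secret name. The deployment name `application`, the Vault role `application`, the secret path `database/creds/application` and the rendered variable names are assumed placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application            # assumed name; the rollout target named in the hook
spec:
  replicas: 2
  selector:
    matchLabels:
      app: application
  template:
    metadata:
      labels:
        app: application
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role whose max_ttl (1h in the question) drives renewal at 2/3 of the TTL
        vault.hashicorp.com/role: "application"
        # Secret name "app" ties the three annotations below to one rendered file:
        # /vault/secrets/app inside the pod's shared secrets volume
        vault.hashicorp.com/agent-inject-secret-app: "database/creds/application"   # assumed path
        vault.hashicorp.com/agent-inject-template-app: |
          {{- with secret "database/creds/application" -}}
          DB_USERNAME={{ .Data.username }}
          DB_PASSWORD={{ .Data.password }}
          {{- end }}
        # Runs after each render of /vault/secrets/app. It executes inside the vault-agent
        # sidecar, with that image's shell and binaries, not inside the application container,
        # which is why a kubectl installed in the application image is not found here.
        vault.hashicorp.com/agent-inject-command-app: "kubectl rollout restart deployment application"
    spec:
      serviceAccountName: application   # assumed; the SA bound to the Vault role and to any RBAC
      containers:
        - name: application
          image: registry.example.invalid/application:1.0.0   # placeholder image
          # The app reads /vault/secrets/app; the question's problem is that it only does so at start-up
          command: ["/bin/sh", "-c", ". /vault/secrets/app && exec /app/server"]
```

The point the manifest makes visible is the boundary the question ran into: the template and the command are both properties of the sidecar, so any binary the command needs has to be available in the sidecar's image, while RBAC granted to the pod's service account applies to whichever container makes the API call.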

Hello!

Has nobody tried to run the kubectl command in the agent-inject-command?
Are we the first?! I can't believe that!

Or maybe another solution from Vault exists to rollout-restart the pods when 2/3 is reached?
If yes, I am open to learning and testing!

See you!