Passing extraSecretEnvironmentVars in Vault deployment using Helm

I have created a secret in my Kubernetes cluster to be able to be picked up from my Helm deployment but when I check my vault pod I see the following instead of the actual value of my secret.

  value: "[map[envName:VAULT_TOKEN secretKey:VAULT_TOKEN secretName:vault-secret]]"

My values.yaml have the following config:

      - envName: VAULT_TOKEN
        secretName: vault-secret
        secretKey: VAULT_TOKEN

This was working fine in another environment but for some reason, it is not picking up the secret value and instead mapping it. For context, I used this secret as an ENV in my vault stateful set in order to be able to run the raft snapshot command in an automated fashion.

Can you share more information regarding this?
I have used this configuration ant it works perfectly fine.

- envName: ENV_VAR_NAME
secretName: SECRET_NAME
secretKey: SECRET_KEY

You will also need to have the seal stanza, even though with empty values:

    seal "<awskms>/<azurekeyvault>" {
      client_id      = ""
      client_secret  = ""
      tenant_id      = ""
      vault_name     = ""
      key_name       = ""

Maybe you can do this and check again.

This same configuration works perfectly in another environment as well. I deployed Vault with the official hashicorp vault and vault-k8s images using Helm. Before I ran helm install, I created a secret in my cluster in the same namespace as vault is running in.

My secret:

~ kubectl get secret vault-secret -n vault -o yaml

apiVersion: v1
kind: Secret
  creationTimestamp: "2023-11-26T19:27:08Z"
  name: vault-secret
  namespace: vault
  resourceVersion: "44572042"
  uid: ***
type: Opaque

The token itself is wrapped but that is the case in my other env as well.

My helm config:

      - envName: VAULT_TOKEN
        secretName: vault-secret
        secretKey: VAULT_TOKEN

My env output from the pod itself:

/ $ env | grep TOKEN
EXTRASECRETENVIRONMENTVARS=[map[envName:VAULT_TOKEN secretKey:VAULT_TOKEN secretName:vault-secret]]

Note that the ENV name itself is showing up as EXTRASECRETENVIRONMENTVARS and not VAULT_TOKEN

I use auto unseal with azure keyvault, which is working just fine but here is the config:

        seal "azurekeyvault" {
          tenant_id      = ""
          client_id      = ""
          client_secret  = ""
          vault_name     = ""
          key_name       = ""

Note that I am using the free tier of vault.

To automate snapshots I run the following script within my pod. Throwing this in here just in case:

# Authenticate into Vault

# Navigate to snapshot Directory 
cd "$snapshot_dir" || exit 1

# Delete old snapshots
rm -f "${snapshot_prefix}*"

# Take snapshot of Raft Leader
while ! vault operator raft snapshot save "$latest_snapshot"; do
  echo "Taking snapshot failed. Retrying..."
  sleep 1

echo "Snapshot taken successfully."

Correction, I create the secret after deploying Vault since the token gets created afterward.

@glisav Anything else you can suggest checking?