Vault Agent doesn't inject SideCar container to newly created K8S node

We are using HashiCorp Vault to store our secrets and our application runs in Kubernetes. The Authentication method which we are using is 'AppRole' where we have defined the RoleID and the SecretID in a Kubernetes Secret and which is then used to authenticate with the Vault server and gets the Token.

Below are the Annotations which we’ve used in our K8S Deployment manifests.

apiVersion: apps/v1
kind: Deployment
  name: my-pod
      annotations: 'true' 'URL-Of-Vault-Server' 'approle' 'auth/approle' '/vault/custom/role-id' '/vault/custom/secret-id' 'my-approle' 'myrole' 'false' 'kv/mysecrets/secrets' |
          {{ with secret "kv/mysecrets/secrets/" -}}
             export JAVA_TOOL_OPTIONS="-Dzookeeper.ssl.keyStore.password={{ }} "
          {{- end }}
        - name: mycontainer
          image: someimage
          command: [ "/bin/bash" ]
          args: [ '-c', 'source /vault/secrets/config.env && some_command_here' ]

The Vault server runs in another K8S cluster and I’ve installed the Vault Agent in our cluster. It used to work with this setup but, our K8S cluster has the AutoScaling feature enabled. When a new node spins up and when the application pod gets rescheduled in that new node, the SideCar container doesn’t seems to be injected automatically.

Eventually, it shows 1/1 containers. Which means the sidecar is not injected when the Pod got ReScheduled in the newly spin K8S node.

Any idea what is wrong here?

1 Like

I am facing the same issue. If I restart the pod manually then the side car container gets created and I am able to see 2/2 but by default on new node when pod is scheduled the sidecar container is not created and pod status is 1/1.

Can someone please help with this?

@pragya5833 Yeah exactly the same happens for me. Please try using a different agent.

You should look at the Vault injector logs. There’s probably a deployment in your cluster called {{ template "vault.fullname" . }}-agent-injector assuming you installed it via Helm.
You may also check the Vault namespace for API events.
It’s not uncommon for the injector pod(s) to be evicted when the cluster is under pressure.
Make sure you have enough replicas running to avoid unavailability.
Try to spread the pods adequately using topology spread constraints and use priority class.