Vault agent injector dynamic secrets

I have setup vault-agent-injector in our k8s cluster which is talking to an external vault server. The injector webhook works perfectly in placing the init container and side car container. The init container does load my secrets onto /vault/secrets , however the sidecar container responsible for syncing the secrets dynamically isn’t seems to do it’s job. In the sidecar logs I do see that it keeps on renewing auth token but never renews the secrets. Can somebody please advise. Also, what’s the default interval for automatic syncing of secrets.

2 Likes

I had the same experience running vault-agent-injector on my k8s cluster using straight default settings in the vault-helm chart. Secrets load on pod startup, but are not updated as they change on the vault server.

Any vault product managers here? Can you straighten us out on this?

1 Like

I also have the same scenario and met the same issue. I updated the secret in Vault server, but inside the pod the injected secrets is not synced.

Hi there,
ran into the same problem and found this closed issue:
https://github.com/hashicorp/vault-k8s/issues/69
So the secret rotations are based on the secrets TTL.

Configuring the kubernetes auth role with eg token_max_ttl=60s ttl=30s token_ttl=30ssolved it for me.

1 Like