Vault Agent Injector - Where is the inject command running?

When injecting secrets with Vault Agent and external Vault server.

There is an annotation vault.hashicorp.com/agent-inject-command

Where is this actually running? Inside the vault agent sidecar? I’ve been wondering because I have an FPM process that requires a reload when a secret changes, I am storing them as files and the agent renders the template, but is unable to reload the fpm process.

1 Like

I have the same question. I would like to run “source /vault/secrets/db-config” where db-config contains export commands for db secrets. But the inject-command seems to do nothing. If I kubectl into the running pod and run source /vault/secrets/db-config then the env variables are set correctly. Is there some logging on what happens when the command is run or?

Using the latest 0.3.0 k8s agent btw

It runs in vault-agent-init container. You can see in pod logs.