Vault Agent Injector - Where is the inject command running?

When injecting secrets with Vault Agent and an external Vault server, there is an annotation, vault.hashicorp.com/agent-inject-command.

Where is this actually running? Inside the Vault Agent sidecar? I've been wondering because I have an FPM process that requires a reload when a secret changes. I am storing them as files and the agent renders the template, but it is unable to reload the FPM process.

I have the same question. I would like to run "source /vault/secrets/db-config", where db-config contains export commands for db secrets. But the inject-command seems to do nothing. If I kubectl into the running pod and run source /vault/secrets/db-config, then the env variables are set correctly. Is there some logging on what happens when the command is run?

Using the latest 0.3.0 k8s agent btw

It runs in the vault-agent-init container. You can see it in the pod logs.

It sounds like it is not that useful to run a command in the init or sidecar container compared to the container where the secret is actually injected. I face the same problem: I want to gracefully reload PHP (by sending SIGUSR2 to its master process) when a secret changes.
Is there any other way to do this after a secret is injected?