Vault Agent Injector - Where is the inject command running?

When injecting secrets with Vault Agent and an external Vault server.

There is an annotation vault.hashicorp.com/agent-inject-command.

Where is this actually running? Inside the vault agent sidecar? I've been wondering because I have an FPM process that requires a reload when a secret changes. I am storing the secrets as files and the agent renders the template, but it is unable to reload the FPM process.


I have the same question. I would like to run "source /vault/secrets/db-config", where db-config contains export commands for db secrets. But the inject-command seems to do nothing. If I kubectl into the running pod and run source /vault/secrets/db-config, then the env variables are set correctly. Is there any logging of what happens when the command is run?

Using the latest 0.3.0 k8s agent, btw.

It runs in the vault-agent-init container. You can see it in the pod logs.


It sounds like it is not that useful to run a command in the init or sidecar container compared to the container where the secret is actually injected. I face the same problem: I want to gracefully reload PHP (by sending SIGUSR2 to its master process) when a secret changes.
Is there any other way to do this after a secret is injected?

There is a benefit to using the agent-inject-command even though it runs in the init container.
For example, you have a Java application which reads some property file. It can be either a YAML file or a .properties file.
When I tried that, I was ending up with errors in the annotations, so I used the agent-inject-command to perform stuff like:
mv /vault/secret/config /vault/secret/config.yaml
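To make the rename use case above concrete, here is an added example of the pod annotations involved (constructed for this thread, not taken from any poster or from the Vault docs); the deployment name, role, secret path and image are assumed. The command annotation is suffixed with the same unique name as the secret it follows, and, as answered above, it executes inside the vault-agent-init container after the template is rendered, which is why it can rename the rendered file but cannot signal a process in the application container.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: java-app                     # assumed name
spec:
  selector:
    matchLabels:
      app: java-app
  template:
    metadata:
      labels:
        app: java-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "java-app"            # assumed Kubernetes auth role
        # Unique name "config": renders to /vault/secrets/config by default
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/java-app"   # assumed KV v2 path
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "secret/data/java-app" -}}
          db.user={{ .Data.data.username }}
          db.password={{ .Data.data.password }}
          {{- end -}}
        # Same suffix ("config") ties the command to that secret.
        # Runs in the vault-agent-init container, not in the "app" container,
        # so it only sees the shared /vault/secrets volume.
        vault.hashicorp.com/agent-inject-command-config: "mv /vault/secrets/config /vault/secrets/config.properties"
    spec:
      serviceAccountName: java-app   # assumed service account bound to the role
      containers:
        - name: app
          image: example/java-app:latest   # placeholder image
```

Output of the command (and any error from it) ends up in the agent container's log, so `kubectl logs <pod> -c vault-agent-init` is where to check whether it ran.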