Vault injector version: 1.3.0
Vault version: 1.14.1
The injector suddenly stopped injecting the sidecar into pods since last week. I tested this: if I apply a Pod manifest, the sidecar is injected, but with a Deployment manifest the sidecar is not injected.
The injector works as expected in the production environment, and the configuration is the same.
Helm values:
```yaml
injector:
  enabled: "true"
  image:
    repository: "registry.internal/vault/vault-injector"
    tag: "1.3.0"
  agentImage:
    repository: "registry.internal/vault/vault"
    tag: "1.14.1"
  externalVaultAddr: "https://vault-qa.internal:8200"
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m
  authPath: "auth/rancher-qa"
  metrics:
    enabled: true
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: /metrics
    prometheus.io/port: '8080'
```
Test deployment manifest:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'data'
        vault.hashicorp.com/tls-secret: 'injector-tls'
        vault.hashicorp.com/client-cert: '/vault/tls/tls.crt'
        vault.hashicorp.com/client-key: '/vault/tls/tls.key'
        vault.hashicorp.com/ca-cert: '/vault/tls/ca.crt'
        vault.hashicorp.com/log-level: 'debug'
        vault.hashicorp.com/agent-inject-secret-config.yaml: 'kv/qa/data/ai1/export'
        vault.hashicorp.com/agent-inject-template-config.yaml: |
          {{ with secret "kv/qa/data/ai1/export" }}
          secrets:
            username: {{ .Data.data.username }}
            password: {{ .Data.data.password }}
          {{ end }}
      labels:
        app: test
    spec:
      serviceAccountName: data
      containers:
        - name: test
          image: registry.internal/test/busybox:1.0.0
          command:
            - sleep
            - "36000"
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 100m
              memory: 100Mi
```
Pod test manifest:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test
  annotations:
    vault.hashicorp.com/agent-inject: 'true'
    vault.hashicorp.com/role: 'data'
    vault.hashicorp.com/tls-secret: 'injector-tls'
    vault.hashicorp.com/client-cert: '/vault/tls/tls.crt'
    vault.hashicorp.com/client-key: '/vault/tls/tls.key'
    vault.hashicorp.com/ca-cert: '/vault/tls/ca.crt'
    vault.hashicorp.com/agent-inject-secret-config.yaml: 'kv/qa/data/ai1/export'
    vault.hashicorp.com/agent-inject-template-config.yaml: |
      {{ with secret "kv/qa-fra1/data/ai1/export" }}
      secrets:
        username: {{ .Data.data.username }}
        password: {{ .Data.data.password }}
      {{ end }}
  labels:
    app: test
spec:
  serviceAccountName: data
  containers:
    - name: test
      image: registry.internal/test/busybox:1.0.0
      command:
        - sleep
        - "36000"
      resources:
        limits:
          cpu: 100m
          memory: 100Mi
        requests:
          cpu: 100m
          memory: 100Mi
```
Injector logs:
```text
2023-09-26T13:44:26.865Z [INFO] handler: Request received: Method=POST URL=/mutate?timeout=30s
2023-09-26T13:44:26.880Z [DEBUG] handler: checking if should inject agent..
2023-09-26T13:44:26.880Z [DEBUG] handler: checking namespaces..
2023-09-26T13:44:26.880Z [DEBUG] handler: setting default annotations..
2023-09-26T13:44:26.880Z [DEBUG] handler: creating new agent..
2023-09-26T13:44:26.880Z [DEBUG] handler: validating agent configuration..
2023-09-26T13:44:26.880Z [DEBUG] handler: creating patches for the pod..
2023-09-26T13:56:08.961Z [INFO] handler: Request received: Method=POST URL=/mutate?timeout=30s
2023-09-26T13:56:08.964Z [DEBUG] handler: checking if should inject agent..
2023-09-26T13:56:08.971Z [INFO] handler: Request received: Method=POST URL=/mutate?timeout=30s
2023-09-26T13:56:08.974Z [DEBUG] handler: checking if should inject agent..
2023-09-26T14:18:14.201Z [INFO] handler: Request received: Method=POST URL=/mutate?timeout=30s
```
When the Deployment manifest was deployed to the cluster there were no logs at all; the Pod test manifest produced the logs above.
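An added example, not part of the report above and not the injector's own code: a small offline lint that looks at a manifest the way the mutating webhook does, i.e. only at the Pod (for a Deployment, `spec.template.metadata`), and reports the annotation problems a practitioner checks first when injection silently does nothing. It flags `vault.hashicorp.com/*` annotations placed on the controller object instead of the pod template, a missing `agent-inject: "true"` or `role`, and an `agent-inject-template-<name>` whose `secret "..."` call reads a different path than the matching `agent-inject-secret-<name>` annotation. The two manifests are reduced copies of the ones in the report, embedded as Python dicts so no YAML library is needed; the `injector_annotations` and `lint_injector_annotations` names are this example's own.

```python
"""Lint Vault Agent Injector annotations as the admission webhook would see them.

Added example; not the vault-k8s injector's code. Manifests are reduced copies
of the report's two test manifests, embedded as dicts (constructed input).
"""
import re
from typing import Dict, List

PREFIX = "vault.hashicorp.com/"
SECRET_PREFIX = PREFIX + "agent-inject-secret-"
TEMPLATE_PREFIX = PREFIX + "agent-inject-template-"
# Path inside a template call such as {{ with secret "kv/qa/data/ai1/export" }}
SECRET_CALL = re.compile(r'secret\s+"([^"]+)"')


def _annotations(obj: Dict) -> Dict[str, str]:
    return (obj.get("metadata") or {}).get("annotations") or {}


def pod_annotations(manifest: Dict) -> Dict[str, str]:
    """Annotations on the Pod object the webhook receives on CREATE."""
    if manifest.get("kind") == "Pod":
        return _annotations(manifest)
    # Deployment/StatefulSet/DaemonSet/Job: the Pod is built from spec.template
    return _annotations(manifest["spec"]["template"])


def lint_injector_annotations(manifest: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings: List[str] = []
    kind = manifest.get("kind", "?")
    ann = pod_annotations(manifest)

    # Annotations on the controller's own metadata are never copied onto the Pod,
    # so the webhook cannot see them there.
    if kind != "Pod":
        misplaced = [k for k in _annotations(manifest) if k.startswith(PREFIX)]
        if misplaced:
            findings.append(f"{kind}: {len(misplaced)} {PREFIX}* annotation(s) sit on "
                            "metadata instead of spec.template.metadata")

    if ann.get(PREFIX + "agent-inject") != "true":
        findings.append(f"{kind}: {PREFIX}agent-inject is not 'true' on the pod")
    if not ann.get(PREFIX + "role"):
        findings.append(f"{kind}: {PREFIX}role is missing; the agent has no role to log in with")

    secrets = {k[len(SECRET_PREFIX):]: v for k, v in ann.items() if k.startswith(SECRET_PREFIX)}
    templates = {k[len(TEMPLATE_PREFIX):]: v for k, v in ann.items() if k.startswith(TEMPLATE_PREFIX)}
    for name, tmpl in templates.items():
        if name not in secrets:
            findings.append(f"{kind}: template '{name}' has no agent-inject-secret-{name} counterpart")
            continue
        for path in SECRET_CALL.findall(tmpl):
            if path != secrets[name]:
                findings.append(f"{kind}: template '{name}' reads {path!r} but "
                                f"agent-inject-secret-{name} points at {secrets[name]!r}")
    return findings


def template_for(path: str) -> str:
    """The consul-template snippet used in the report, parameterised on the KV path."""
    return ('{{ with secret "' + path + '" }}\nsecrets:\n'
            '  username: {{ .Data.data.username }}\n'
            '  password: {{ .Data.data.password }}\n{{ end }}\n')


def injector_annotations(template_path: str) -> Dict[str, str]:
    """Hypothetical helper: the report's annotation set, with the template path varied."""
    return {
        PREFIX + "agent-inject": "true",
        PREFIX + "role": "data",
        PREFIX + "tls-secret": "injector-tls",
        PREFIX + "agent-inject-secret-config.yaml": "kv/qa/data/ai1/export",
        PREFIX + "agent-inject-template-config.yaml": template_for(template_path),
    }


_CONTAINER = {"name": "test", "image": "registry.internal/test/busybox:1.0.0"}

# Constructed from the report: the Deployment's template and secret paths agree.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "test"},
    "spec": {"selector": {"matchLabels": {"app": "test"}}, "replicas": 1,
             "template": {"metadata": {"annotations": injector_annotations("kv/qa/data/ai1/export"),
                                       "labels": {"app": "test"}},
                          "spec": {"serviceAccountName": "data", "containers": [_CONTAINER]}}},
}

# Constructed from the report: the Pod's template reads kv/qa-fra1/... while the
# secret annotation names kv/qa/...; the lint surfaces that mismatch.
POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "test", "annotations": injector_annotations("kv/qa-fra1/data/ai1/export"),
                 "labels": {"app": "test"}},
    "spec": {"serviceAccountName": "data", "containers": [_CONTAINER]},
}

if __name__ == "__main__":
    for m in (DEPLOYMENT, POD):
        for line in lint_injector_annotations(m) or [f"{m['kind']}: annotations look consistent"]:
            print(line)
```

The lint only covers what the webhook is handed; it cannot tell you whether the API server called the webhook at all, which is what an empty injector log on a Deployment points to. For that, the next check is the MutatingWebhookConfiguration's `namespaceSelector`/`objectSelector` and the namespace's labels, compared against the namespace the Deployment lands in.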