Expected Behavior
When setting the annotations, it is expected that:
- The injected vault-agent in the pod will be running as an initContainer.
- The initContainer will have the mountVolume "agent-secrets" and will write the translated config defined in the pointed-out "test-configmap" to the mountVolume.
- The webhook will ensure all containers in the pod get the mountVolume "agent-secrets" such that they have access to the translated config from the ConfigMap.
Actual Behavior
When setting the annotation vault.security.banzaicloud.io/vault-agent: "true" in a pod, the vault-agent will start as an initContainer. However, it will not have the "agent-secrets" volume as a mountVolume. Neither will any other container in the pod, which means they cannot get the translated configuration either. The problem probably arises from here: https://github.com/bank-vaults/vault-secrets-webhook/blob/main/pkg/webhook/pod.go#L199
It would be nice to have it clarified whether or not this is intentional behavior. Otherwise, I am open to trying to fix it.
Steps To Reproduce
Applying the following manifests should show the error. Please replace the service account, Vault role and Vault secret path with ones that exist in your environment.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-configmap
  namespace: <your namespace>
data:
  config.hcl: |-
    vault {
      retry {
        backoff = "1s"
      }
    }
    auto_auth {
      method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = {
          role = "<REPLACE WITH YOUR ROLE>"
        }
      }
      sink "file" {
        config = {
          path = "/vault/.vault-token"
        }
      }
    }
    template {
      destination = "/vault/secrets/test/config.conf"
      contents = <<-EOH
        {{- with secret "secret/data/<REPLACE WITH A SECRET IN YOUR VAULT>" }}
        secret_value_fetched_from_vault= {{ .Data.data.<KEY> }}
        {{- end }}
      EOH
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: mount-vault-agent-template-as-initcontainer
  namespace: <your namespace>
  annotations:
    vault.security.banzaicloud.io/vault-addr: https://vault.vault.svc.cluster.local:8200
    vault.security.banzaicloud.io/vault-skip-verify: "true"
    vault.security.banzaicloud.io/vault-path: kubernetes
    vault.security.banzaicloud.io/vault-env-passthrough: VAULT_ADDR,VAULT_ROLE
    vault.security.banzaicloud.io/vault-role: <your role>
    vault.security.banzaicloud.io/vault-agent-configmap: test-configmap
    vault.security.banzaicloud.io/vault-agent: "true"
spec:
  serviceAccountName: <your service account>
  restartPolicy: OnFailure
  containers:
    - name: cat-secret-config
      image: busybox:latest
      command:
        - /bin/sh
        - -c
        - |
          # Poll until vault-agent has rendered the template, then print it and exit.
          while true; do
            if [ -f "/vault/secrets/test/config.conf" ]; then
              cat "/vault/secrets/test/config.conf"
              exit 0
            else
              echo "/vault/secrets/test/config.conf not created by vault-agent"
              sleep 10
            fi
          done
      imagePullPolicy: IfNotPresent
```
Preflight Checklist
Vault Secrets Webhook Version: 1.20.0
Installation Type: Official Helm chart
Bank-Vaults Version: No response
Kubernetes Version: 1.29.0
Kubernetes Distribution/Provisioner: k3d
Configuration: No response
Logs: No response
Additional Information: No response
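A check for the symptom described in the Actual Behavior section, added here as an example; it is not part of this issue or of the webhook's own code. It reads a pod object as returned by `kubectl get pod <name> -o json` and reports whether the "agent-secrets" volume is declared and mounted into every container. The annotation and volume names come from the report; the initContainer name "vault-agent", the mount path "/vault/agent" and the two sample pod objects are assumptions constructed for the example.

```python
AGENT_ANNOTATION = "vault.security.banzaicloud.io/vault-agent"  # from the report
AGENT_VOLUME = "agent-secrets"                                  # from the report


def check_agent_secrets_mounts(pod: dict) -> list[str]:
    """Inspect a pod object (kubectl get pod -o json) and return a list of findings.

    An empty list means: vault-agent was requested, the initContainer exists,
    the agent-secrets volume is declared and every container mounts it.
    """
    findings = []
    annotations = pod.get("metadata", {}).get("annotations", {})
    if annotations.get(AGENT_ANNOTATION) != "true":
        return findings  # vault-agent not requested for this pod: nothing to check
    spec = pod.get("spec", {})
    init_containers = spec.get("initContainers", [])
    # Assumption: the injected initContainer's name contains "vault-agent".
    if not any("vault-agent" in c["name"] for c in init_containers):
        findings.append("vault-agent initContainer was not injected")
    if AGENT_VOLUME not in {v["name"] for v in spec.get("volumes", [])}:
        findings.append(f'volume "{AGENT_VOLUME}" is not declared in spec.volumes')
    # Both the agent and the workload containers need the translated config.
    for c in init_containers + spec.get("containers", []):
        if AGENT_VOLUME not in {m["name"] for m in c.get("volumeMounts", [])}:
            findings.append(f'container "{c["name"]}" does not mount "{AGENT_VOLUME}"')
    return findings


# Constructed pod objects, trimmed to the fields the check reads.
BROKEN_POD = {  # the state described in the report: agent injected, volume missing
    "metadata": {"name": "mount-vault-agent-template-as-initcontainer",
                 "annotations": {AGENT_ANNOTATION: "true"}},
    "spec": {"volumes": [],
             "initContainers": [{"name": "vault-agent", "volumeMounts": []}],
             "containers": [{"name": "cat-secret-config", "volumeMounts": []}]},
}
FIXED_POD = {  # the expected state: volume declared and mounted everywhere
    "metadata": {"name": "mount-vault-agent-template-as-initcontainer",
                 "annotations": {AGENT_ANNOTATION: "true"}},
    "spec": {"volumes": [{"name": AGENT_VOLUME, "emptyDir": {}}],
             "initContainers": [{"name": "vault-agent", "volumeMounts": [
                 {"name": AGENT_VOLUME, "mountPath": "/vault/agent"}]}],  # assumed path
             "containers": [{"name": "cat-secret-config", "volumeMounts": [
                 {"name": AGENT_VOLUME, "mountPath": "/vault/agent"}]}]},
}

if __name__ == "__main__":
    for label, pod in (("broken", BROKEN_POD), ("fixed", FIXED_POD)):
        print(label, check_agent_secrets_mounts(pod) or ["ok"])
```

Against a live cluster, feed it `json.load` of the kubectl output; the broken sample reproduces the three findings the report describes (no volume declared, neither container mounts it).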