hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Agent Sidecar Injector vault.hashicorp.com/namespace annotation required even if not used. #379

Open Colbize opened 1 year ago

Colbize commented 1 year ago

Describe the bug

When configuring Agent Sidecar Injector in our helm charts for secret injection the annotation vault.hashicorp.com/namespace must exist even if it's not used.

It must exist in annotations and be set to an empty string:

```yaml
vault.hashicorp.com/namespace: ""
```

To Reproduce

Steps to reproduce the behavior:

  1. Deploy application annotated for vault-agent injection.
  2. Don't include vault.hashicorp.com/namespace in the annotations.
  3. Logs show:

```text
==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

            Cgo: disabled
      Log Level: info
        Version: Vault v1.10.3
    Version Sha: af866591ee60485f05d6e32dd63dde93df686dfb

2022-08-08T21:20:57.716Z [INFO] sink.file: creating file sink
2022-08-08T21:20:57.716Z [INFO] sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2022-08-08T21:20:57.717Z [INFO] template.server: starting template server
2022-08-08T21:20:57.717Z [INFO] (runner) creating new runner (dry: false, once: false)
2022-08-08T21:20:57.717Z [INFO] sink.server: starting sink server
2022-08-08T21:20:57.717Z [INFO] auth.handler: starting auth handler
2022-08-08T21:20:57.717Z [INFO] auth.handler: authenticating
2022-08-08T21:20:57.717Z [INFO] (runner) creating watcher
2022-08-08T21:21:57.717Z [ERROR] auth.handler: error authenticating: error="context deadline exceeded" backoff=1s
2022-08-08T21:21:58.718Z [INFO] auth.handler: authenticating
```


Application deployment:

Authentication fails without `vault.hashicorp.com/namespace`:

```yaml
      annotations:
        vault.hashicorp.com/agent-inject: "{{ .Values.vault_agent_inject }}"
        vault.hashicorp.com/role: "{{ .Values.vault_authentication_role }}"
        vault.hashicorp.com/ca-cert: "{{ .Values.vault_ca_cert }}"
        vault.hashicorp.com/client-cert: "{{ .Values.vault_client_cert }}"
        vault.hashicorp.com/client-key: "{{ .Values.vault_client_key }}"
        vault.hashicorp.com/tls-secret:  "{{ .Values.vault_tls_secret }}"
        vault.hashicorp.com/log-level: "{{ .Values.vault_log_level }}"
```

Authentication works when `vault.hashicorp.com/namespace` is included:

```yaml
      annotations:
        vault.hashicorp.com/agent-inject: "{{ .Values.vault_agent_inject }}"
        vault.hashicorp.com/namespace: ""
        vault.hashicorp.com/role: "{{ .Values.vault_authentication_role }}"
        vault.hashicorp.com/ca-cert: "{{ .Values.vault_ca_cert }}"
        vault.hashicorp.com/client-cert: "{{ .Values.vault_client_cert }}"
        vault.hashicorp.com/client-key: "{{ .Values.vault_client_key }}"
        vault.hashicorp.com/tls-secret:  "{{ .Values.vault_tls_secret }}"
        vault.hashicorp.com/log-level: "{{ .Values.vault_log_level }}"
```

Expected behavior

Authentication with vault and secret injection.

Environment

tvoran commented 1 year ago

Hi @Colbize, I wonder if your vault-k8s deployment has the environment variable AGENT_INJECT_VAULT_NAMESPACE set? That would set the default vault namespace for all injected vault-agents, and it sounds like you're needing to override that to be empty in order to get things working.
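A small triage helper for the check tvoran suggests, added here as an example (it is not code from vault-k8s or from anyone in this thread): given `kubectl get ... -o json` output for the injector Deployment and for the workload Pod, it reports which Vault namespace the injected agent would end up using and where that value came from. It assumes the precedence tvoran describes (a pod's own `vault.hashicorp.com/namespace` annotation overrides the injector-wide `AGENT_INJECT_VAULT_NAMESPACE` default), and the sample objects are constructed, not taken from the issue.

```python
import json
from typing import Optional, Tuple

NS_ANNOTATION = "vault.hashicorp.com/namespace"
INJECTOR_ENV = "AGENT_INJECT_VAULT_NAMESPACE"


def injector_default_namespace(deployment: dict) -> Optional[str]:
    """Value of AGENT_INJECT_VAULT_NAMESPACE on any injector container, or None if unset."""
    for container in deployment["spec"]["template"]["spec"].get("containers", []):
        for env in container.get("env", []):
            if env.get("name") == INJECTOR_ENV:
                return env.get("value", "")
    return None


def effective_namespace(pod: dict, injector_default: Optional[str]) -> Tuple[str, str]:
    """Namespace the injected agent would use and where it came from. Assumed precedence
    (from the maintainer's comment): pod annotation first, then the injector-wide default."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    if NS_ANNOTATION in annotations:
        return annotations[NS_ANNOTATION], "annotation"
    if injector_default is not None:
        return injector_default, "injector env " + INJECTOR_ENV
    return "", "unset"


def triage(deployment_json: str, pod_json: str) -> dict:
    """Take `kubectl get ... -o json` output for the injector Deployment and the workload Pod."""
    default = injector_default_namespace(json.loads(deployment_json))
    namespace, source = effective_namespace(json.loads(pod_json), default)
    return {
        "injector_default": default,
        "effective_namespace": namespace,
        "source": source,
        # Suspect: a non-empty namespace the workload never asked for via its own annotation.
        "suspect": bool(namespace) and source != "annotation",
    }


# Constructed sample objects (not taken from the issue): an injector with a default
# namespace set, and workload pods with and without the namespace annotation.
INJECTOR_DEPLOYMENT = json.dumps({"spec": {"template": {"spec": {"containers": [
    {"name": "sidecar-injector", "env": [{"name": INJECTOR_ENV, "value": "team-a"}]}]}}}})
POD_WITHOUT_ANNOTATION = json.dumps({"metadata": {"annotations": {
    "vault.hashicorp.com/agent-inject": "true", "vault.hashicorp.com/role": "app"}}})
POD_WITH_EMPTY_ANNOTATION = json.dumps({"metadata": {"annotations": {
    "vault.hashicorp.com/agent-inject": "true", NS_ANNOTATION: ""}}})
```

Run `triage()` on the real objects (`kubectl -n <injector-ns> get deploy <injector> -o json` and `kubectl get pod <app> -o json`) to see whether a default namespace is silently reaching the agent.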

Colbize commented 1 year ago

Hi @tvoran thanks for responding. We do not have the environment variable AGENT_INJECT_VAULT_NAMESPACE set in our vault server deployment variables. We are deploying vault v1.10.3 via the helm chart.