hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Injected config tries to use IRSA token instead of the k8s service account token #544

Open cm3lindsay opened 11 months ago

cm3lindsay commented 11 months ago

Describe the bug
When the Vault Agent sidecar is injected into a pod that is also injected with IRSA, the token_path uses the IRSA token instead of the actual Kubernetes service account token, even when configured to use the Kubernetes auth method. This prevents the Vault Agent sidecar from being able to authenticate to Vault.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy a pod annotated for vault-agent injection that is configured to use a service account that has an IRSA annotation.
  2. Vault Agent logs will show failed authentication requests.
  3. Inspecting the container's VAULT_CONFIG env variable will show that token_path is configured to use /var/run/secrets/eks.amazonaws.com/serviceaccount instead of /var/run/secrets/kubernetes.io/serviceaccount.

Expected behavior
Vault Agent is able to authenticate to Vault using the Kubernetes auth method without having to specify vault.hashicorp.com/auth-config-token-path to ensure the wrong token is not used.

Environment

Additional context
We discovered this problem after configuring the Vault Injector to use an external address.

The need to use vault.hashicorp.com/auth-config-token-path as a workaround is mentioned in https://github.com/hashicorp/vault-k8s/issues/456#issuecomment-1503457172; however, I believe this should not be necessary.
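The report above describes diagnosing the problem by reading the sidecar's VAULT_CONFIG variable. The following is an added example, not code from the vault-k8s project or from the reporter, that automates that check: it decodes the injected agent configuration and flags a kubernetes auto_auth method whose token_path points at the IRSA web identity token instead of the Kubernetes service account token. It assumes VAULT_CONFIG holds base64-encoded JSON shaped like the injector's agent config (auto_auth.method as a single object, with a config map); the sample configurations embedded below are constructed for the demonstration and the role name is made up.

```python
import base64
import json

# Token locations named in the issue.
K8S_SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
IRSA_TOKEN_DIR = "/var/run/secrets/eks.amazonaws.com/serviceaccount"


def decode_vault_config(env_value: str) -> dict:
    """Decode the injector's VAULT_CONFIG value.

    Assumption: the variable holds base64-encoded JSON agent configuration.
    """
    return json.loads(base64.b64decode(env_value).decode("utf-8"))


def kubernetes_methods(config: dict) -> list:
    """Return the auto_auth methods of type kubernetes.

    The injector writes a single method object; accepting a list as well is an
    assumption made so hand-written agent configs can be checked too.
    """
    method = config.get("auto_auth", {}).get("method")
    if method is None:
        return []
    methods = method if isinstance(method, list) else [method]
    return [m for m in methods if m.get("type") == "kubernetes"]


def check_token_path(config: dict) -> list:
    """One finding per kubernetes auto_auth method whose token_path would not
    read the Kubernetes service account token (the default when unset)."""
    findings = []
    for method in kubernetes_methods(config):
        token_path = method.get("config", {}).get("token_path", K8S_SA_TOKEN)
        if token_path.startswith(IRSA_TOKEN_DIR):
            findings.append(
                f"token_path {token_path} is the IRSA web identity token; "
                "the kubernetes auth method needs the service account token"
            )
        elif token_path != K8S_SA_TOKEN:
            findings.append(f"token_path {token_path} is not the service account token")
    return findings


def check_env(env_value: str) -> list:
    """Convenience wrapper: decode VAULT_CONFIG, then check it."""
    return check_token_path(decode_vault_config(env_value))


def encode(config: dict) -> str:
    """Produce a VAULT_CONFIG-style value from a config dict (for the samples)."""
    return base64.b64encode(json.dumps(config).encode("utf-8")).decode("ascii")


# Constructed sample: the failing case from the issue, where the injected
# token_path was rewritten to the IRSA token.
BAD_CONFIG = {
    "auto_auth": {
        "method": {
            "type": "kubernetes",
            "mount_path": "auth/kubernetes",
            "config": {"role": "example-role", "token_path": IRSA_TOKEN_DIR + "/token"},
        },
        "sink": [{"type": "file", "config": {"path": "/home/vault/.vault-token"}}],
    }
}

# Constructed sample: the workaround, token_path pinned via the
# vault.hashicorp.com/auth-config-token-path annotation.
GOOD_CONFIG = {
    "auto_auth": {
        "method": {
            "type": "kubernetes",
            "mount_path": "auth/kubernetes",
            "config": {"role": "example-role", "token_path": K8S_SA_TOKEN},
        },
        "sink": [{"type": "file", "config": {"path": "/home/vault/.vault-token"}}],
    }
}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_env(encode(cfg)) or ["ok"])
```

To run it against a live pod, pass the value of the sidecar's VAULT_CONFIG environment variable (for example from `kubectl get pod <pod> -o jsonpath=...` selecting the agent container's env; the container name and jsonpath are left to the reader, since they depend on the deployment) to `check_env`. A non-empty result reproduces the symptom described in step 3 of the report before any failed login shows up in the agent logs.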