When the injector is deployed with AGENT_INJECT_VAULT_AUTH_TYPE set to jwt, or when using vault.hashicorp.com/auth-type: jwt annotation, the generated (simplified) agent config looks like this:
This is invalid because the jwt auth method uses the path config parameter rather than token_path. This appears to be set here.
In addition, it may be beneficial to set remove_jwt_after_reading to false by default because removing the token fails due to the projected volume being read-only.
We're currently using the following annotations to work around these issues:
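For reference, here is an added illustration (not the issue's own text and not output from vault-k8s) of a Vault Agent auto_auth block for the jwt method, with the mismatch described above shown beside the valid form; the role name, mount path and token file path are assumed placeholder values:

```hcl
# Added example, not from the issue or from vault-k8s. Placeholder values:
# role "my-role", mount path "auth/jwt", and a projected service-account
# token at /var/run/secrets/tokens/vault-token.
auto_auth {
  # What the report describes the injector emitting for auth-type jwt:
  # "token_path" is the kubernetes method's parameter and is not accepted
  # by the jwt method, so this block fails to load.
  # method "jwt" {
  #   mount_path = "auth/jwt"
  #   config = {
  #     role       = "my-role"
  #     token_path = "/var/run/secrets/tokens/vault-token"
  #   }
  # }

  # Valid jwt auto-auth config: the token file location is given as "path".
  method "jwt" {
    mount_path = "auth/jwt"
    config = {
      role = "my-role"
      path = "/var/run/secrets/tokens/vault-token"
      # Defaults to true; the agent then tries to delete the token file,
      # which fails on a read-only projected volume.
      remove_jwt_after_reading = false
    }
  }
}
```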