Vault Agent Injector
Definition
Vault Agent Injector is a component of HashiCorp Vault that automates the injection of secrets into Kubernetes pods. It works by mutating pod specifications to include an init container and sidecar container, which handle the retrieval and management of secrets from Vault. This allows applications running within the pods to securely access secrets without embedding them in the application code or configuration files.
Secure Settings Example
apiVersion: v1
kind: Pod
metadata:
  annotations:
    # Ask the injector's mutating webhook to add the Vault Agent init and sidecar containers
    vault.hashicorp.com/agent-inject: "true"
    # Vault role the agent authenticates as (via the pod's Kubernetes service account)
    vault.hashicorp.com/role: "my-app-role"
    # Secret path to fetch; the agent renders it to a file named "config" in the shared secrets volume
    vault.hashicorp.com/agent-inject-secret-config: "secret/data/myapp/config"
spec:
  containers:
    - name: myapp
      image: myapp:latest
Insecure Settings Example
apiVersion: v1
kind: Pod
metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "my-app-role"
    vault.hashicorp.com/agent-inject-secret-config: "secret/data/myapp/config"
spec:
  containers:
    - name: myapp
      image: myapp:latest
      env:
        # A literal Vault token in the pod spec is readable by anyone who can view the manifest
        # and defeats the purpose of letting the injected agent authenticate on the pod's behalf
        - name: VAULT_TOKEN
          value: "hardcoded-token"
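An added audit check (not part of the original page or of HashiCorp's own tooling) that reads a pod manifest in the JSON form `kubectl get pod -o json` returns and reports the two problems the examples above contrast: a literal VAULT_TOKEN environment value, and injection enabled without the role or secret annotations the agent needs. The sample manifest is constructed from the insecure example; the pod name is assumed.

```python
import json

# Constructed sample: the insecure pod from the page, as `kubectl get pod myapp -o json`
# would return it (assumption: only the fields the checks need are included).
INSECURE_POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "myapp",
    "annotations": {
      "vault.hashicorp.com/agent-inject": "true",
      "vault.hashicorp.com/role": "my-app-role",
      "vault.hashicorp.com/agent-inject-secret-config": "secret/data/myapp/config"
    }
  },
  "spec": {
    "containers": [
      {"name": "myapp", "image": "myapp:latest",
       "env": [{"name": "VAULT_TOKEN", "value": "hardcoded-token"}]}
    ]
  }
}
"""

INJECT = "vault.hashicorp.com/agent-inject"
ROLE = "vault.hashicorp.com/role"
SECRET_PREFIX = "vault.hashicorp.com/agent-inject-secret-"


def audit_pod(pod: dict) -> list[str]:
    """Return findings for one pod manifest; an empty list means no issue found."""
    findings = []
    ann = pod.get("metadata", {}).get("annotations") or {}
    spec = pod.get("spec", {})
    # Look at app and init containers for a token pasted straight into the spec.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env") or []:
            if env.get("name") == "VAULT_TOKEN" and "value" in env:
                findings.append(f"container {c['name']}: VAULT_TOKEN set as a literal env value")
    # With injection turned on, the agent needs a role and at least one secret to render.
    if ann.get(INJECT) == "true":
        if ROLE not in ann:
            findings.append(f"{INJECT} is true but {ROLE} is missing")
        if not any(k.startswith(SECRET_PREFIX) for k in ann):
            findings.append("injection enabled but no agent-inject-secret-* annotation")
    return findings


def audit_json(doc: str) -> list[str]:
    return audit_pod(json.loads(doc))


if __name__ == "__main__":
    for finding in audit_json(INSECURE_POD_JSON):
        print(finding)
```

Pointing `audit_json` at the output of `kubectl get pods -A -o json` (iterating over its `items`) turns this into a cluster-wide sweep.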