By default, when secrets are injected into pods via the vault.hashicorp.com/agent-inject-secret annotation, the resulting secrets are mounted at a default path. You can change the path a secret is mounted to via the vault.hashicorp.com/secret-volume-path annotation. Because the secrets are mounted as a volume, they effectively replace any folder they are mounted to. This matters: if the mount point is a folder within a pod's code, some of the code will appear to have been deleted. It is therefore recommended not to use these annotations to place a secret in your application folder, and instead to use another annotation to later copy the secrets to another location if deemed necessary.
- vault.hashicorp.com/agent-inject-secret - configures Vault Agent to retrieve the secrets from Vault required by the container. The name of the secret is any unique string after vault.hashicorp.com/agent-inject-secret-, such as vault.hashicorp.com/agent-inject-secret-foobar. The value is the path in Vault where the secret is located.
- vault.hashicorp.com/secret-volume-path - configures where on the filesystem a secret will be rendered. To map a path to a specific secret, use the same unique secret name: vault.hashicorp.com/secret-volume-path-SECRET-NAME. For example, if a secret annotation vault.hashicorp.com/agent-inject-secret-foobar is configured, vault.hashicorp.com/secret-volume-path-foobar would configure where that secret is rendered. If no secret name is provided, this sets the default for all rendered secrets in the pod.
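A pre-deployment check for the folder-shadowing problem described above, written as an added example that is not part of the original page or of Vault itself. It resolves each secret's mount directory from the two annotations and flags mounts that overlap an application directory. Assumptions: the function names are hypothetical, /vault/secrets is used as the injector default (this page does not state it), /app stands in for the application folder, and the sample annotations and Vault paths are constructed.

```python
from pathlib import PurePosixPath

PREFIX = "vault.hashicorp.com/"
INJECT = PREFIX + "agent-inject-secret-"   # followed by the unique secret name
VOLPATH = PREFIX + "secret-volume-path"    # bare = pod-wide default, "-NAME" = per secret


def secret_mount_paths(annotations, injector_default="/vault/secrets"):
    """Map each injected secret name to the directory it will be mounted at.

    injector_default is an assumption; pass the value your injector uses.
    """
    pod_default = annotations.get(VOLPATH, injector_default)
    paths = {}
    for key in annotations:
        if key.startswith(INJECT):
            name = key[len(INJECT):]
            # A per-secret path wins over the pod-wide default.
            paths[name] = annotations.get(f"{VOLPATH}-{name}", pod_default)
    return paths


def shadowed_secrets(annotations, app_dirs, injector_default="/vault/secrets"):
    """Return {secret name: mount path} for mounts that would hide application files."""
    findings = {}
    resolved = secret_mount_paths(annotations, injector_default)
    for name, path in resolved.items():
        mount = PurePosixPath(path)
        for app in map(PurePosixPath, app_dirs):
            # The volume replaces the folder it is mounted to, so a mount equal to,
            # inside, or above an application directory hides code.
            if mount == app or app in mount.parents or mount in app.parents:
                findings[name] = path
    return findings


# Constructed pod annotations: "foobar" is redirected into the application folder,
# "dbcreds" keeps the default location.
ANNOTATIONS = {
    PREFIX + "agent-inject": "true",
    INJECT + "foobar": "secret/data/foobar",
    INJECT + "dbcreds": "secret/data/db",
    VOLPATH + "-foobar": "/app/config",
}

if __name__ == "__main__":
    for name, path in shadowed_secrets(ANNOTATIONS, ["/app"]).items():
        print(f"secret {name!r} mounts at {path} and will shadow application files")
```
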