By default, when secrets are injected into pods via the agent-inject-secret annotation, the resulting secrets are mounted at /vault/secrets. You can change the path where a secret is mounted with the secret-volume-path annotation. Because the secrets are mounted as a volume, they effectively replace any folder they are mounted to. This matters: if the mount point is a folder inside a pod's code, some of the code will appear to have been deleted. It is therefore recommended not to use these annotations to place a secret in your application folder; instead, use another annotation to copy the secrets to another location later if necessary.
vault.hashicorp.com/agent-inject-secret - configures Vault Agent to retrieve the secrets from Vault required by the container. The name of the secret is any unique string after vault.hashicorp.com/agent-inject-secret-, such as vault.hashicorp.com/agent-inject-secret-foobar. The value is the path in Vault where the secret is located.
vault.hashicorp.com/secret-volume-path - configures where on the filesystem a secret will be rendered. To map a path to a specific secret, use the same unique secret name: vault.hashicorp.com/secret-volume-path-SECRET-NAME. For example, if a secret annotation vault.hashicorp.com/agent-inject-secret-foobar is configured, vault.hashicorp.com/secret-volume-path-foobar would configure where that secret is rendered. If no secret name is provided, this sets the default for all rendered secrets in the pod.
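
The precedence described above (per-secret path, then pod-wide default, then /vault/secrets) can be checked before deployment. The following is an added example, not code from the original page or from Vault: it resolves each secret's mount directory from a pod's annotations and flags any that overlap an application directory. The function names, the sample Vault paths and the /app directory are assumptions.

```python
from pathlib import PurePosixPath

PREFIX = "vault.hashicorp.com/"
INJECT = PREFIX + "agent-inject-secret-"
VOLUME = PREFIX + "secret-volume-path"
DEFAULT_MOUNT = "/vault/secrets"  # default mount path stated above

# Constructed sample annotations; the Vault paths and /app are assumptions.
POD_ANNOTATIONS = {
    "vault.hashicorp.com/agent-inject-secret-foobar": "secret/data/foobar",
    "vault.hashicorp.com/agent-inject-secret-db": "secret/data/db",
    "vault.hashicorp.com/secret-volume-path-db": "/app/config",  # per-secret
}


def secret_mounts(annotations):
    """Map each injected secret name to the directory its volume mounts at."""
    # An unsuffixed secret-volume-path sets the pod-wide default.
    pod_default = annotations.get(VOLUME, DEFAULT_MOUNT)
    mounts = {}
    for key in annotations:
        if key.startswith(INJECT):
            name = key[len(INJECT):]
            # secret-volume-path-<name> wins over the pod-wide default.
            mounts[name] = annotations.get(f"{VOLUME}-{name}", pod_default)
    return mounts


def overlaps(a, b):
    """True if one path equals, contains, or is contained by the other."""
    a, b = PurePosixPath(a), PurePosixPath(b)
    return a == b or a in b.parents or b in a.parents


def shadowing_mounts(annotations, app_dirs):
    """List (secret, mount, app_dir) where a secret volume lands in app code."""
    return [
        (name, mount, app_dir)
        for name, mount in secret_mounts(annotations).items()
        for app_dir in app_dirs
        if overlaps(mount, app_dir)
    ]


if __name__ == "__main__":
    for name, mount, app_dir in shadowing_mounts(POD_ANNOTATIONS, ["/app"]):
        print(f"secret {name!r} mounts at {mount}, overlapping {app_dir}")
```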