
Vault Sidecar Removes Annotations from Pod

Open celestialorb opened this issue 4 years ago • 0 comments

Description

I have a custom annotation on the pod template of a deployment that utilizes the Talend Vault sidecar injector. When using the sidecar annotations to inject static secrets as environment variables, the pod loses the custom annotation.

Reproduction

Create a basic deployment with Vault sidecar injection enabled from static secrets using the environment variable (env) injection method and a custom, unrelated annotation on the pod template metadata. The unrelated annotation will not exist on the pod. Switch the sidecar.vault.talend.org/inject annotation to false and redeploy, and the resultant pod will have the unrelated annotation.

Expected Behavior

I would expect unrelated annotations to be preserved on the pod.

Environment:

  • Kubernetes
    • cluster: EKS
    • v1.20
  • Vault Sidecar Injector
    • version: 7.2.1
    • chart version: 4.3.1

Logs of Vault Sidecar Injector pod(s)

I'm assuming this is due to the MutatingWebhook, as it seems the patch operation might be replacing all annotations from this line I found in the logs of the Vault sidecar injector:

{"op":"add","path":"/metadata/annotations","value":{"sidecar.vault.talend.org/status":"injected"}}

This type of patch operation removes all annotations and adds in just the one specified. I'd recommend changing it to one that just adds the single annotation you're interested in:

{"op":"add","path":"/metadata/annotations/sidecar.vault.talend.org~1status","value":"injected"}

celestialorb, Oct 28 '21 15:10
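
The difference between the two patch operations quoted in the issue, as an added Go example that is not the project's own code: `annotationPatch` and `applyAdd` are hypothetical helpers, and the `example.com/owner` annotation is a constructed sample. It builds the per-key operation with the `/` in the key escaped as `~1`, and falls back to adding the whole map only when the pod has no annotations.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// patchOp is one RFC 6902 operation in a mutating webhook's JSONPatch response.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// escapePointer encodes a key as an RFC 6901 token: "~" -> "~0", then "/" -> "~1".
func escapePointer(key string) string {
	return strings.ReplaceAll(strings.ReplaceAll(key, "~", "~0"), "/", "~1")
}

// annotationPatch (hypothetical helper) sets one annotation and keeps the rest. The whole
// map is added only when none exists, since "add" under a missing member fails.
func annotationPatch(existing map[string]string, key, value string) patchOp {
	if existing == nil {
		return patchOp{"add", "/metadata/annotations", map[string]string{key: value}}
	}
	return patchOp{"add", "/metadata/annotations/" + escapePointer(key), value}
}

// applyAdd models "add" for the two paths above: a map value replaces the member, a string sets one key.
func applyAdd(existing map[string]string, op patchOp) map[string]string {
	if m, ok := op.Value.(map[string]string); ok {
		return m
	}
	out := map[string]string{}
	for k, v := range existing {
		out[k] = v
	}
	token := strings.TrimPrefix(op.Path, "/metadata/annotations/")
	out[strings.ReplaceAll(strings.ReplaceAll(token, "~1", "/"), "~0", "~")] = op.Value.(string)
	return out
}

func main() {
	pod := map[string]string{"example.com/owner": "team-a"} // constructed sample
	op := annotationPatch(pod, "sidecar.vault.talend.org/status", "injected")
	b, _ := json.Marshal([]patchOp{op})
	fmt.Println(string(b), applyAdd(pod, op))
}
```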