
Feature Request: inject secrets into init containers

Open artazar opened this issue 3 years ago • 2 comments

In case a pod definition contains init containers, e.g. for bootstrapping a database prior to the launch, they do not inherit the same injected secrets as the main container does.

It would be nice if aws-secret-sidecar-injector could add the default set of volume mounts to all containers that take part in the pod lifecycle.

artazar avatar Feb 16 '21 04:02 artazar

@artazar I don't know if there is a good way to guarantee that the secret sidecar starts before other init containers. Ordinarily, init containers are started in the order in which they appear in the Spec, but we're injecting the sidecar through a mutating webhook. We would probably need to modify the webhook to enumerate the pod's init containers and re-create the array of init containers so that the secret-sidecar always starts first. @amit0701

jicowan avatar Mar 02 '21 16:03 jicowan

@artazar I just merged a PR which would add the secret-sidecar as the first initContainer. This would make sure that the secret sidecar is started first. However, if I understand your request, you would like the admission controller to add the mounts for the secret volume in the remaining init containers as well. In the meanwhile, a workaround would be to manually edit the pod after the initial mutation is done to add volumes for "secret-vol" in the remaining init containers.

amit0701 avatar Mar 22 '21 23:03 amit0701
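The two mutations discussed in this thread (re-creating the initContainers array so the secret sidecar is always at index 0, and adding the "secret-vol" mount to the remaining init containers and the app containers) are shown below in plain Python on a pod manifest dict, the way a mutating admission webhook would compute its JSON Patch. This is an added illustration, not code from aws-secret-sidecar-injector or from either commenter. Only the volume name "secret-vol" comes from the thread; the init-container name `secrets-init-container`, the image, the mount path `/tmp/secrets` and the emptyDir backing are assumptions made for the example.

```python
"""Webhook-style mutation of a Pod manifest (added example, not project code).

Reproduces the two behaviours the issue thread discusses:
  1. the secret sidecar is rebuilt as the FIRST init container, so it runs
     before any other init container (jicowan's ordering point);
  2. the "secret-vol" mount is added to every other init container and to
     the app containers (the feature request), skipping containers that
     already mount it, so re-running the mutation is idempotent.
It emits an RFC 6902 JSON Patch, which is what a mutating webhook returns.
"""
import copy
import json

# "secret-vol" is the volume name used in the thread; the remaining values
# are placeholders assumed for this example.
SECRET_VOLUME = "secret-vol"
SIDECAR_INIT_NAME = "secrets-init-container"                   # assumption
SIDECAR_IMAGE = "example.invalid/secret-sidecar:placeholder"   # assumption
MOUNT_PATH = "/tmp/secrets"                                    # assumption

SECRET_MOUNT = {"name": SECRET_VOLUME, "mountPath": MOUNT_PATH, "readOnly": True}


def _ensure_mount(container):
    """Add the secret volume mount to a container unless it already has one."""
    mounts = container.setdefault("volumeMounts", [])
    if not any(m.get("name") == SECRET_VOLUME for m in mounts):
        mounts.append(dict(SECRET_MOUNT))
    return container


def mutate_pod(pod):
    """Return a mutated deep copy of the pod dict; the input is left untouched."""
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})

    # Volume backing the secret (an in-memory emptyDir is assumed here).
    volumes = spec.setdefault("volumes", [])
    if not any(v.get("name") == SECRET_VOLUME for v in volumes):
        volumes.append({"name": SECRET_VOLUME, "emptyDir": {"medium": "Memory"}})

    # Drop any earlier copy of the sidecar, then rebuild the initContainers
    # array with the sidecar at index 0 so it is guaranteed to start first.
    others = [c for c in spec.get("initContainers", [])
              if c.get("name") != SIDECAR_INIT_NAME]
    sidecar = {"name": SIDECAR_INIT_NAME, "image": SIDECAR_IMAGE,
               "volumeMounts": [{"name": SECRET_VOLUME, "mountPath": MOUNT_PATH}]}
    spec["initContainers"] = [sidecar] + [_ensure_mount(c) for c in others]

    # Remaining init containers (above) and app containers all get the mount.
    spec["containers"] = [_ensure_mount(c) for c in spec.get("containers", [])]
    return pod


def build_json_patch(original, mutated):
    """Minimal RFC 6902 patch covering the spec fields this mutation touches."""
    patch = []
    for field in ("volumes", "initContainers", "containers"):
        before = original.get("spec", {}).get(field)
        after = mutated["spec"].get(field, [])
        if before is None:
            patch.append({"op": "add", "path": f"/spec/{field}", "value": after})
        elif before != after:
            patch.append({"op": "replace", "path": f"/spec/{field}", "value": after})
    return patch


# Constructed sample pod: a DB-bootstrap init container plus one app container.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "initContainers": [{"name": "db-bootstrap", "image": "example.invalid/bootstrap"}],
        "containers": [{"name": "app", "image": "example.invalid/app"}],
    },
}

if __name__ == "__main__":
    mutated = mutate_pod(SAMPLE_POD)
    print(json.dumps(build_json_patch(SAMPLE_POD, mutated), indent=2))
```

The `_ensure_mount` check on the volume name is what makes the workaround amit0701 describes safe to apply by hand after the webhook has already run: re-mutating an already-mutated pod produces no further changes, so a second pass (manual or automated) cannot duplicate the mount or the sidecar.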