vault-secrets-webhook
vault-secrets-webhook copied to clipboard
bank-vaults
Sometimes pods are created without init container copy-vault-env
Preflight Checklist
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [X] I am not looking for support or already pursued the available support channels without success.
- [X] I agree to follow the Code of Conduct.
Vault Secrets Webhook Version
1.19.0
Installation Type
Official Helm chart
Bank-Vaults Version
1.6.2
Kubernetes Version
1.23
Kubernetes Distribution/Provisioner
MSK
Expected Behavior
Running the init container copy_vault_env always together with the pod
Actual Behavior
recently got a k8s cluster at my disposal, it has vault v1.6.2 installed, as well as vault-operator and vault-secrets-webhook v1.19.0 from banzaicloud.
The support team began to notice that sometimes pods and jobs start without copy-vault-env init container. Because of this, they do not have access to the vault secrets, and use only the paths in their configuration (secrets are mapped from the config map to ENV, if this is important). The only solution to the problem is deleting the pod and creating it again (with the same configuration and annotations). At the same time, I don’t find any errors in the vault-operator and vault-secrets-webhook logs, the logs are in debug mode.
Please tell me what can be done in this situation, are there any options for analyzing this problem?
Steps To Reproduce
No response
Configuration
No response
Logs
No response
Additional Information
No response
We observe this as well (version 1.21.0) and found this issue to be the closest to our problem: #254 Sadly there's no reliable workaround right now. It's currently blocking us from deploying the secrets webhook to production.
Closing in favor of the same issue: https://github.com/bank-vaults/vault-secrets-webhook/issues/254
