hashicorp-vault

Vault Agent Injector - Use init container only (disable sidecar)


We are using vault injection to source environment variables during container startup.

We only have a need to do this during startup, and do not need to retrieve updates after that point. We have been looking for a way to disable the sidecar injection, but have been unsuccessful so far.

The documentation states the following (emphasis mine):

Next, two types of Vault Agent containers can be injected: init and sidecar. The init container will prepopulate the shared memory volume with the requested secrets prior to the other containers starting. The sidecar container will continue to authenticate and render secrets to the same location as the pod runs. Using annotations, the initialization and sidecar containers may be disabled.

And that's the last it's mentioned. It does not state anywhere which annotations accomplish this, and the documentation page for annotations does not seem to list any annotations that accomplish this.

Has anyone been able to get this working?


Solution

  • After digging through the source code for the agent injector, I have been able to track down that the annotation that controls this behaviour is called:

    vault.hashicorp.com/agent-pre-populate-only

    The documentation for the annotation states the following:

    configures whether an init container is the only injected container. If true, no sidecar container will be injected at runtime of the pod. Enabling this option is recommended for workloads of type CronJob or Job to ensure a clean pod termination.

    The name of the annotation is what made it hard to find in the list of annotations. The Vault documentation should be updated to mention, in the bolded line from the question, WHICH annotations control this behaviour.
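An added example, not part of the question or the answer and not HashiCorp's injector code: a small Python model of what the answer describes. It predicts which Vault Agent containers the injector adds from a pod template's annotations and flags a Job or CronJob that would still get a sidecar, since the documentation quoted in the answer recommends the init-only mode for those workloads so the pod can terminate. The role name, the secret path and both annotation sets are constructed for illustration; the annotation keys `vault.hashicorp.com/agent-inject`, `vault.hashicorp.com/role` and the `vault.hashicorp.com/agent-inject-secret-` prefix are real injector annotations, and the container labels `init` and `sidecar` are descriptive labels, not the injector's actual container names.

```python
"""Predict the Vault Agent containers the injector would add to a pod.

Added example, not code from the question, the answer, or HashiCorp.
It models only the documented annotation semantics:
  - vault.hashicorp.com/agent-inject: "true" enables injection at all
  - vault.hashicorp.com/agent-pre-populate-only: "true" keeps the init
    container and drops the sidecar
The sample annotation sets, role name and secret path are constructed.
"""

INJECT = "vault.hashicorp.com/agent-inject"
PRE_POPULATE_ONLY = "vault.hashicorp.com/agent-pre-populate-only"
ROLE = "vault.hashicorp.com/role"
SECRET_PREFIX = "vault.hashicorp.com/agent-inject-secret-"

# Annotation values are strings; accept the spellings Go's strconv.ParseBool
# treats as true, since the injector is written in Go (assumption: the
# injector parses these values that way).
_TRUE_VALUES = {"1", "t", "true"}


def _truthy(value) -> bool:
    return str(value).strip().lower() in _TRUE_VALUES


def predict_injection(annotations: dict) -> tuple:
    """Return the Vault Agent containers that would be injected, in start order.

    ("init", "sidecar") is the default once injection is enabled; setting
    agent-pre-populate-only to "true" leaves only ("init",).
    """
    if not _truthy(annotations.get(INJECT, "false")):
        return ()
    if _truthy(annotations.get(PRE_POPULATE_ONLY, "false")):
        return ("init",)
    return ("init", "sidecar")


def lint_workload(kind: str, annotations: dict) -> list:
    """Return human-readable findings for a workload's pod-template annotations."""
    findings = []
    containers = predict_injection(annotations)
    if not containers:
        return findings  # injection disabled: nothing to check
    if ROLE not in annotations:
        findings.append(f"{ROLE} is missing; the agent has no role to authenticate with")
    if not any(key.startswith(SECRET_PREFIX) for key in annotations):
        findings.append(f"no {SECRET_PREFIX}* annotation; the agent will render nothing")
    if kind in ("Job", "CronJob") and "sidecar" in containers:
        findings.append(
            f"{kind} would get a long-running sidecar; set {PRE_POPULATE_ONLY}: \"true\" "
            "so the pod can terminate when the workload finishes"
        )
    return findings


# Constructed sample: the situation in the question, injection enabled with
# nothing said about the sidecar, so init and sidecar are both added.
DEFAULT_ANNOTATIONS = {
    INJECT: "true",
    ROLE: "example-app",                                   # hypothetical Vault role
    SECRET_PREFIX + "app.env": "secret/data/example/app",  # hypothetical KV path
}

# Constructed sample: the fix from the answer, init container only.
INIT_ONLY_ANNOTATIONS = dict(DEFAULT_ANNOTATIONS, **{PRE_POPULATE_ONLY: "true"})


if __name__ == "__main__":
    for label, kind, ann in (
        ("deployment, default", "Deployment", DEFAULT_ANNOTATIONS),
        ("cronjob, default", "CronJob", DEFAULT_ANNOTATIONS),
        ("cronjob, init only", "CronJob", INIT_ONLY_ANNOTATIONS),
    ):
        print(f"{label}: containers={predict_injection(ann)} findings={lint_workload(kind, ann)}")
```

Run against a real manifest by loading the pod template's `metadata.annotations` map and passing it with the workload `kind`; the check is purely local and needs no cluster or Vault access.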