I am using HashiCorp Vault's Agent Injector to inject secrets into my Kubernetes pods using the vault.hashicorp.com/secret-volume-path annotation. I am facing an issue where the rendered secrets are being output directly to the specified path, such as /app, and this causes any existing files in the /app directory to be overwritten.
Here is the part of my configuration where I define the secret path:
annotations:
  vault.hashicorp.com/secret-volume-path: "/app"
However, I want to render the secrets into a subdirectory under /app, such as /app/conf, while keeping the existing files in /app intact. I have checked the official documentation, but I cannot find any reference to using subPath in this context.
My goal is to preserve the contents of the /app directory and store the rendered secrets in /app/conf (or another subpath), without overriding any existing files in /app.
Has anyone encountered this issue or found a solution to render Vault secrets into a subdirectory without overwriting the contents of the original directory? Is there any way to achieve this with Vault Agent Injector in Kubernetes?
You should mount the Vault volume directly at the subpath where the secrets should reside (/app/conf), rather than at the parent directory (/app).
Instead of:
annotations:
  vault.hashicorp.com/secret-volume-path: "/app" # This mounts the VOLUME at /app
You set it to the desired subpath:
annotations:
  vault.hashicorp.com/secret-volume-path: "/app/conf" # This mounts the VOLUME at /app/conf