This repository was archived by the owner on Nov 28, 2022. It is now read-only.

Vault Sidecar Removes Annotations from Pod #55

Open
@celestialorb

Description

I have a custom annotation on the pod template of a deployment that utilizes the Talend Vault sidecar injector. When using the sidecar annotations to inject static secrets as environment variables, the pod loses the custom annotation.

Reproduction
Create a basic deployment with Vault sidecar injection enabled from static secrets using the environment variable (env) injection method and a custom, unrelated annotation on the pod template metadata. The unrelated annotation will not exist on the pod. Switch the sidecar.vault.talend.org/inject annotation to false and redeploy and the resultant pod will have the unrelated annotation.

Expected Behavior
I would expect unrelated annotations to be preserved on the pod.

Environment:

  • Kubernetes
    • cluster: EKS
    • v1.20
  • Vault Sidecar Injector
    • version: 7.2.1
    • chart version: 4.3.1

Logs of Vault Sidecar Injector pod(s)

I'm assuming this is due to the MutatingWebhook, as it seems the patch operation might be replacing all annotations from this line I found in the logs of the Vault sidecar injector:

{"op":"add","path":"/metadata/annotations","value":{"sidecar.vault.talend.org/status":"injected"}}

This type of patch operation removes all annotations and adds in just the one specified. I'd recommend changing it to one that just adds the single annotation you're interested in:

{"op":"add","path":"/metadata/annotations/sidecar.vault.talend.org~1status","value":"injected"}
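
The difference between the two patch operations in the report above, as an added Go example (not code from the vault-sidecar-injector project). It goes one step beyond the report: a per-key `add` needs an existing annotations map, so the hypothetical `annotationPatch` helper falls back to the whole-map form when the pod has none. `PatchOp`, `annotationPatch`, `apply` and the `example.com/team` annotation are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation, as a mutating webhook returns it.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

const base = "/metadata/annotations"

// annotationPatch (hypothetical helper) sets one annotation without dropping others.
func annotationPatch(existing map[string]string, key, value string) PatchOp {
	if existing == nil {
		// No annotations object yet: a per-key add has no parent to add into,
		// so creating the whole map is the only valid form and loses nothing.
		return PatchOp{"add", base, map[string]string{key: value}}
	}
	// RFC 6901 escaping: "~" -> "~0" first, then "/" -> "~1".
	tok := strings.ReplaceAll(strings.ReplaceAll(key, "~", "~0"), "/", "~1")
	return PatchOp{"add", base + "/" + tok, value}
}

// apply is a minimal "add" applier covering only paths under /metadata/annotations.
func apply(existing map[string]string, op PatchOp) map[string]string {
	if op.Path == base { // add on an existing member replaces its whole value
		return op.Value.(map[string]string)
	}
	out := map[string]string{}
	for k, v := range existing {
		out[k] = v
	}
	tok := strings.TrimPrefix(op.Path, base+"/")
	out[strings.ReplaceAll(strings.ReplaceAll(tok, "~1", "/"), "~0", "~")] = op.Value.(string)
	return out
}

func main() {
	pod := map[string]string{"example.com/team": "payments"} // constructed sample
	logged := PatchOp{"add", base, map[string]string{"sidecar.vault.talend.org/status": "injected"}}
	fmt.Println(apply(pod, logged)) // whole-map form, as seen in the injector log
	fmt.Println(apply(pod, annotationPatch(pod, "sidecar.vault.talend.org/status", "injected")))
}
```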
