Learn the HashiCorp Enterprise Stack 
»Annotations
The following are the available annotations for the injector. These annotations are organized into two sections: agent and vault. All of the annotations below change the configurations of the Vault Agent containers injected into the pod.
»Agent Annotations
Agent annotations change the Vault Agent containers templating configuration. For example, agent annotations allow users to define what secrets they want, how to render them, optional commands to run, etc.
vault.hashicorp.com/agent-inject- configures whether injection is explicitly enabled or disabled for a pod. This should be set to atrueorfalsevalue. Defaults tofalse.vault.hashicorp.com/agent-inject-status- blocks further mutations by adding the valueinjectedto the pod after a successful mutation.vault.hashicorp.com/agent-configmap- name of the configuration map where Vault Agent configuration file and templates can be found.vault.hashicorp.com/agent-image- name of the Vault docker image to use. This value overrides the default image configured in the controller and is usually not needed. Defaults tovault:1.4.2.vault.hashicorp.com/agent-init-first- configures the pod to run the Vault Agent init container first iftrue(last iffalse). This is useful when other init containers need pre-populated secrets. This should be set to atrueorfalsevalue. Defaults tofalse.vault.hashicorp.com/agent-inject-command- configures Vault Agent to run a command after the template has been rendered. To map a command to a specific secret, use the same unique secret name:vault.hashicorp.com/agent-inject-command-SECRET-NAME. For example, if a secret annotationvault.hashicorp.com/agent-inject-secret-foobaris configured,vault.hashicorp.com/agent-inject-command-foobarwould map a command to that secret.vault.hashicorp.com/agent-inject-secret- configures Vault Agent to retrieve the secrets from Vault required by the container. The name of the secret is any unique string aftervault.hashicorp.com/agent-inject-secret-, such asvault.hashicorp.com/agent-inject-secret-foobar. The value is the path in Vault where the secret is located.vault.hashicorp.com/agent-inject-template- configures the template Vault Agent should use for rendering a secret. The name of the template is any unique string aftervault.hashicorp.com/agent-inject-template-, such asvault.hashicorp.com/agent-inject-template-foobar. This should map to the same unique value provided invault.hashicorp.com/agent-inject-secret-. If not provided, a default generic template is used.vault.hashicorp.com/agent-inject-token- configures Vault Agent to share the Vault token with other containers in the pod. This is helpful when other containers communicate directly with Vault but require auto-authentication provided by Vault Agent. This should be set to atrueorfalsevalue. Defaults tofalse.vault.hashicorp.com/agent-limits-cpu- configures the CPU limits on the Vault Agent containers. Defaults to500m.vault.hashicorp.com/agent-limits-mem- configures the memory limits on the Vault Agent containers. Defaults to128Mi.vault.hashicorp.com/agent-requests-cpu- configures the CPU requests on the Vault Agent containers. Defaults to250m.vault.hashicorp.com/agent-requests-mem- configures the memory requests on the Vault Agent containers. Defaults to64Mi.vault.hashicorp.com/agent-revoke-on-shutdown- configures whether the sidecar will revoke it's own token before shutting down. This setting will only be applied to the Vault Agent sidecar container. This should be set to atrueorfalsevalue. Defaults tofalse.vault.hashicorp.com/agent-revoke-grace- configures the grace period, in seconds, for revoking it's own token before shutting down. This setting will only be applied to the Vault Agent sidecar container. Defaults to5s.vault.hashicorp.com/agent-pre-populate- configures whether an init container is included to pre-populate the shared memory volume with secrets prior to the containers starting.vault.hashicorp.com/agent-pre-populate-only- configures whether an init container is the only injected container. If true, no sidecar container will be injected at runtime of the pod.vault.hashicorp.com/preserve-secret-case- configures Vault Agent to preserve the secret name case when creating the secret files. This should be set to atrueorfalsevalue. Defaults tofalse.vault.hashicorp.com/secret-volume-path- configures where on the filesystem a secret will be rendered. To map a path to a specific secret, use the same unique secret name:vault.hashicorp.com/secret-volume-path-SECRET-NAME. For example, if a secret annotationvault.hashicorp.com/agent-inject-secret-foobaris configured,vault.hashicorp.com/secret-volume-path-foobarwould configure where that secret is rendered. If no secret name is provided, this sets the default for all rendered secrets in the pod.vault.hashicorp.com/agent-run-as-user- sets the user (uid) to run Vault agent as. Also available as a command-line option (-run-as-user) or environment variable (AGENT_INJECT_RUN_AS_USER) for the injector. Defaults to 100.vault.hashicorp.com/agent-run-as-group- sets the group (gid) to run Vault agent as. Also available as a command-line option (-run-as-group) or environment variable (AGENT_INJECT_RUN_AS_GROUP) for the injector. Defaults to 1000.vault.hashicorp.com/agent-set-security-context- controls whetherSecurityContextis set in injected containers. Also available as a command-line option (-set-security-context) or environment variable (AGENT_INJECT_SET_SECURITY_CONTEXT). Defaults totrue.vault.hashicorp.com/agent-run-as-same-user- run the injected Vault agent containers as the User (uid) of the first application container in the pod. RequiresSpec.Containers[0].SecurityContext.RunAsUserto be set in the pod spec. Also available as a command-line option (-run-as-same-user) or environment variable (AGENT_INJECT_RUN_AS_SAME_USER). Defaults tofalse.Note: If the first application container in the pod is running as root (uid 0), the
run-as-same-userannotation will fail injection with an error.
»Vault Annotations
Vault annotations change how the Vault Agent containers communicate with Vault. For example, Vault's address, TLS certificates to use, client parameters such as timeouts, etc.
vault.hashicorp.com/auth-path- configures the auth path for the Kubernetes auth method. Defaults tokubernetes.vault.hashicorp.com/ca-cert- path of the CA certificate used to verify Vault's TLS.vault.hashicorp.com/ca-key- path of the CA public key used to verify Vault's TLS.vault.hashicorp.com/client-cert- path of the client certificate used when communicating with Vault via mTLS.vault.hashicorp.com/client-key- path of the client public key used when communicating with Vault via mTLS.vault.hashicorp.com/client-max-retries- configures number of Vault Agent retry attempts when 5xx errors are encountered. Defaults to 2.vault.hashicorp.com/client-timeout- configures the request timeout threshold, in seconds, of the Vault Agent when communicating with Vault. Defaults to60sand accepts value types of60,60sor1m.vault.hashicorp.com/log-level- configures the verbosity of the Vault Agent log level. Default isinfo.vault.hashicorp.com/namespace- configures the Vault Enterprise namespace to be used when requesting secrets from Vault.vault.hashicorp.com/role- configures the Vault role used by the Vault Agent auto-auth method. Required whenvault.hashicorp.com/agent-configmapis not set.vault.hashicorp.com/service- name of the Vault service to use. This value overrides the default service configured in the controller and is usually not needed.vault.hashicorp.com/tls-secret- name of the Kubernetes secret containing TLS Client and CA certificates and keys. This is mounted to/vault/tls.vault.hashicorp.com/tls-server-name- name of the Vault server to verify the authenticity of the server when communicating with Vault over TLS.vault.hashicorp.com/tls-skip-verify- if true, configures the Vault Agent to skip verification of Vault's TLS certificate. It's not recommended to set this value to true in a production environment.