Comments (6)
benashz
commented on August 20, 2024
1
In v1.1.0 we added support for JSON-patch via annotations. You should now be able to specify the vault-agent ImagePullPolicy from the vault.hashicorp.com/agent-json-patch annotation.
Example:
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-json-patch: '[{"op": "replace", "path": "/imagePullPolicy", "value": "IfNotPresent"}]'from vault-k8s.
jasonodonnell
commented on August 20, 2024
Hi @goffinf, this is interesting because we aren't actually setting the pull policy for the init container: https://github.com/hashicorp/vault-k8s/blob/master/agent-inject/agent/container_init_sidecar.go#L57-L70. Regardless I think this is a good option to have.
As a work around, I think you can set .Values.injector.agentImage.tag to "latest", Kube will default to "Always" in this case.
from vault-k8s.
goffinf
commented on August 20, 2024
Hey Jason,
I can confirm that using the latest tag does default the imagePullPolicy to 'Always' and thus is a reasonable workaround for now. Clearly we want to remove that when this enhancement is implemented and merged.
from vault-k8s.
prune998
commented on August 20, 2024
Even make it configurable, default to Always or allow it to be changed using an annotation.
It seems so trivial, I can PR if you want.
Thanks
from vault-k8s.
SohamJ
commented on August 20, 2024
I can confirm that using the latest tag does default the imagePullPolicy to 'Always' and thus is a reasonable workaround for now. Clearly we want to remove that when this enhancement is implemented and merged.
@jasonodonnell , one of the use-cases of not using latest was to pin specific versions to know which versions were running in each of our kubernetes clusters/environments. That way, we could easily track the updates across our SDLC process. We also had an egde case where we had to compile and build a s390x arch agent to support our zLinux k8s workloads which had specific version associated to it.
Like @prune998 mentioned, this should be a change in the helm templates. I can take a stab at it if it's not in the works (and it seems there's no design consideration on limiting the pull policy based on the above discussion)
I however am not familar with Go to contribute to the agent-inject part in this repo (will still read through if I can)
from vault-k8s.
jghal
commented on August 20, 2024
We're having a related issue. We deployed a POD annotated for secrets and I see the init and agent containers when I describe the POD, but the POD is failing on ImagePullBackOff even though the image already exists on the node.
from vault-k8s.
Related Issues (20)
- Allow configuration of the init/sidecar container names globally HOT 1
- Injected config tries to use IRSA token instead of the k8s service account token
- Webhook tries to add initContainer during UPDATE HOT 4
- Stuned deleting of a pod whose parents are job.
- vault.hashicorp.com/agent-init-first does not work with init containers coming from annotations
- Azure authentication method doesn't work with federated token
- Support for an agent-image built FROM scratch
- Auth config block can support common arguments from env and flags
- Tokens not revoked on Vault Agent Shutdown created via a Job using the /agent/v1/quit endpoint HOT 3
- Pipeline Request: Rebuild Dockerhub Image HOT 1
- Support for a securityContext.seccompProfile configuration HOT 1
- Support vault secret inject while the main pod "automountServiceAccountToken" set false HOT 1
- [controller-runtime] log.SetLogger(...) was never called; logs will not be displayed. HOT 1
- Sidecar agent does not handle manually rotated static database secret
- Inject the Agent as a native sidecar HOT 2
- Allow patching the Agent's configuration HOT 3
- vault agent export container port for scape metrics through podmonitor
- Problems encountered using consul as a storage backend
- Problems when using GCP KMS decryption
- Injected Agent config uses `token_path` instead of `path` for `jwt` auth method
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-k8s.