Inject the Agent as a native sidecar #620

Open
busser opened this issue Apr 2, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@busser
Contributor

busser commented Apr 2, 2024

Hi 👋

Is your feature request related to a problem? Please describe.

Running the Vault Agent as a sidecar container is extremely useful. However, like with most sidecars, we quickly run into issues that require custom solutions. For example:

  • the Agent needs to run as both an init-container and a sidecar container to ensure secrets are available to the main container when it starts
  • the init-container must persist leases for the sidecar container, to avoid double-fetching secrets
  • the sidecar container must not be injected into short-lived pods like those created by Jobs

Kubernetes native sidecars aim to solve these issues for all sidecars, including the Vault Agent.

Describe the solution you'd like

I would like the Agent Injector to support injecting the Agent as a native sidecar.

Concretely, this means that the Injector should:

  • add only the init-container
  • set the init-container's restartPolicy to Always
  • configure the Agent to run forever and not fetch secrets only once
  • configure a startupProbe so that Kubernetes knows when secrets have been fetched and templates rendered at least once

Implementing the startup probe in the Agent may require further discussion. This may require adding a new endpoint to the Agent.

We could start by adding a boolean annotation that enables this behaviour on annotated pods. The annotation could be named agent-native-sidecar for instance. I think that eventually this behaviour could become the default on clusters where the native sidecars feature is enabled.

Additional context

I am more than happy to help implement this feature.

@busser busser added the enhancement New feature or request label Apr 2, 2024
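As an added illustration (not part of this issue or of the vault-k8s project), a constructed Pod spec showing the four points above expressed as Kubernetes fields; the image tags, config path, volume names and the exec-based startupProbe are assumptions:

```yaml
# Constructed example of a Pod after injection under the proposed
# agent-native-sidecar behaviour. Image tags, mount paths, volume names
# and the probe are assumptions, not actual injector output.
apiVersion: v1
kind: Pod
metadata:
  name: app
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-config: "secret/data/app"
    # Annotation name proposed in this issue; not implemented yet.
    vault.hashicorp.com/agent-native-sidecar: "true"
spec:
  serviceAccountName: app
  initContainers:
    # Only the init-container is added; there is no second sidecar
    # container, so no lease hand-off between containers is needed.
    - name: vault-agent
      image: hashicorp/vault:<version>   # placeholder
      # restartPolicy: Always on an init container makes it a Kubernetes
      # native sidecar: started before the app containers, kept running
      # beside them, restarted if it dies, stopped after they exit.
      restartPolicy: Always
      # No exit-after-auth: the Agent runs forever, renewing leases and
      # re-rendering templates instead of fetching secrets once.
      args: ["agent", "-config=/vault/configs/config.hcl"]   # assumed path
      volumeMounts:
        - name: vault-config
          mountPath: /vault/configs
        - name: vault-secrets
          mountPath: /vault/secrets
      # Kubernetes does not start the app containers until this probe
      # succeeds. A dedicated Agent endpoint is still open for discussion,
      # so this assumed probe only checks the template was rendered once.
      startupProbe:
        exec:
          command: ["test", "-s", "/vault/secrets/config"]
        periodSeconds: 2
        failureThreshold: 30
  containers:
    - name: app
      image: example.com/app:<tag>   # placeholder
      volumeMounts:
        - name: vault-secrets
          mountPath: /vault/secrets
          readOnly: true
  volumes:
    - name: vault-config
      emptyDir: {}
    - name: vault-secrets
      emptyDir:
        medium: Memory
```

Because a native sidecar is terminated by the kubelet once the regular containers exit, the same spec can be used for Jobs without leaving the Agent holding the Pod open.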
@tvoran
Member

tvoran commented Apr 13, 2024

Thanks for raising this too! The lack of a long-lived sidecar option is precisely why we ended up adding persistent caching to Vault agent, but it would be great to remove the need for that complexity. I've been meaning to try this out for a while, but contributions welcome!

@komapa

komapa commented Apr 18, 2024

I would like to see this functionality implemented as well now that native sidecars are beta in 1.29 and we have 1.30 already released. I can help test any implementation with real use cases.
