[Feature] Allow the vault sidecar injector to be configured to point to the vault-active service #1021

Open
staerion opened this issue May 1, 2024 · 0 comments
Labels
enhancement New feature or request

staerion commented May 1, 2024

Is your feature request related to a problem? Please describe.
The vault agent-injector deployment has a VAULT_ADDR that is defaulting to the service vault..svc: for the internal cluster address. See also here.

When one or more replicas of the vault server statefulset are sealed, this means that the vault agent init- and sidecar containers will be pointing to sealed vault instances and returning errors. In our mind it would make sense to configure the vault agent-injector to use the vault-active service, which is always pointing to a working instance.

If it's a conscious decision to use the vault service address and there's something we're not understanding correctly we'd also be glad to know.

Describe the solution you'd like
We'd like to have the option to configure the vault agent-injector to use the vault-active service which is always pointing to the active vault server instance.

Describe alternatives you've considered
Overriding the vault address for all workloads through pod annotations, but we'd prefer to be able to set it as a default.

Additional context
N/A

@staerion staerion added the enhancement New feature or request label May 1, 2024
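
The per-workload override listed under the alternatives above, as an added example that is not part of the original issue or the project's own manifests. It uses the injector's `vault.hashicorp.com/service` annotation to point one workload's injected agent at the `vault-active` service; the namespace `vault`, port 8200, plain HTTP, and the workload, role and secret names are assumptions.

```yaml
# Constructed example: one Deployment whose injected Vault Agent is
# pointed at the vault-active service instead of the injector default.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app            # hypothetical workload name
  namespace: example           # hypothetical namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
      annotations:
        # Ask the injector to add the init and sidecar agent containers.
        vault.hashicorp.com/agent-inject: "true"
        # Per-pod override of the Vault address the agent talks to.
        # Assumes Vault runs in namespace "vault" on port 8200 over HTTP.
        vault.hashicorp.com/service: "http://vault-active.vault.svc:8200"
        # Hypothetical Kubernetes auth role and secret path.
        vault.hashicorp.com/role: "example-app"
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/example-app/config"
    spec:
      serviceAccountName: example-app   # must be bound to the role above
      containers:
        - name: app
          image: registry.example.com/example-app:1.0.0   # placeholder image
```

This has to be repeated on every injected workload, which is the overhead the request wants to avoid by making the address a default.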