The mutating webhook adds the following PodSpec, Secret, ConfigMap, and CRD annotations.

Annotation default Explanation "https://vault:8200" Same as VAULT_ADDR "vault:latest" Vault agent image IfNotPresent the Pull policy for the vault agent container "" The Vault role for Vault agent to use, for Pods it is the name of the ServiceAccount if not specified "kubernetes" The mount path of the auth method "false" Same as VAULT_SKIP_VERIFY "" Name of the Kubernetes Secret holding the CA certificate for Vault "false" When enabled will only log warnings when Vault secrets are missing "" Comma separated list of VAULT_* related environment variables to pass through to vault-env to the main process. E.g. VAULT_ADDR,VAULT_ROLE. "false" Run vault-env as a daemon instead of replacing itself with the main process. For details, see /docs/bank-vaults/mutating-webhook/deploy/#daemon-mode. "banzaicloud/vault-env:latest" vault-env image IfNotPresent the Pull policy for the vault-env container "false" Mutate the annotated ConfigMap as well (only Secrets and Pods are mutated by default) "false" Log in JSON format in vault-env "" Defines the mutation of the given resource, possible values: "skip" which prevents it. "" Comma-delimited list of vault paths to pull in all secrets as environment variables "" {volume:file} to be injected as .vault-token. "kubernetes" The Vault authentication method to be used, one of ["kubernetes", "aws-ec2", "gcp-gce", "jwt"] "" The ServiceAccount in the objects namespace to use, useful for non-pod resources "" The Vault Namespace secrets will be pulled from. This annotation sets the VAULT_NAMESPACE environment variable. More information on namespaces within Vault can be found here