echo '
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app-prod
  labels:
    app: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
      annotations:
        vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200"
        vault.security.banzaicloud.io/vault-role: "myapp-prod"
    spec:
      serviceAccountName: myapp-prod-sa
      terminationGracePeriodSeconds: 1
      containers:
      - name: busybox
        image: busybox
        command:
        - /bin/sh
        - -c
        - |
          printenv
          sleep 999999
        env:
        - name: MYKEY
          value: vault:k8s/data/myapp/prod#mykey
' > app.yaml

kubectl -n app-prod apply -f app.yaml

k -n vault-infra logs deployments/vault-secrets-webhook

time=2025-03-16T11:07:22.530Z level=INFO msg="Admission review request handled" app=vault-secrets-webhook svc=http.Handler ns=app-prod webhook-kind=mutating wh-version=v1beta1 dry-run=false path=/pods trace-id="" name="" request-id=5ce99e64-e672-42bc-8eb9-024145fcb584 webhook-id=vault-secrets-pods op=create kind=v1/Pod duration=1.886875ms

k -n app-prod get pod app-86dd886d45-s4xnf -o yaml

- command:
    - sh
    - -c
    - cp /usr/local/bin/vault-env /vault/
    image: ghcr.io/bank-vaults/vault-env:v1.21.7
    imagePullPolicy: IfNotPresent
    name: copy-vault-env
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: false
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /vault/
      name: vault-env
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-5xchz
      readOnly: true

- emptyDir:
      medium: Memory
    name: vault-env

- args:
    - /bin/sh
    - -c
    - |
      printenv
      sleep 999999
    command:
    - /vault/vault-env
    env:
    - name: MYKEY
      value: vault:k8s/data/myapp/prod#mykey
    - name: VAULT_ADDR
      value: https://vault.vault:8200
    - name: VAULT_SKIP_VERIFY
      value: "false"
    - name: VAULT_AUTH_METHOD
      value: jwt
    - name: VAULT_PATH
      value: kubernetes
    - name: VAULT_ROLE
      value: myapp-prod
    - name: VAULT_IGNORE_MISSING_SECRETS
      value: "false"
    - name: VAULT_ENV_PASSTHROUGH
    - name: VAULT_JSON_LOG
      value: "false"
    - name: VAULT_CLIENT_TIMEOUT
      value: 10s
    - name: VAULT_LOG_LEVEL
      value: info
    - name: VAULT_TRANSIT_BATCH_SIZE
      value: "25"

err = syscall.Exec(binary, entrypointCmd, sanitized.env)

k -n app-prod exec -it app-746476f78-hksg5 -- ps aux
Defaulted container "busybox" out of: busybox, copy-vault-env (init)
PID   USER     TIME  COMMAND
    1 root      0:00 /bin/sh -c trap 'echo "SIGHUP received, reloading configur
  186 root      0:00 sleep 1

execve() executes the program referred to by pathname. This causes the program that is currently being run by the calling process to be replaced with a new program, with newly initializedstack, heap, and (initialized and uninitialized) data segments.

k -n app-prod exec -it app-746476f78-hksg5 -- cat /proc/1/environ