I am trying to use a vault agent sidecar where I am injecting a secret into my kubernetes pod at the location /vault/secrets/... and I then use a spring.config.import property to pull in that file for my application.
I have a @RefreshScope annotated component that is logging the secret information for debugging purposes, which I have compared to the secret information that is mounted to the container. The logged information does not change from initial startup, while the secret file content does.
I am also using a config map with kubernetes which is the reason for needing this dependency.
I am using a spring boot parent on version 2.7.18 along with
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>2021.0.8</version>
to manage my spring cloud version.
Here is my bootstrap.properties file:
spring.config.activate.on-profile=kubernetes
spring.cloud.kubernetes.enabled=true
spring.cloud.kubernetes.discovery.enabled=false
spring.cloud.kubernetes.reload.enabled=false
spring.cloud.kubernetes.config.enabled=true
spring.cloud.kubernetes.secrets.enabled=true
spring.cloud.kubernetes.secrets.paths=/vault/secrets
spring.cloud.kubernetes.config.name=app
Here is how I am integrating my vault sidecar (with some stuff swapped to hide context):
vault.hashicorp.com/agent-inject: "true" # this deployment will need secrets from Vault
vault.hashicorp.com/role: namespace-app # auth role to log in to Vault
vault.hashicorp.com/agent-inject-secret-azure-app: azure/creds/namespace-app # path to a secret
vault.hashicorp.com/agent-inject-template-azure-app: | # template for the secret in environment file format
  {{- with secret "azure/creds/namespace-app" -}}
  {{ range $k, $v := .Data }}
  azure.{{ $k }}={{ $v }}
  {{ end }}
  {{- end }}
vault.hashicorp.com/agent-inject-containers: "${{APP_NAME}}"
vault.hashicorp.com/agent-inject-command-azure-app: |
  curl -s --request POST http://127.0.0.1:8081/actuator/refresh
vault.hashicorp.com/agent-revoke-on-shutdown: "true"
The config map works and has for a while. The sidecar itself works and injects/updates the credentials in the file when necessary. What isn’t working is the spring application itself updating the properties and thus causing issues.
I have tried using the secrets functionality of the kubernetes starter with no additional luck.
Additionally, I have tried running the app locally: if I swap out spring-cloud-starter-kubernetes-fabric8-config for spring-cloud-starter and hit my actuator refresh endpoint, I can see those credentials refresh both on the /actuator/refresh endpoint and in the application debug logs. However, with the integration of the kubernetes starter it stops working. Locally I pulled all properties into my application.properties to reduce spots of failure.
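As an added example (not code from the question or from Spring Cloud itself), here is a @RefreshScope bean that reads the azure.* keys the agent template above writes and logs a SHA-256 fingerprint of the secret instead of its value, so a refresh can be confirmed from the logs without recording the credential. The class name and the client_id/client_secret key names are assumptions about what azure/creds returns.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.annotation.PostConstruct;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;

// Added example: the bean is rebuilt on its next access after POST /actuator/refresh,
// so a changed fingerprint in the log confirms the rotated /vault/secrets file was re-read.
@Component
@RefreshScope
public class AzureCredentialProbe {

    private static final Logger log = LoggerFactory.getLogger(AzureCredentialProbe.class);

    // Property names follow the "azure.<key>=<value>" lines the agent template writes;
    // client_id / client_secret are assumed to be the keys returned by azure/creds.
    private final String clientId;
    private final String clientSecret;

    public AzureCredentialProbe(@Value("${azure.client_id}") String clientId,
                                @Value("${azure.client_secret}") String clientSecret) {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @PostConstruct
    void logFingerprint() {
        // Log a short digest, not the credential, so rotation is visible without leaking the value.
        log.info("azure credentials loaded: client_id={} secret_sha256_prefix={}",
                 clientId, fingerprint(clientSecret));
    }

    static String fingerprint(String secret) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(secret.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) hex.append(String.format("%02x", digest[i]));
            return hex.toString(); // first 8 hex characters are enough to spot a change
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

If the prefix logged after the agent's refresh call matches the one logged at startup while the file content differs, the new file was not re-read into the environment, which is the symptom described above.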