
Vault-agent configmap created by mutating webhook is not deleted when pod is finished #1663

Open
dhpizza opened this issue Aug 1, 2022 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@dhpizza

dhpizza commented Aug 1, 2022

Describe the issue

vault-agent configmap is not deleted when pod is gone. This becomes an issue when having hundreds of thousands of these orphaned resources in the cluster which can happen quite easily.

Expected behaviour

Configmap to be deleted when corresponding pod is deleted

Steps to reproduce

Minimal pod template with annotations to trigger the mutating webhook to add consul-template and vault-agent as init containers.

after startup of my-pod, you see a configmap my-pod-vault-agent-config created.
Now delete the pod, you see that the configmap stays deployed as an orphaned resource.

Suggestion for a fix

adding pod id as ownerReference in the configmap

like this

metadata:
  ownerReferences:
    - apiVersion: v1
      blockOwnerDeletion: true
      controller: true
      kind: Pod
      name: <pod-name>
      uid: <pod-uid>

so that the configmap is deleted when the pod is deleted.

Environment details:

Kubernetes version (e.g. v1.10.2): v1.21.11
Cloud-provider/provisioner (e.g. AKS, GKE, EKS, PKE etc): -
bank-vaults version (e.g. 0.4.17): (webhook chart version): 1.15.11

  • ghcr.io/banzaicloud/vault-secrets-webhook:1.15.3
  • hashicorp/consul-template:0.27.2
  • vault:1.6.2

Install method (e.g. helm or static manifests): helm chart
Logs from the misbehaving component (and any other relevant logs): see above
Resource definition (possibly in YAML format) that caused the issue, without sensitive data:

  • pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    vault.security.banzaicloud.io/run-as-non-root: "false"
    vault.security.banzaicloud.io/vault-client-timeout: 120s
    vault.security.banzaicloud.io/vault-ct-configmap: my-configmap
    vault.security.banzaicloud.io/vault-ct-once: "true"
    vault.security.banzaicloud.io/vault-path: k8scl-k8slab
    vault.security.banzaicloud.io/vault-role: reference-apps
  labels:
    run: my-pod
  name: my-pod
spec:
  containers:
  - image: busybox
    imagePullPolicy: IfNotPresent
    name: my-pod
  • ct-configmap.yaml
apiVersion: v1
data:
  config.hcl: |
    vault {
      vault_agent_token_file = "/vault/.vault-token"
      renew_token = true
    }
    template {
      contents = <<EOH
    {{- with secret "secret/" -}}
    {{ index .Data "blabla.keytab" | base64Decode }}
    {{- end -}}
    EOH
      destination = "/vault/secrets/blabla.keytab"
    }
kind: ConfigMap
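The following is an added example, not code from the bank-vaults webhook or from the issue author. It shows the two sides of the report above in Python: building the `ownerReferences` entry that the suggested fix would put on the generated ConfigMap, and auditing an existing cluster for ConfigMaps that have already been orphaned. It assumes the naming pattern `<pod-name>-vault-agent-config` seen in the reproduction steps, and it assumes input dictionaries shaped like the `items` of `kubectl get pods -o json` and `kubectl get configmaps -o json`; the pod and ConfigMap lists in the block are constructed sample data. One caveat on the proposed fix: the API server assigns a pod's `metadata.uid` only after admission, so a mutating webhook handling the pod CREATE request does not yet have a uid to put in the reference, and an ownerReference without a uid is rejected. `owner_reference_for_pod` therefore refuses to build a reference for a pod that has no uid.

```python
"""Pod-owned vault-agent ConfigMaps: build the ownerReference, audit for orphans.

Added example (not bank-vaults code). Assumes:
  * generated ConfigMaps are named "<pod-name>-vault-agent-config" (as in the issue);
  * pods/configmaps are dicts shaped like `kubectl get ... -o json` items.
"""
import json

VAULT_AGENT_SUFFIX = "-vault-agent-config"  # naming pattern from the issue (assumption)


def owner_reference_for_pod(pod: dict) -> dict:
    """Return the ownerReferences entry the issue proposes, pointing at `pod`.

    Raises ValueError when the pod has no uid yet: the API server assigns
    metadata.uid after admission, so a reference built inside a mutating
    webhook at CREATE time would be incomplete and rejected.
    """
    meta = pod["metadata"]
    uid = meta.get("uid")
    if not uid:
        raise ValueError(f"pod {meta.get('name')!r} has no uid yet; cannot be an owner")
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "name": meta["name"],
        "uid": uid,
        "controller": True,
        "blockOwnerDeletion": True,
    }


def vault_agent_configmap(pod: dict, config_hcl: str) -> dict:
    """Build the generated ConfigMap manifest with the pod as its owner.

    Owner and dependent must live in the same namespace for garbage
    collection to work, so the namespace is copied from the pod.
    """
    meta = pod["metadata"]
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {
            "name": meta["name"] + VAULT_AGENT_SUFFIX,
            "namespace": meta.get("namespace", "default"),
            "ownerReferences": [owner_reference_for_pod(pod)],
        },
        "data": {"config.hcl": config_hcl},
    }


def orphaned_vault_agent_configmaps(configmaps: list, pods: list) -> list:
    """Return "namespace/name" of vault-agent ConfigMaps whose pod no longer exists.

    Only ConfigMaps matching the generated naming pattern are considered, so
    user-supplied ConfigMaps (e.g. the consul-template config) are never listed.
    """
    live = {(p["metadata"].get("namespace", "default"), p["metadata"]["name"]) for p in pods}
    orphans = []
    for cm in configmaps:
        meta = cm["metadata"]
        name = meta["name"]
        if not name.endswith(VAULT_AGENT_SUFFIX):
            continue
        namespace = meta.get("namespace", "default")
        pod_name = name[: -len(VAULT_AGENT_SUFFIX)]
        if (namespace, pod_name) not in live:
            orphans.append(f"{namespace}/{name}")
    return orphans


# Constructed sample data: one live pod, one stale ConfigMap left behind by a
# deleted pod, one ConfigMap in another namespace with a colliding pod name,
# and the user's own consul-template ConfigMap which must be ignored.
SAMPLE_PODS = [
    {"metadata": {"name": "my-pod", "namespace": "default",
                  "uid": "11111111-2222-3333-4444-555555555555"}},
]
SAMPLE_CONFIGMAPS = [
    {"metadata": {"name": "my-pod-vault-agent-config", "namespace": "default"}},
    {"metadata": {"name": "old-pod-vault-agent-config", "namespace": "default"}},
    {"metadata": {"name": "my-pod-vault-agent-config", "namespace": "other"}},
    {"metadata": {"name": "my-configmap", "namespace": "default"}},
]

if __name__ == "__main__":
    print(json.dumps(vault_agent_configmap(SAMPLE_PODS[0], "vault {}\n"), indent=2))
    print("orphans:", orphaned_vault_agent_configmaps(SAMPLE_CONFIGMAPS, SAMPLE_PODS))
```

To run the audit against a real cluster, feed `orphaned_vault_agent_configmaps` the `items` arrays from `kubectl get configmaps -A -o json` and `kubectl get pods -A -o json`; the same-namespace check matters because an ownerReference can only point at an object in the dependent's own namespace.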
@dhpizza
Author

dhpizza commented Oct 4, 2022

/kind bug


Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jan 28, 2024
@ramizpolic
Member

Hi @dhpizza, could you verify if this is still relevant?

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 4, 2024

github-actions bot commented Apr 7, 2024

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 7, 2024
@ramizpolic ramizpolic removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 7, 2024
@dhpizza
Author

dhpizza commented Apr 7, 2024

Hi @dhpizza, could you verify if this is still relevant?

Hi @ramizpolic
yes still relevant, thanks

@ramizpolic ramizpolic added the kind/bug Categorizes issue or PR as related to a bug. label Apr 7, 2024