First-time poster here. I have a Pod that requires 2 sidecar injections: Istio for the mesh, and Vault agent to pull secrets automatically from the HashiCorp Vault server. Both of them are started using init containers that the mutating webhook tagged on. The Istio init creates all the iptables rules so the proxy can intercept the traffic, and the Vault init authenticates to the server with the service account token. However, since the Istio init container ran to completion first, the Vault init container can never talk to the Vault server, since the iptables is already updated, and the proxy hasn’t started up yet (all init containers have to run to completion).
Of course, these are all just my speculation; if I opt out of Istio injection, the Vault init container will complete successfully. So please feel free to correct me if I am wrong.
That being said, is there a way to change the triggering order for the Mutating Webhooks, so I can put Istio’s last?
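
One way to check the ordering described in the post, as an added example that is not part of the original post: it reads a Pod object (as produced by `kubectl get pod <name> -o json`) and reports whether the Vault init container runs after Istio's iptables setup without an outbound port exclusion. The container names `istio-init` and `vault-agent-init`, Vault port 8200, and the sample Pod are assumptions based on the injectors' defaults.

```python
import json

# Assumed defaults of the two injectors; adjust if your install renames them.
ISTIO_INIT = "istio-init"
VAULT_INIT = "vault-agent-init"
EXCLUDE_ANNOTATION = "traffic.sidecar.istio.io/excludeOutboundPorts"
VAULT_PORT = "8200"  # assumed Vault listener port


def check_init_order(pod):
    """Return (order, blocked).

    order   -- init container names in the order the kubelet will run them
    blocked -- True when istio-init runs before vault-agent-init and the
               Vault port is not excluded from Istio's outbound redirection
    """
    names = [c["name"] for c in pod.get("spec", {}).get("initContainers", [])]
    annotations = pod.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(EXCLUDE_ANNOTATION, "")
    excluded = {p.strip() for p in raw.split(",") if p.strip()}
    if ISTIO_INIT not in names or VAULT_INIT not in names:
        return names, False  # only one injector touched this Pod
    istio_first = names.index(ISTIO_INIT) < names.index(VAULT_INIT)
    return names, istio_first and VAULT_PORT not in excluded


# Constructed sample: a Pod after both webhooks have mutated it.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "demo", "annotations": {"sidecar.istio.io/status": "{}"}},
  "spec": {
    "initContainers": [
      {"name": "istio-init", "image": "example/proxyv2"},
      {"name": "vault-agent-init", "image": "example/vault"}
    ],
    "containers": [{"name": "app", "image": "example/app"}]
  }
}
""")

if __name__ == "__main__":
    order, blocked = check_init_order(SAMPLE_POD)
    print("init order:", " -> ".join(order))
    print("vault init likely blocked by iptables redirect:", blocked)
```
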