Hashicorp Vault - Get secret in an OpenShift pod

by Jeremy Canfield | Updated: January 14 2025 | Hashicorp Vault articles

Let's say you have an application running on OpenShift and you want to fetch the value of a secret from Hashicorp Vault. Assuming you are using a deployment.yaml for the creation of the pod, you will add the following annotations.
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: my-role
        vault.hashicorp.com/agent-inject-secret-foo-bar: foo/bar
This should create a vault-agent-init container that, as the name suggests, initializes Hashicorp Vault.
]$ oc logs pod/my-pod-abcde --container vault-agent-init
==> Vault Agent started! Log data will stream in below:
==> Vault Agent configuration:
Api Address 1: http://bufconn
Cgo: disabled
Log Level: info
Version: Vault v1.17.1, built 2024-06-25T16:33:25Z
Version Sha: b8ab595639e7473eb153571521bbaf522cdafb27
2025-01-14T11:58:52.166Z [INFO] agent.sink.file: creating file sink
2025-01-14T11:58:52.166Z [INFO] agent.sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2025-01-14T11:58:52.166Z [INFO] agent.exec.server: starting exec server
2025-01-14T11:58:52.166Z [INFO] agent.exec.server: no env templates or exec config, exiting
2025-01-14T11:58:52.166Z [INFO] agent.sink.server: starting sink server
2025-01-14T11:58:52.166Z [INFO] agent.template.server: starting template server
2025-01-14T11:58:52.166Z [INFO] agent.auth.handler: starting auth handler
2025-01-14T11:58:52.166Z [INFO] agent.auth.handler: authenticating
2025-01-14T11:58:52.166Z [INFO] agent: (runner) creating new runner (dry: false, once: false)
2025-01-14T11:58:52.167Z [INFO] agent: (runner) creating watcher
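
A pre-deployment check for the annotations shown above, as an added example (not code from the original article). It reads a Deployment as JSON, flags common annotation mistakes, and lists where each secret should be rendered. It assumes the injector's default secrets path /vault/secrets/; the sample manifest and the name check_injection are constructed for illustration.

```python
import json

PREFIX = "vault.hashicorp.com/"
SECRET = PREFIX + "agent-inject-secret-"
MOUNT = "/vault/secrets/"  # assumption: the injector's default secrets volume path

# Constructed sample: the page's annotations as `oc get deployment -o json` would show them.
SAMPLE = json.loads("""
{"metadata": {"name": "my-app"},
 "spec": {"template": {"metadata": {"annotations": {
   "vault.hashicorp.com/agent-inject": "true",
   "vault.hashicorp.com/role": "my-role",
   "vault.hashicorp.com/agent-inject-secret-foo-bar": "foo/bar"}}}}}
""")


def check_injection(deployment):
    """Return ({rendered file: Vault path}, [problems]) for a Deployment dict."""
    problems = []
    own = deployment.get("metadata", {}).get("annotations") or {}
    pod = deployment.get("spec", {}).get("template", {}).get("metadata", {})
    ann = pod.get("annotations") or {}
    # The annotations belong on the pod template, as in the page's snippet.
    if any(k.startswith(PREFIX) for k in own):
        problems.append("vault annotations set on the Deployment, not spec.template")
    # Annotation values are strings; an unquoted YAML true parses as a boolean.
    for key, value in ann.items():
        if key.startswith(PREFIX) and not isinstance(value, str):
            problems.append(f"{key}: {value!r} is not a string, quote it")
    if ann.get(PREFIX + "agent-inject") != "true":
        problems.append('agent-inject is not "true"')
    if not ann.get(PREFIX + "role"):
        problems.append("role annotation missing")
    files = {MOUNT + k[len(SECRET):]: v
             for k, v in ann.items() if k.startswith(SECRET)}
    if not files:
        problems.append("no agent-inject-secret-<name> annotation")
    return files, problems


if __name__ == "__main__":
    files, problems = check_injection(SAMPLE)
    for path, source in files.items():
        print(f"{source} -> {path}")
    for p in problems:
        print("PROBLEM:", p)
```
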