feat: new annotation - mutateContainers (choose containers for mutating)

[antonaleks]

Changes

This PR introduces a new annotation:

vault.security.banzaicloud.io/mutate-containers

which allows users to explicitly define which containers inside a Pod should be mutated by the vault-secrets-webhook.

Prior to this change, the webhook injected vault-env into all containers and initContainers when vault-env-from-path annotation was present.
This behavior caused issues in workloads where only a subset of containers should receive Vault secrets, while others (e.g., sidecars, system init containers, Argo "wait" containers, etc.) must not be wrapped.

The new annotation accepts a comma-separated list of container names and limits mutation only to containers listed there.
If the annotation is omitted, the webhook continues to mutate all containers, maintaining backward compatibility.

Motivation

Many real-world Kubernetes workloads include containers that must not be wrapped with vault-env, such as:

system init containers performing filesystem operations,

logging, metrics, or service mesh sidecars,

Argo Workflows "wait" or "main" containers with strict command/entrypoint assumptions.

Injecting vault-env into these containers may break workloads or cause unexpected failures.

This feature provides fine-grained control by allowing users to specify exactly which containers require Vault secret injection.

Example:

annotations:
  vault.security.banzaicloud.io/vault-env-from-path: "secret/data/app"
  vault.security.banzaicloud.io/mutate-containers: "app,worker"

Only the app and worker containers will be mutated, while all others remain untouched.

This provides safer, more predictable webhook behavior in complex Pod specifications and avoids relying on excluding mutation via external admission controllers (e.g., Kyverno).

[csatib02]

Hey @antonaleks,

This would include a breaking change that we really don't wan to have, as the mutation operation was the exact opposite before, also mutation can already be skipped if the vault.security.banzaicloud.io/mutate is set to skip.

[antonaleks]

Hey @csatib02
vault.security.banzaicloud.io/mutate will skip mutation on all pod?
If i have pod with 3-4 side or init containers, how i can skip mutation only for these? and mutate my main container?

[csatib02]

Well the webhook is pod scoped, and mutation considers pods for mutation if they don't have a vault-env init-container.
So it would be a hard change to implement that.

[github-actions]

Thank you for your contribution! This PR has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this pull request is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.