How to render secrets to a path without overwriting existing files there (Vault Agent Injector)
09:09 11 Feb 2026

I'm trying to deploy PgAdmin4 to Kubernetes. I have a custom config_local.py that contains an oauth2 client secret. I have the contents of config_local.py stored in Vault. Ideally, I'd have the following annotations in my spec.template.metadata.annotations:

    vault.hashicorp.com/agent-inject-secret-config_local.py:
    vault.hashicorp.com/secret-volume-path-config_local.py: /pgadmin4
    vault.hashicorp.com/agent-inject-template-config_local.py: |
      {{`{{ with secret "" }}
      {{ .Data.config_local }}
      {{ end }}`}}

This does write my config_local.py to the /pgadmin4 directory, but it also makes it so that that is the only file that gets written to that directory, and PgAdmin4 requires a dozen or so other files in /pgadmin4. I believe those files never get created because the Agent Injector creates an emptyDir at /pgadmin4 which either overwrites existing files or prevents those files from being created.

The exact error from the above is something along the lines of ModuleNotFoundError: No module named 'config'.

So, my next attempt was to omit the vault.hashicorp.com/secret-volume-path-config_local.py annotation and use cp /vault/secrets/config_local.py /pgadmin4/config_local.py in the spec.template.spec.containers.command section, but that fails because the container is running as the pgadmin user, whereas the /pgadmin4 directory is owned by root. I don't want to change the securityContext of my container because I should not run PgAdmin as root. I also can't chown the dir.

My next attempt was to use an initContainer, which can be run as root. However, that didn't work because apparently during the image's entrypoint, the /pgadmin4 directory gets overwritten and I lose config_local.py.

For the moment, I have fallen back on using native K8s secrets, but I hate this because I can't check secret values into version control, so what is my team meant to do when the secret gets deleted by accident after I get hit by a bus?

I have scoured the Internet and cannot find any information on Vault+PgAdmin4+Kubernetes, so any help is greatly appreciated.

I do acknowledge that my question is very similar to this question: Vault Agent Injector: How to render secrets to a subpath without overwriting existing files in the mount path? I also think my question is just different and specific enough to warrant a brand new discussion.

This is a specific programming question. An extremely similar question exists on this site and is allowed to stay up. Please be kind.

kubernetes pgadmin hashicorp-vault pgadmin-4 vault