1. Install the Vault Agent Injector from the HashiCorp Vault Helm chart with `injector.enabled=true`, and configure it to point at your Vault address.
2. Enable the Kubernetes auth method in Vault and create a role that binds your pod's ServiceAccount and namespace to a Vault policy.
3. Annotate your pod template with `vault.hashicorp.com/agent-inject: 'true'`, `vault.hashicorp.com/role: YOUR_ROLE`, and one `vault.hashicorp.com/agent-inject-secret-<filename>` annotation per secret path.
4. Optionally add a template annotation to control the rendered file format (for example `export KEY=value` shell syntax, or JSON) inside the injected secret file.
5. Deploy the workload: the mutating webhook injects an init container that logs in to Vault, fetches the secrets, and writes them to a shared in-memory volume before the app container starts.
6. For long-running pods, the sidecar agent container keeps running to renew leases and refresh rotating secrets without restarting the app.
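The six steps above as one bootstrap script, an added example that is not from the original page. Every name in it is constructed: namespace `payments`, ServiceAccount and Vault role `payments-api`, policy `payments-api-read`, a KV v2 secret at `secret/data/payments/db`, and an external Vault at `https://vault.example.internal:8200`. Step 1 installs the injector alone via the chart's `server.enabled=false` and `injector.externalVaultAddr` values; `render_deployment` produces the annotated manifest for steps 3 and 4, and `deploy` applies it for step 5.

```shell
#!/usr/bin/env sh
# Added example: bootstrap Vault Agent Injector for a single workload.
# All names below are constructed placeholders, not values from the original page.
set -eu

VAULT_ADDR_EXTERNAL="${VAULT_ADDR_EXTERNAL:-https://vault.example.internal:8200}"
K8S_API_URL="${K8S_API_URL:-https://kubernetes.default.svc:443}"
APP_NS="payments"
APP_SA="payments-api"
VAULT_ROLE="payments-api"
VAULT_POLICY="payments-api-read"
SECRET_PATH="secret/data/payments/db"   # KV v2 API path: the "data/" segment is required

# Step 1: install only the injector (no in-cluster Vault server) and point it at Vault.
install_injector() {
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm upgrade --install vault hashicorp/vault \
    --namespace vault --create-namespace \
    --set "server.enabled=false" \
    --set "injector.enabled=true" \
    --set "injector.externalVaultAddr=${VAULT_ADDR_EXTERNAL}"
}

# Step 2: enable Kubernetes auth and bind ServiceAccount + namespace to a read-only policy.
configure_vault_auth() {
  vault auth enable kubernetes || true   # idempotent on re-run
  # An external Vault also needs the API server CA and a token-reviewer JWT;
  # in-cluster Vault (>= 1.9) can use its own ServiceAccount token.
  vault write auth/kubernetes/config kubernetes_host="${K8S_API_URL}"

  # Least privilege: the role may read exactly one secret path.
  vault policy write "${VAULT_POLICY}" - <<EOF
path "${SECRET_PATH}" {
  capabilities = ["read"]
}
EOF

  vault write "auth/kubernetes/role/${VAULT_ROLE}" \
    bound_service_account_names="${APP_SA}" \
    bound_service_account_namespaces="${APP_NS}" \
    policies="${VAULT_POLICY}" \
    ttl="1h"
}

# Steps 3 and 4: render a Deployment carrying the inject, role, secret and template annotations.
render_deployment() {
  name="$1" image="$2"
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${name}
  namespace: ${APP_NS}
spec:
  replicas: 1
  selector:
    matchLabels: {app: ${name}}
  template:
    metadata:
      labels: {app: ${name}}
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "${VAULT_ROLE}"
        # Rendered to /vault/secrets/db.env on the shared tmpfs volume.
        vault.hashicorp.com/agent-inject-secret-db.env: "${SECRET_PATH}"
        # Step 4: shell-export format so the app can source the file; KV v2 nests values under .Data.data.
        vault.hashicorp.com/agent-inject-template-db.env: |
          {{- with secret "${SECRET_PATH}" -}}
          export DB_USER="{{ .Data.data.username }}"
          export DB_PASSWORD="{{ .Data.data.password }}"
          {{- end }}
    spec:
      serviceAccountName: ${APP_SA}
      containers:
      - name: app
        image: ${image}
        # Secrets never appear as env vars on their own: source the rendered file, then exec the server.
        command: ["/bin/sh", "-c", ". /vault/secrets/db.env && exec /app/server"]
EOF
}

# Step 5: apply the rendered manifest; the webhook adds the init and sidecar containers.
deploy() {
  render_deployment "$@" | kubectl apply -f -
}
```

Run it as `install_injector && configure_vault_auth && deploy payments-api <image>`. The template annotation is what makes the file sourceable; without it the agent writes the raw secret map, which most applications cannot parse directly.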
Known gotchas
- Secrets are written to a shared in-memory `tmpfs` volume; they are not persisted to disk and are not exposed as environment variables, so your application must explicitly read (or source) the rendered file.
- If the Vault address is unreachable during pod startup, the init container fails and the pod never starts; make sure network policies permit egress to Vault from every namespace that runs injected workloads.
- The injector's mutating webhook must be reachable from the Kubernetes API server; webhook failures (network or certificate problems) block admission of every pod the webhook intercepts when `failurePolicy: Fail` is set.
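Preflight checks for the two startup failure modes above (unreachable Vault, webhook failure policy), as an added example that is not from the original page. It assumes a namespace `payments`, a Helm release named `vault` in namespace `vault` (which makes the chart name its webhook configuration `vault-agent-injector-cfg`), Vault at `https://vault.example.internal:8200`, and the constructed CIDR `10.20.0.0/24` for the Vault servers.

```shell
#!/usr/bin/env sh
# Added example: preflight checks before rolling out an injected workload.
# Names, addresses and the CIDR are constructed placeholders, not values from the original page.
set -eu

VAULT_ADDR_EXTERNAL="${VAULT_ADDR_EXTERNAL:-https://vault.example.internal:8200}"

# Gotcha: a NetworkPolicy that lets injected pods reach Vault (plus cluster DNS to
# resolve its name) without opening unrestricted egress for the whole namespace.
render_vault_egress_policy() {
  ns="$1" vault_cidr="$2"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-vault-egress
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      vault-access: "true"   # label the pods that carry the agent-inject annotations
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock: {cidr: ${vault_cidr}}
    ports:
    - {protocol: TCP, port: 8200}
  - to:   # cluster DNS, needed to resolve the Vault hostname
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: kube-system}
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
EOF
}

# Gotcha: prove Vault answers from inside the namespace before the init container has to.
# /v1/sys/health returns 200 only for an initialized, unsealed, active node; standby or
# sealed nodes return other codes, so curl -f fails and the probe exits non-zero.
check_vault_reachable() {
  ns="$1"
  kubectl -n "$ns" run vault-probe --rm -i --restart=Never \
    --labels=vault-access=true --image=curlimages/curl -- \
    curl -sSf --max-time 5 "${VAULT_ADDR_EXTERNAL}/v1/sys/health"
}

# Gotcha: report the webhook's failure policy so you know whether an injector outage
# blocks pod creation (Fail) or silently admits pods without their secrets (Ignore).
check_webhook_failure_policy() {
  kubectl get mutatingwebhookconfiguration vault-agent-injector-cfg \
    -o jsonpath='{.webhooks[0].failurePolicy}{"\n"}'
}
```

Typical use: `render_vault_egress_policy payments 10.20.0.0/24 | kubectl apply -f -`, then `check_vault_reachable payments` and `check_webhook_failure_policy`. Neither failure policy is free: `Fail` turns an injector outage into a cluster-wide deploy freeze for intercepted pods, while `Ignore` lets pods start without secrets and fail later in less obvious ways.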