From db2f4c9fbb25dd771cafee275a6a457d0f438161 Mon Sep 17 00:00:00 2001
From: Mark McGarry
Date: Wed, 16 Jul 2025 15:57:04 +0100
Subject: [PATCH] Skip pod mutation if vault agent inject annotation present
---
 webhook.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/webhook.go b/webhook.go
index eac5e6d..b795470 100644
--- a/webhook.go
+++ b/webhook.go
@@ -120,6 +120,14 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR
 ownerKind = pod.ObjectMeta.OwnerReferences[0].Kind
 ownerName = pod.ObjectMeta.OwnerReferences[0].Name
 }
+
+ if pod.ObjectMeta.Annotations["vault.hashicorp.com/agent-inject"] == "true" {
+ log.Infof("Skipping mutation for %s/%s, vault agent-inject annotation found", req.Namespace, ownerName)
+ return &v1beta1.AdmissionResponse{
+ Allowed: true,
+ }
+ }
+
 log.Infof("AdmissionReview for Kind=%v, Namespace=%v Name=%v UID=%v patchOperation=%v UserInfo=%v", ownerKind, req.Namespace, ownerName, req.UID, req.Operation, req.UserInfo)
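Review bot: The new early return in `mutate` lets whoever writes the pod spec opt out of this webhook by setting `vault.hashicorp.com/agent-inject: "true"`, and it returns before the existing `AdmissionReview for Kind=...` log call, so a skipped request is logged without `req.UID` or `req.UserInfo`. If the mutation enforces anything rather than being a convenience, the skip should depend on something the pod author does not control; the hunk does not show what the mutation does, so this needs confirming. At minimum, move the check below the AdmissionReview log call or carry the same fields, e.g. `log.Infof("Skipping mutation for %s/%s, vault agent-inject annotation found UID=%v UserInfo=%v", req.Namespace, ownerName, req.UID, req.UserInfo)`. The exact comparison `== "true"` may also miss other boolean spellings that the Vault injector accepts, which is worth checking against its parsing. The body of `mutate` starts and ends outside the hunk.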