Hi everyone, I'm running Prefect in Kubernetes and I'm trying to make it talk to an existing vault. We use the Kubernetes agent to deploy jobs, by default the job doesn't talk to the vault. I would need to add some annotations to the job to make it work

<http://vault.security.banzaicloud.io/vault-addr|vault.security.banzaicloud.io/vault-addr>:
<http://vault.security.banzaicloud.io/vault-role|vault.security.banzaicloud.io/vault-role>:

Looking at the code of the agent the

job_spec

is hardwired and I cannot modify it. I've also checked the

KubernetesJobEnvironment

which seems like a way to go for a custom

job_spec.yaml

file. But in this case, the environment values specified in the prefect Kubernetes agent

prefect agent start kubernetes --env NAME=value

don't get passed to the custom job. They only get passed to the first Job that creates the custom job. Is there another way to have both custom annotations on Jobs and environment values passed from prefect kubernetes agent?

Hi @Lukas N. there is actually a PR open now that someone in the community made to allow shipping yaml templates with the k8s agent that could then be used for the initial prefect-job https://github.com/PrefectHQ/prefect/pull/3046 QQ: Why would the initial prefect-job need access to your vault since the flow would be running on the job created by the KubernetesJobEnvironment?

Oh nice, that PR is exactly what I need! The initial job doesn't need access to the vault. We have multiple clusters - staging and production. Each of them is running the

prefect agent start kubernetes --env NAME=...

with different environment variables. They need to be passed to the job. If I use

LocalEnvironment

, the initial job doesn't have access to the vault. If I use

KubernetesJobEnvironment

the values don't get injected into the environment of the second (actual) job.