For it to inject the OAuth2-Proxy sidecar, the label security.plural.sh/inject-oauth-sidecar: "true" and the annotation security.plural.sh/oauth-env-secret: <some_secret_name> need to be present on the pod. The secret from the annotation is used in the envFrom field of the OAuth2-Proxy container to configure OAuth2-Proxy.