running the following:
vault v1.9.3
csi-secrets-store/driver:v1.2.4
vault-csi-provider:1.2.0
secrets engine (mysql-role) ttl is 14days and max ttl is 30 days
on the auth-method the role has ttl set to 14 days with max ttl 30 days
the csi-driver settings
requiresRepublish: true
storageCapacity: false
tokenRequests:
- audience: vault
expirationSeconds: 3600
volumeLifecycleModes:
- Ephemeral
on the secrets-store-csi-driver the --rotation-poll-interval=10080m
and I’m using the reloader app.
everything works great but after a few hours vault revokes the token and then removes the mysql user from the db, the secret stays in tact and doesn’t change but the service loses its’ connection as it now has an expired credential.
restarting the the pod keeps the same credential and doesn’t work so the only option is to delete the secret and cycle the pods which creates fresh credentials that will seemingly stay on for a random few hours before it gets revoked again.
Please help