We are using a combination of Vault, dynamic credentials, Postgres, Vault Agent and Kubernetes. We have a database connection and role; we inject these dynamic credentials into our application with the Vault Agent, and from our application we create some tables in a Postgres database with the injected user and password.
In the creation statement we attach the current user to a Postgres role. In the revocation statement we put a `REASSIGN OWNED BY` from the current user to that Postgres role, so when the application pod is killed (`agent-revoke-on-shutdown` is set to true) the tables' owner is changed and the new pod, which comes up with another user, is able to update those tables. It works as expected.
Our problem comes when we have multiple pods for our application: the database is created with the user from the first pod, but on a RollingUpdate that first pod is not killed before the new pods are created, so the revocation statement is not called, the tables' owner is not changed, and the new pod does not have permission to update the tables.
Is there some way for us to achieve this? Maybe adding something in the creation statement to allow updates for tables that were created by a previous user?
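One way to approach this, shown here as an added example rather than anything from the original post, is to stop relying on the revocation statement for ownership at all: make the shared Postgres role the owner of every table at creation time, so the owner never needs to change when a pod goes away. The SQL below is what a Vault database role's `creation_statements` and `revocation_statements` would contain; `{{name}}`, `{{password}}` and `{{expiration}}` are Vault's own template placeholders, while the shared role name `app_owner` is an assumption (use whatever role you already attach the dynamic user to). It assumes `app_owner` already exists, owns or has `CREATE` on the schema the application uses, and is a `NOLOGIN` role.

```sql
-- creation_statements
-- Vault substitutes {{name}}, {{password}} and {{expiration}} at lease creation.
-- The dynamic user is made a member of the shared role (app_owner is an assumed name).
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}'
    VALID UNTIL '{{expiration}}' IN ROLE app_owner;

-- Every new session for this user starts as app_owner, so tables the
-- application creates are owned by app_owner from the first pod onward.
-- A later pod with a different dynamic user inherits the same ownership.
ALTER ROLE "{{name}}" SET ROLE app_owner;

-- Defensive extra: if the application ever issues RESET ROLE and creates
-- objects under its own identity, app_owner still gets full access to them.
ALTER DEFAULT PRIVILEGES FOR ROLE "{{name}}" IN SCHEMA public
    GRANT ALL ON TABLES TO app_owner;
ALTER DEFAULT PRIVILEGES FOR ROLE "{{name}}" IN SCHEMA public
    GRANT ALL ON SEQUENCES TO app_owner;

-- revocation_statements
-- Runs only when the lease is revoked or expires; with ownership already on
-- app_owner this is cleanup rather than the thing the next pod depends on.
REASSIGN OWNED BY "{{name}}" TO app_owner;
DROP OWNED BY "{{name}}";
DROP ROLE IF EXISTS "{{name}}";
```

With `SET ROLE` applied through `ALTER ROLE ... SET`, the ownership change happens per session, so the ordering of pod termination during a RollingUpdate no longer matters: the old pod's lease can stay alive until its TTL runs out without blocking the new one. Two things to check in your own setup: the application must not `RESET ROLE` or `SET ROLE` to something else before creating tables, and the member-of-`app_owner` grant has to allow `SET` (the default in Postgres 16, where role grants gained explicit `SET`/`INHERIT` options). You can confirm a session is running as the shared role with `SELECT current_user, session_user;`, which should show `app_owner` and the dynamic user respectively.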