Kubernetes mssql dynamic credentials are creating 2 logins every time

Good morning,
I'm facing a strange issue. When requesting database credentials from Vault, Vault is creating 2 credentials.
My setup is the following:

I have a Kubernetes cluster with 1 worker node receiving containers, on version:

Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.8", GitCommit:"5575935422cc1cf5169dfc8847cb587aa47bac5a", GitTreeState:"clean", BuildDate:"2021-06-16T13:00:45Z", GoVersion:"go1.15.13", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5", GitCommit:"6b1d87acf3c8253c123756b9e61dac642678305f", GitTreeState:"clean", BuildDate:"2021-03-18T01:02:01Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

I have a 3-node Consul cluster with the following configuration:

datacenter = "DEV"
data_dir = "/opt/consul"
encrypt = "key"
ca_file = "/etc/consul.d/xxx.pem"
cert_file = "/etc/consul.d/xxx.pem"
key_file = "/etc/consul.d/xxx.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
retry_join = ["machne1", "machne2", "machne3"]
acl = {
  enabled = true
  default_policy = "allow"
  enable_token_persistence = true
}
performance {
  raft_multiplier = 1
}

I have a Vault server with the following configuration:

listener "tcp" {
  address       = ""
  tls_disable   = "false"
  tls_cert_file = "/etc/ssl/certs/xxxx.pem"
  tls_key_file  = "/etc/ssl/certs/xxxx.pem"
}

storage "consul" {
  address = ""
  path    = "vault/"
  token   = "xxxxxxxxxx"
}

api_addr = "https://someaddress.dev"
ui = true

telemetry {
  prometheus_retention_time      = "24h"
  disable_hostname               = true
  unauthenticated_metrics_access = true
}

I set up Vault with Kubernetes following these docs:

Then I set up the database secrets engine with the following commands:

vault write database/config/sqlserver \
    plugin_name=mssql-database-plugin \
    connection_url='sqlserver://{{username}}:{{password}}@ip:port' \
    allowed_roles="*" \
    username="user" \

vault write database/roles/test-db db_name=sqlserver \
creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; Use test; GO; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; GO; ALTER ROLE [db_owner] ADD MEMBER [{{name}}]" \
revocation_statements="DROP USER IF EXISTS [{{name}}]; DROP LOGIN [{{name}}]" \
default_ttl="1h" \

I created a Vault policy and bound it to the Kubernetes app service account and Vault role:

vault write auth/kubernetes/role/some-api \
bound_service_account_names=some-api \
bound_service_account_namespaces=default \
policies=some-api \
ttl=1h \

The connection between Vault and Kubernetes is working fine: the Vault token is injected and other secrets are injected.
The database credentials request creates 2 database logins: it injects the file with the first user and password, and then replaces the credentials in the file with the second ones.

I found this because when my app starts I have a command that reads the files into environment variables, and at that point the environment variables are set with the first credentials, but Vault Agent shortly after creates a second set of credentials and only refreshes those. Because of that, the first credentials are deleted from SQL Server after the TTL has expired and the app stops working.

My Kubernetes deployment annotations are the following:

vault.hashicorp.com/log-level: "trace"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "some-api"
vault.hashicorp.com/agent-revoke-on-shutdown: "true"

# Secrets
vault.hashicorp.com/agent-inject-secret-config: 'secret/data/some-api'
# Environment variable export template
vault.hashicorp.com/agent-inject-template-config: |
  {{ with secret "secret/data/some-api" -}}
    export KEY="{{ .Data.data.key }}"
  {{- end }}

# Database credentials
vault.hashicorp.com/agent-inject-secret-testdb: 'database/creds/test-db'
# Environment variable export template
vault.hashicorp.com/agent-inject-template-testdb: |
  {{- with secret "database/creds/test-db" -}}
    export DBUSER="{{ .Data.username }}"
    export DBPASSWORD="{{ .Data.password }}"
  {{- end }}

The script that reads the credentials into environment variables is below.
But even if I don't read them into environment variables, the problem occurs.

command: ["/bin/sh"]
args: ["-c", "for f in /vault/secrets/*; do . $f; done && {{ .Values.command }}"]

I'm using Helm to deploy the app.

Does anybody have the same problem, or is this a bug?

Thanks for the help
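The failure mode described above, as an added shell example that is not part of the original post: the startup loop sources the rendered /vault/secrets files into environment variables, the agent later re-renders the testdb file with a second lease, and a small check detects that the exported DBUSER no longer matches the file. The secret directory, file contents and usernames are constructed here, not produced by a real Vault Agent.

```shell
#!/bin/sh
# Added example, not from the original post. The secret files are constructed
# in a temporary directory to stand in for /vault/secrets.

# Source every rendered template in the directory, as the deployment command
# "for f in /vault/secrets/*; do . $f; done" does, with the path quoted.
load_vault_secrets() {
  dir="$1"
  for f in "$dir"/*; do
    if [ -f "$f" ]; then
      . "$f"
    fi
  done
}

# Return 0 if the DBUSER currently exported matches the DBUSER the file would
# export now; return 1 if the file was re-rendered with different credentials
# after the process captured the first set.
db_creds_current() {
  file="$1"
  file_user=$(sed -n 's/^ *export DBUSER="\(.*\)"$/\1/p' "$file")
  [ "$file_user" = "$DBUSER" ]
}

# Write a constructed rendering of the agent-inject-template-testdb output.
render_testdb_file() {
  printf 'export DBUSER="%s"\nexport DBPASSWORD="%s"\n' "$2" "$3" > "$1"
}

# Reproduce the sequence from the post: first render is sourced at startup,
# then the agent replaces the file with a second lease. Prints the username
# the process kept and 1 if that username is now stale, 0 otherwise.
demo() {
  dir=$(mktemp -d)
  render_testdb_file "$dir/testdb" "v-kube-test-db-first" "pw-first"
  load_vault_secrets "$dir"
  first_user="$DBUSER"
  render_testdb_file "$dir/testdb" "v-kube-test-db-second" "pw-second"
  if db_creds_current "$dir/testdb"; then stale=0; else stale=1; fi
  rm -rf "$dir"
  echo "$first_user $stale"
}
```

Inside the pod the same drift shows as a DBUSER in the running process that no longer appears in /vault/secrets/testdb; the login it names is the one revoked when the first lease's TTL expires.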