Revoking leases on Vault Agent Shutdown

Trying to understand how to revoke a dynamic database role lease created from a sidecar vault-agent on its shutdown. I have added the annotation vault.hashicorp.com/agent-revoke-on-shutdown: 'true' and I can see the agent shut down, but it is not revoking the leases it is getting as follows:

        vault.hashicorp.com/agent-inject-secret-liquibase.properties: 'database/creds/dba'
        vault.hashicorp.com/agent-inject-template-liquibase.properties: |
          {{- with secret "database/creds/dba" -}}
          password: {{ .Data.password }}
          username: {{ .Data.username }}
          {{- end }}

Reading the docs, it says it will revoke only the token used by the agent. Is that the correct understanding, that I cannot revoke leases on agent shutdown?

Nicholas

Google Bard seems to think it revoked its own token and any leases it has.

2. Kubernetes annotations:

  • If using Vault Agent in Kubernetes, utilize the annotation vault.hashicorp.com/agent-revoke-on-shutdown: 'true'.
  • This instructs the Vault Agent Injector to automatically revoke the token and associated leases when the pod shuts down.
  • Note: This relies on the Vault Agent Injector and requires specific Kubernetes versions.

However, I am not seeing that happen.