Revoking leases on Vault Agent Shutdown

Trying to understand how to revoke a dynamic database role lease created from a sidecar vault-agent on its shutdown. I have added the annotation 'true' and I can see the agent shutdown, but it is not revoking the leases it is getting as follows 'database/creds/dba' |
          {{- with secret "database/creds/dba" -}}
          password: {{ .Data.password }}
          username: {{ .Data.username }}
          {{- end }}

Reading the docs it says it will revoke only the token used by the agent, is that the correct understanding that I cannot revoke leases on agent shutdown?


Google Bard seems to think it revoked it own token and any leases it has.

2. Kubernetes annotations:

  • If using Vault Agent in Kubernetes, utilize the annotation 'true' .
  • This instructs the Vault Agent Injector to automatically revoke the token and associated leases when the pod shuts down.
  • Note: This relies on the Vault Agent Injector and requires specific Kubernetes versions.

However I am not seeing that happen.