Vault Agent Template not triggered after rotate-role

I’m successfully using the OpenLDAP Secrets Engine together with a Vault Agent to render a template on a host that references a Static Role. The Static Role has a rotation period and the Vault Agent automatically updates the template when the TTL expires.

However, when I manually rotate the password, the credentials are updated in OpenLDAP but the Vault Agent does not automatically update the template.

  1. Is this a defect or expected behaviour?
  2. Is it possible to manually tell the agent to re-render the templates?

Per the docs, it does not seem like there is any exception for a manually rotated secret. It is about TTL and renewal. For the agent to know something was manually rotated, it’d have to poll, or an event would have to be fired to alert it… which does not exist today.