Introduction:
Vault Agent uses consul-template functions to render secrets and certificates to files. Two of these functions are commonly used in the agent's template configuration: `secret` and `pkiCert`. `pkiCert` is typically used to render certificates issued by a PKI secrets engine, whereas `secret` is typically used to render static secrets. By design, the agent does not track certificate revocation status, so manual intervention may be required when a certificate is revoked.
Scenario:
- When the pkiCert template is used in the agent's template config:
With the pkiCert template, Vault Agent requests a certificate from a PKI secrets engine. If that certificate is later revoked, the agent is unaware of the event and will not render a new certificate; the revoked certificate remains in the destination file (the agent's rendering cache).
Workaround:
In the event of a certificate compromise, delete the rendered destination file (the cache) and then restart the agent to force the template to render a new certificate.
- When a secret template is used in the agent's template config:
With the secret template, Vault Agent reads the secret at the given path, which may be a path on a PKI secrets engine. If the certificate obtained this way is later revoked, the agent is unaware of the event and will not render a new certificate; the revoked certificate remains in the destination file.
Workaround:
In the event of a secret compromise, restart Vault Agent to force the template to render the secret again.
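The following script, added here as an illustration and not part of the original article or of Vault Agent itself, automates the pkiCert workaround: it compares the serial of the certificate currently in the destination file against the PKI engine's CRL and, if the serial is revoked, deletes the destination file and restarts the agent. The PKI mount name, destination path, systemd unit name and an authenticated `vault` CLI are assumptions; the sample CRL text is constructed.

```shell
#!/bin/sh
# Assumptions (not from the article): PKI engine mounted at "pki", rendered
# cert at /etc/app/cert.pem, agent running as systemd unit "vault-agent",
# and the vault CLI authenticated via VAULT_ADDR / VAULT_TOKEN.
PKI_MOUNT="${PKI_MOUNT:-pki}"
DEST="${DEST:-/etc/app/cert.pem}"
AGENT_SERVICE="${AGENT_SERVICE:-vault-agent}"

# Normalise a hex serial: drop the "serial=" prefix openssl prints, remove
# colons and spaces, and upper-case it so both sources compare equal.
norm_serial() {
    printf '%s' "$1" | sed 's/^serial=//; s/[: ]//g' | tr 'a-f' 'A-F'
}

# serial_is_revoked SERIAL CRL_TEXT
# CRL_TEXT is the output of `openssl crl -noout -text`. Returns 0 when SERIAL
# appears as a "Serial Number:" entry under "Revoked Certificates", else 1.
serial_is_revoked() {
    want=$(norm_serial "$1")
    printf '%s\n' "$2" \
        | sed -n 's/^ *Serial Number: *//p' \
        | sed 's/[: ]//g' | tr 'a-f' 'A-F' \
        | grep -qxF "$want"
}

# Fetch the live CRL from the PKI engine, check the rendered certificate and,
# if it is revoked, apply the workaround: clear the cache and restart the agent.
# Returns 0 if rotation was triggered, 1 if the cert is still valid, 2 on error.
rotate_if_revoked() {
    serial=$(openssl x509 -in "$DEST" -noout -serial) || return 2
    crl=$(vault read -field=certificate "$PKI_MOUNT/cert/crl" \
          | openssl crl -noout -text) || return 2
    if serial_is_revoked "$serial" "$crl"; then
        rm -f "$DEST"                        # delete the rendered destination
        systemctl restart "$AGENT_SERVICE"   # force a fresh pkiCert render
        return 0
    fi
    return 1
}

# Constructed sample CRL text (the shape openssl prints), used for offline checks.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = example.internal
Revoked Certificates:
    Serial Number: 1A2B3C4D5E6F
        Revocation Date: Jan  1 00:00:00 2024 GMT'
```

Run `rotate_if_revoked` from cron or a timer on the host where the agent renders the certificate; it only touches the destination file and the agent service when the serial is actually on the CRL.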