VAULT-24267 Code change for unsync secrets immediately when a mount is deleted or disabled (#11578) (#11674)

Co-authored-by: ankitsutharhashicorp <ankitkumar.suthar@hashicorp.com>
2026-02-03 20:40:45 -05:00 · 2026-01-16 21:45:27 -07:00 · 2026-01-16 21:45:27 -07:00 · 539e30c4cd
commit 539e30c4cd
parent 48dbd17974
3 changed files with 15 additions and 0 deletions
--- a/changelog/_11578.txt
+++ b/changelog/_11578.txt
@ -0,0 +1,6 @@
+```release-note:improvement
+secrets-sync (enterprise): Improved the user experience during mount lifecycle changes by triggering immediate
+unsyncing of external secrets when a secrets engine mount is deleted or disabled. By moving this logic from
+the background reconciliation loop to a direct callback, the system prevents perceived "leaks" and ensures external
+secret resources are cleaned up synchronously with the Vault unmount.
+```
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -1792,6 +1792,11 @@ func (b *SystemBackend) handleUnmount(ctx context.Context, req *logical.Request,
 		return handleError(fmt.Errorf("unable to find storage for path: %q", path))
 	}

+	// Unsync secrets during mount deletion
+	if err := b.callUnsyncMountHelper(ctx, path); err != nil {
+		b.Backend.Logger().Error("failed to unsync secrets during mount deletion", "error", err)
+	}
+
 	// Attempt unmount
 	if err := b.Core.unmountWithRequest(ctx, path, req); err != nil {
 		b.Backend.Logger().Error("unmount failed", "path", path, "error", err)
--- a/vault/logical_system_stubs_oss.go
+++ b/vault/logical_system_stubs_oss.go
@ -116,3 +116,7 @@ func (b *SystemBackend) mountInfo(ctx context.Context, entry *MountEntry, legacy

 	return info
 }
+
+func (b *SystemBackend) callUnsyncMountHelper(ctx context.Context, path string) error {
+	return nil
+}