From 539e30c4cdbbe6abfcc5aa2ee6893b279200cc1b Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Fri, 16 Jan 2026 21:45:27 -0700
Subject: [PATCH] VAULT-24267 Code change for unsync secrets immediately when a mount is deleted or disabled (#11578) (#11674)
Co-authored-by: ankitsutharhashicorp
---
 changelog/_11578.txt | 6 ++++++
 vault/logical_system.go | 5 +++++
 vault/logical_system_stubs_oss.go | 4 ++++
 3 files changed, 15 insertions(+)
 create mode 100644 changelog/_11578.txt
diff --git a/changelog/_11578.txt b/changelog/_11578.txt
new file mode 100644
index 0000000000..cb55d89b04
--- /dev/null
+++ b/changelog/_11578.txt
@@ -0,0 +1,6 @@
+```release-note:improvement
+secrets-sync (enterprise): Improved the user experience during mount lifecycle changes by triggering immediate
+unsyncing of external secrets when a secrets engine mount is deleted or disabled. By moving this logic from
+the background reconciliation loop to a direct callback, the system prevents perceived "leaks" and ensures external
+secret resources are cleaned up synchronously with the Vault unmount.
+```
\ No newline at end of file
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 0d6be25798..b75e42dc5d 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1792,6 +1792,11 @@ func (b *SystemBackend) handleUnmount(ctx context.Context, req *logical.Request,
 return handleError(fmt.Errorf("unable to find storage for path: %q", path))
 }
 
+ // Unsync secrets during mount deletion
+ if err := b.callUnsyncMountHelper(ctx, path); err != nil {
+ b.Backend.Logger().Error("failed to unsync secrets during mount deletion", "error", err)
+ }
+
 // Attempt unmount
 if err := b.Core.unmountWithRequest(ctx, path, req); err != nil {
 b.Backend.Logger().Error("unmount failed", "path", path, "error", err)
diff --git a/vault/logical_system_stubs_oss.go b/vault/logical_system_stubs_oss.go
index e840449d33..900816c092 100644
--- a/vault/logical_system_stubs_oss.go
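Review bot: A failed unsync is only logged and the unmount still proceeds, which is exactly the outcome the changelog says this change is meant to prevent — the external copies stay in place while Vault forgets the mount — and the new log line does not even say which mount it was. Either abort with `return handleError(fmt.Errorf("unsyncing secrets for mount %q: %w", path, err))`, or, if the background reconciliation loop still picks up leftovers, say so in the comment and at least log the path: `b.Backend.Logger().Error("failed to unsync secrets during mount deletion", "path", path, "error", err)`. Aborting has its own cost (an unreachable destination would block unmounting), so whichever way it goes should be a deliberate, documented choice rather than a swallowed error. Note also that the helper runs before `unmountWithRequest`, so if the unmount is later rejected the external secrets have already been removed for a mount that still exists; whether that matters depends on what unmountWithRequest checks, which is outside this hunk. handleUnmount starts and ends outside the hunk.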
+++ b/vault/logical_system_stubs_oss.go
@@ -116,3 +116,7 @@ func (b *SystemBackend) mountInfo(ctx context.Context, entry *MountEntry, legacy
 return info
 }
 
+
+func (b *SystemBackend) callUnsyncMountHelper(ctx context.Context, path string) error {
+ return nil
+}
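Review bot: The new stub has no doc comment, so nothing at the definition explains why `ctx` and `path` are ignored, why it always succeeds, or where the real implementation lives. Add one above the func, e.g. `// callUnsyncMountHelper is the community-edition no-op for the secrets-sync unsync hook that handleUnmount calls before unmounting; the _oss file name suggests the enterprise build supplies the real implementation, which should be confirmed.` A comment like this keeps a reader from mistaking the unconditional nil return for "unsync succeeded" when debugging an unmount on a community build.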