upbound / provider-vault

A Crossplane provider for HashiCorp Vault
Apache License 2.0

Vault-provider does not allow root user rotation #38

Open makeitokay opened 4 months ago

makeitokay commented 4 months ago

I use SecretBackendConnection to create connections to my PostgreSQL database. I specify passwordSecretRef to set the root user password.

passwordSecretRef:
  key: password
  name: vault-init-password
  namespace: database

With the same password, I create a root user in my database. I have a CronJob that, with a frequency of 1 hour, calls the root user rotation via the Vault API. Therefore, every hour the password of the root user inside the Vault and inside my database changes.

However, I encountered unexpected behavior: if the vault-provider deployment is restarted (or the container inside the pod is restarted), then all the connections managed by the provider will be updated, including the root password of the user inside the Vault. It will not change inside the database, and as a result this leads to a mismatch of passwords, so Vault can no longer generate dynamic credentials.

Thus, it turns out that rotation of the root user is not expected by the vault-provider. Can you tell me if this behavior is expected? Is it possible to make passwordSecretRef be used only when creating a connection, but not when updating it?

makeitokay commented 4 months ago

The current solution is to take away the permission to update connections:

path "databases/config/*" {
   capabilities = ["list", "read", "create", "delete"]
}
path "databases/roles/*" {
   capabilities = ["list", "read", "create", "update", "delete"]
}

Restarting the vault-provider no longer resets the root password. However, I would like to find a more elegant solution, since it is currently impossible to make changes to connections via Helm.
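The drift described in this issue, as an added model that is not provider-vault's code: a fake Vault and database stand in for the real ones (assumptions), a hourly rotation updates both, and a provider reconcile after a restart re-applies the passwordSecretRef value. The `create_only` flag models the behaviour requested above (use the secret only when the connection is first created).

```python
"""Constructed model of the root-password drift discussed in the issue.
Not provider-vault's code; FakeDatabase and FakeVault are assumptions."""
import secrets


class FakeDatabase:
    """Stands in for the PostgreSQL instance holding the root user."""
    def __init__(self, root_password):
        self.root_password = root_password

    def authenticate(self, password):
        return password == self.root_password


class FakeVault:
    """Holds the database/config/<name> entries Vault uses to reach the DB."""
    def __init__(self):
        self.connections = {}

    def write_connection(self, name, password):
        # What the provider does when it creates or updates a connection
        self.connections[name] = password

    def rotate_root(self, name, db):
        # rotate-root: Vault sets a new password in the DB and keeps it only
        # inside Vault; the Kubernetes Secret is never updated
        new_password = secrets.token_hex(16)
        db.root_password = new_password
        self.connections[name] = new_password

    def generate_credentials(self, name, db):
        # Dynamic credentials only work while Vault's stored root password
        # still matches the database
        return db.authenticate(self.connections[name])


def reconcile(vault, name, secret_ref_password, create_only):
    """Provider reconcile. create_only=False re-applies passwordSecretRef on
    every run (e.g. after a pod restart); create_only=True applies it only
    when the connection does not exist yet."""
    if create_only and name in vault.connections:
        return
    vault.write_connection(name, secret_ref_password)


def scenario(create_only):
    init_password = "vault-init-password"  # constructed Secret value
    db = FakeDatabase(init_password)
    vault = FakeVault()
    reconcile(vault, "postgres", init_password, create_only)  # first create
    vault.rotate_root("postgres", db)                           # hourly CronJob
    reconcile(vault, "postgres", init_password, create_only)  # provider restart
    return vault.generate_credentials("postgres", db)
```

`scenario(False)` reproduces the outage (Vault holds the stale initial password), while `scenario(True)` keeps Vault and the database in sync across the restart.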