Consul-template not returning Vault kv secrets with future deletion_time set. #1778

Closed
marknl opened this issue Jul 10, 2023 · 0 comments · Fixed by #1879


marknl commented Jul 10, 2023

Description

When a secret in Vault has a deletion_time set, consul-template will not fetch it anymore. This is good for date/time entries that are in the past, but you can also set future date/time values, which I think should still be accessible.

Consul Template version

Using the consul-template implementation built into Nomad 1.5.6. I'm not really sure which version of consul-template is baked into Nomad 1.5.6.

Configuration

template {
  data = <<EOD
  {{ with secret "secret/data/email" }}{{ .Data.data.address }}{{ end }}
  EOD
  destination = "email.txt"
}

Expected behavior

I'm expecting the value of the Vault secret email (which is an email address) to be saved into the file email.txt.

Actual behavior

Nomad throws an error when trying to start the job, saying it cannot find the secret.

Steps to reproduce

  1. vault server -dev
  2. vault kv metadata put -mount=secret -delete-version-after=1h email
  3. vault kv put -mount=secret email [email protected]
  4. Create a consul-template template that will fetch the secret from Vault and save it to a file.
  5. Run the consul-template template.
  6. consul-template will not find the secret because deletion_time is not empty.

References

The code that causes this is: https://github.com/hashicorp/consul-template/blame/main/dependency/vault_read.go#L178

I opened a Discuss thread on the HashiCorp forums a few days ago, but I get the feeling this is a bug, not a feature ;-)
https://discuss.hashicorp.com/t/consul-template-not-returning-vault-kv-items-with-deletion-time-set/55763

@marknl marknl changed the title Consul-template not returning Vault kv secrets with deleteion_time set. Consul-template not returning Vault kv secrets with deletion_time set. Jul 10, 2023
@marknl marknl changed the title Consul-template not returning Vault kv secrets with deletion_time set. Consul-template not returning Vault kv secrets with future deletion_time set. Jul 10, 2023
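
The distinction this issue asks for, sketched as an added Go example (not consul-template's code and not the change merged in #1879): a KV v2 version counts as deleted only when it is destroyed or its `deletion_time` has been reached, so a future `deletion_time` still reads. The names `kvV2Deleted` and `sample` are hypothetical, the sample metadata is constructed, and treating an unparseable timestamp as deleted is a choice made for this example.

```go
package main

import (
	"fmt"
	"time"
)

// kvV2Deleted reports whether a Vault KV v2 read response describes a secret
// version that is unreadable at time now. data is the decoded "data" object of
// the response, the map that holds both "data" and "metadata".
func kvV2Deleted(data map[string]interface{}, now time.Time) (bool, error) {
	md, ok := data["metadata"].(map[string]interface{})
	if !ok {
		return false, nil // no metadata block (e.g. KV v1): nothing to check
	}
	if destroyed, _ := md["destroyed"].(bool); destroyed {
		return true, nil
	}
	raw, _ := md["deletion_time"].(string)
	if raw == "" {
		return false, nil // no deletion scheduled
	}
	at, err := time.Parse(time.RFC3339Nano, raw)
	if err != nil {
		// Fail closed (example's choice): unreadable timestamp counts as deleted.
		return true, fmt.Errorf("bad deletion_time %q: %w", raw, err)
	}
	// Deleted only once the scheduled time has been reached.
	return !now.Before(at), nil
}

// sample builds constructed response data; values are not from a real server.
func sample(deletionTime string) map[string]interface{} {
	return map[string]interface{}{
		"data":     map[string]interface{}{"address": "user@example.invalid"},
		"metadata": map[string]interface{}{"deletion_time": deletionTime, "destroyed": false, "version": 1},
	}
}

func main() {
	now := time.Date(2023, 7, 10, 12, 0, 0, 0, time.UTC)
	for _, dt := range []string{"", "2023-07-10T13:00:00.5Z", "2023-07-10T11:00:00Z"} {
		deleted, err := kvV2Deleted(sample(dt), now)
		fmt.Printf("deletion_time=%q deleted=%v err=%v\n", dt, deleted, err)
	}
}
```
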