[FEATURE REQUEST] Cache and manage Vault leases #63440
Labels: Feature (new functionality including changes to functionality and code refactors, etc.), needs-triage, Vault
Is your feature request related to a problem? Please describe.
Vault secret backends other than KV typically issue dynamic secrets bound to leases, which are valid for a certain amount of time, for example database credentials or X.509 certificates. If one manages configuration using those secrets, there is currently no easy inbuilt way to
a) avoid requesting a new secret during every template rendering run
b) renew existing leases.
Describe the solution you'd like
Introduce a lease store utility that can be used by secret backend-specific modules to cache leases and manage their renewal. It should consider the currently active token, since leases are bound to it.
Note that this is a feature request for a utility to be used by future modules, not sure if that's a thing. `vault.read_secret`/`vault.write_secret`/... essentially just do `GET`/`POST`/... requests to the Vault server, but are written with the KV backend in mind, which does not issue leases.

Describe alternatives you've considered
Since this is part of a large Vault integration overhaul, none in detail.
`vault.read_secret`/`vault.write_secret`, so there is probably some Jinja that could manage the cache. Both would not be bound to the active token though, so would need to check the validity on the remote server every time or risk failure. Essentially, it would require implementing this feature in Jinja or a custom execution module.