I’d like to know the idea behind it. A secret can still be available at the time it’s being queried by consul-template, why not return it then?
@eikenb You added this code 4 years ago, do you still know why you’re not comparing the actual date with the deletion_time date? I’m very curious as to why this was done.
deletion_time records when the secret was deleted in the past. It doesn’t schedule a deletion for the future. Thus, if it’s set, the deletion has already happened.
Your statement is not really true. In the Vault UI, when you go to a secret and click on the “Meta data” tab, then “Edit metadata”, you can enable “Automate secret deletion” and set a time frame. Save this, and it will show “Delete version after” being set to that time frame.
Now every new version of the secret will have the metadata field deletion_time set to a date and time in the future that matches with the time frame specified by you earlier.
So I can set it to say 10 days, and it will auto delete that version in 10 days, but within those 10 days, consul-template will not return the value of that secret anymore. If I then disable “Automatic secret deletion” and create a new version of the secret, consul-template will fetch the secret again.
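As an added example (not consul-template's or Vault's own code), the difference between treating any non-empty `deletion_time` as "already deleted" and comparing it against the current time; the `versionMetadata` type and both function names are assumptions, and the timestamps are constructed samples in Vault's RFC3339 format:

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical subset of a KV v2 version's metadata: deletion_time is a
// string, empty when no deletion has happened or been scheduled.
type versionMetadata struct {
	DeletionTime string `json:"deletion_time"`
}

// versionDeletedNaive mirrors the behaviour discussed above: any non-empty
// deletion_time counts as deleted, even one that lies in the future.
func versionDeletedNaive(m versionMetadata) bool {
	return m.DeletionTime != ""
}

// versionDeletedAt compares deletion_time against now, so a version that is
// merely scheduled for deletion is still returned until that moment passes.
// Unparsable input is reported as an error rather than silently guessed.
func versionDeletedAt(m versionMetadata, now time.Time) (bool, error) {
	if m.DeletionTime == "" {
		return false, nil
	}
	t, err := time.Parse(time.RFC3339Nano, m.DeletionTime)
	if err != nil {
		return false, fmt.Errorf("parse deletion_time %q: %w", m.DeletionTime, err)
	}
	return !t.After(now), nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample: a version scheduled for deletion 10 days out.
	scheduled := versionMetadata{DeletionTime: "2024-01-11T12:00:00.000000Z"}
	fmt.Println(versionDeletedNaive(scheduled)) // true: value withheld for 10 days
	d, _ := versionDeletedAt(scheduled, now)
	fmt.Println(d) // false: still available until the scheduled time
}
```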
Ah, no problem! It’s impossible to know everything.
Hence I pinged @eikenb in my first message, since he made that part of the code and I was wondering if my “bug” was a feature, or something that was overlooked or has changed in the 4 years since this code was added. My best guess is that Vault has added the DeleteVersionAfter time.Duration in a version after the code was added in consul-template.
… digging …
About a year ago it was added to the API. But the “delete version after” has been in the code for about 4 years.