Unable to return specific versions of a secret path in kv v2 in template, seems to only return latest version

caleyg · March 2, 2020, 5:36pm

also posted here: https://github.com/hashicorp/consul-template/issues/1350 only because I’m not sure if this is user error or something else?

Consul Template version

consul-template v0.24.1 (58aa6c6)

Vault version

vault 0.10.4

Configuration

{"vault": [{"ssl": [{"verify": true}]}, {"renew_token": true}], "consul": {"ssl": [{"verify": true}]}, "log_level": "debug", "exec": {"env": [{"custom": "PATH=$PATH:$PWD"}]}}

Raw Template

{{ $service_name := `foo` }}
{{ $stack_name :=  `bar` }}
{{ $vault_path := ( print "secret_v2/" $stack_name "/" $service_name ) }}
secret4_latest: {{ with secret ( print $vault_path "/secret4" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v1: {{ with secret ( print $vault_path "/secret4?version=" 1 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v2: {{ with secret ( print $vault_path "/secret4?version=" 2 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v3: {{ with secret ( print $vault_path "/secret4?version=" 3 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v4: {{ with secret ( print $vault_path "/secret4?version=" 4 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_latest: {{ with secret ( print $vault_path "/secret5" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v1: {{ with secret ( print $vault_path "/secret5" "?version=1" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v2: {{ with secret ( print $vault_path "/secret5" "?version=2" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v3: {{ with secret ( print $vault_path "/secret5" "?version=3" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v4: {{ with secret ( print $vault_path "/secret5" "?version=4" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}

Rendered template

secret4_latest:   somesecret4value_version3
secret4_v1:   somesecret4value_version3
secret4_v2:   somesecret4value_version3
secret4_v3:   somesecret4value_version3
secret4_v4:   somesecret4value_version3
secret5_latest:   somesecret5value_version3
secret5_v1:   somesecret5value_version3
secret5_v2:   somesecret5value_version3
secret5_v3:   somesecret5value_version3
secret5_v4:   somesecret5value_version3

Actual versioned vault secrets

// latest version of secrets (zero)
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5
{"request_id":"e6d6e182-5c0e-11ea-8b5d-6771cd7e39d5","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4
{"request_id":"85d3a420-74ac-41de-357b-ea4a6306a690","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=0
{"request_id":"0de681f1-eb2f-5b8f-cc93-ee19ee2ba246","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=0
{"request_id":"f7a6afc4-5c0e-11ea-9664-a7309391da25","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}


curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=0
{"request_id":"25392fde-45b5-27b7-37fa-f32fbb137771","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=1
{"request_id":"57e6aedc-9406-07a4-e7bc-8fd396f8f823","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version1"},"metadata":{"created_time":"2020-03-01T21:23:50.76118051Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=3
{"request_id":"2994b83c-d742-807a-aa3e-0d5d88ba6f60","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version2"},"metadata":{"created_time":"2020-03-01T21:24:17.868740798Z","deletion_time":"","destroyed":false,"version":3}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=4
{"request_id":"8ef9e5d9-d724-e650-03a8-8477a17f15c4","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=0
{"request_id":"36673da2-1b0d-510e-1333-36a088637dda","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=1
{"request_id":"5b014412-22be-b8f6-23eb-f245b8e6ab2e","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version1"},"metadata":{"created_time":"2020-03-01T21:28:11.184234432Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/secret5?version=2
{"request_id":"8fe0e3f7-3918-57a4-5a72-1e5293a7d418","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version1"},"metadata":{"created_time":"2020-03-01T21:29:33.398767611Z","deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=3
{"request_id":"6ba62ce5-e788-4c9d-85f2-2f13341979f9","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version2"},"metadata":{"created_time":"2020-03-01T21:29:51.385471519Z","deletion_time":"","destroyed":false,"version":3}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=4
{"request_id":"7e675c49-4a00-c268-ca91-631061a8e763","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}

Vault backends

vault secrets list -detailed
Path                                         Plugin       Accessor              Default TTL    Max TTL     Force No Cache    Replication    Seal Wrap    Options                                             Description                                                UUID
----                                         ------       --------              -----------    -------     --------------    -----------    ---------    -------                                             -----------                                                ---
secret/                                      kv           kv_foo                system         system      false             replicated     false        map[version:1]                                      key/value secret storage                                   n/a
secret_v2/                                   kv           kv_bar                system         system      false             replicated     false        map[version:2]                                      KV version 2 secret path                                   n/a
sys/                                         system       system_baz            n/a            n/a         false             replicated     false        map[]                                               system endpoints used for control, policy and debugging    n/a

Command

consul-template -config /tmp/consul-config.json -template=/app/index.html.ctmpl:/app/index.html -exec=python3 test-server.py

Debug output

3/1/2020 4:29:06 PMLaunching application with the following: consul-template -config /tmp/consul-config.json -template=/etc/some_other_file.yml.ctmpl:/etc/some_other_file.yml -template=/app/index.html.ctmpl:/app/index.html -exec='python3 test-server.py' .
3/1/2020 4:29:06 PM2020/03/01 22:29:06.248993 [INFO] consul-template v0.24.1 (c54d0abc)
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249011 [INFO] (runner) creating new runner (dry: false, once: false)
Unknown Date
Invalid Date Invalid Date2020/03/01 22:29:06.249349 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":true,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":5,"TLSHandshakeTimeout":10000000000}},"Dedup":{"Enabled":false,"MaxStale":2000000000,"Prefix":"consul-template/dedup/","TTL":15000000000},"Exec":{"Command":"python3 test-server.py","Enabled":true,"Env":{"Blacklist":[],"Custom":["PATH=$PATH:$PWD"],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":0},"KillSignal":2,"LogLevel":"debug","MaxStale":2000000000,"PidFile":"","ReloadSignal":1,"Syslog":{"Enabled":false,"Facility":"LOCAL0"},"Templates":[{"Backup":false,"Command":"","CommandTimeout":30000000000,"Contents":"","CreateDestDirs":true,"Destination":"/etc/some_other_file.yml","ErrMissingKey":false,"Exec":{"Command":"","Enabled":false,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":30000000000},"Perms":0,"Source":"/etc/some_other_file.yml.ctmpl","Wait":{"Enabled":false,"Min":0,"Max":0},"LeftDelim":"","RightDelim":"","FunctionBlacklist":null,"SandboxPath":""},{"Backup":false,"Command":"","CommandTimeout":30000000000,"Contents":"","CreateDestDirs":true,"Destination":"/app/index.html","ErrMissingKey":false,"Exec":{"Command":"","Enabled":false,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":30000000000},"Perms":0,"Source":"/app/index.html.ctmpl","Wait":{"Enabled":false,"Min":0,"Max":0},"LeftDelim":"","RightDelim":"","FunctionBlacklist":null,"SandboxPath":""}],"Vault":{"Address":"https://vault","Enabled":true,"Namespace":"","RenewToken":true,"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":true,"Key":"","ServerName":"","Verify":true},"Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":5,"TLSHandshakeTimeout":10000000000},"UnwrapToken":false},"Wait":{"Enabled":false,"Min":0,"Max":0},"Once":false}
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249423 [INFO] (runner) creating watcher
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249452 [DEBUG] (watcher) adding vault.token
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249792 [INFO] (runner) starting
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249810 [DEBUG] (runner) running initial templates
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249814 [DEBUG] (runner) initiating run
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249860 [DEBUG] (runner) checking template 889e59c7dc5fd172e484df2a9aa82a53
3/1/2020 4:29:06 PM2020/03/01 22:29:06.414839 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.548189 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.665238 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.666316 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.758110 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064059 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064138 [DEBUG] (runner) missing data for 2 dependencies
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064166 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret4)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064175 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret5)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064182 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret4) to missing since isLeader but do not have a watcher
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064190 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret5) to missing since isLeader but do not have a watcher
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064202 [DEBUG] (runner) was not watching 2 dependencies
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064215 [DEBUG] (watcher) adding vault.read(secret_v2/secret4)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064228 [DEBUG] (watcher) adding vault.read(secret_v2/secret5)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064238 [DEBUG] (runner) checking template 2d4fc72b29bb3818646579cfc49f5a8a
3/1/2020 4:29:08 PM2020/03/01 22:29:08.200219 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.319001 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.435853 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751652 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751666 [DEBUG] (runner) missing data for 6 dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751690 [DEBUG] (runner) missing dependency: vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751698 [DEBUG] (runner) missing dependency: vault.read(secret_v2/)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751702 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret2)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751705 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret3)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751708 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret4)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751712 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret5)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751721 [DEBUG] (runner) add used dependency vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751728 [DEBUG] (runner) add used dependency vault.read(secret_v2/) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751735 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret2) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751740 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret3) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751760 [DEBUG] (runner) was not watching 4 dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751770 [DEBUG] (watcher) adding vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751787 [DEBUG] (watcher) adding vault.read(secret_v2/)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751797 [DEBUG] (watcher) adding vault.read(secret_v2/secret2)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751804 [DEBUG] (watcher) adding vault.read(secret_v2/secret3)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751813 [DEBUG] (runner) diffing and updating dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751817 [DEBUG] (runner) watching 7 dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751827 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret4)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751852 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret5)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751860 [DEBUG] (runner) initiating run
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751864 [DEBUG] (runner) checking template 889e59c7dc5fd172e484df2a9aa82a53
3/1/2020 4:29:09 PM2020/03/01 22:29:09.877737 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:09 PM2020/03/01 22:29:09.991958 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:10 PM2020/03/01 22:29:10.105435 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:10 PM2020/03/01 22:29:10.106520 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:10 PM2020/03/01 22:29:10.196693 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.511953 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.511982 [DEBUG] (runner) rendering "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.514806 [INFO] (runner) rendered "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.514821 [DEBUG] (runner) checking template 2d4fc72b29bb3818646579cfc49f5a8a
3/1/2020 4:29:11 PM2020/03/01 22:29:11.632061 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.751210 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.918304 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207635 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207654 [DEBUG] (runner) missing data for 4 dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207672 [DEBUG] (runner) missing dependency: vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207677 [DEBUG] (runner) missing dependency: vault.read(secret_v2/)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207681 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret2)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207685 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret3)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207702 [DEBUG] (runner) missing data for 4 dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207707 [DEBUG] (runner) diffing and updating dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207712 [DEBUG] (runner) vault.read(secret_v2/secret5) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207716 [DEBUG] (runner) vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207720 [DEBUG] (runner) vault.read(secret_v2/) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207724 [DEBUG] (runner) vault.read(secret_v2/secret2) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207728 [DEBUG] (runner) vault.read(secret_v2/secret3) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207731 [DEBUG] (runner) vault.read(secret_v2/secret4) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207735 [DEBUG] (runner) watching 7 dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207743 [DEBUG] (runner) receiving dependency vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207751 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret2)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207757 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret3)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207763 [DEBUG] (runner) receiving dependency vault.read(secret_v2/)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207767 [DEBUG] (runner) initiating run
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207771 [DEBUG] (runner) checking template 889e59c7dc5fd172e484df2a9aa82a53
3/1/2020 4:29:13 PM2020/03/01 22:29:13.325499 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.448906 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.563325 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.564368 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.671948 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.205056 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.205085 [DEBUG] (runner) rendering "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.207015 [INFO] (runner) rendered "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.207027 [DEBUG] (runner) checking template 2d4fc72b29bb3818646579cfc49f5a8a
3/1/2020 4:29:16 PM2020/03/01 22:29:16.328847 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.441012 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.552654 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.110185 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.110245 [DEBUG] (runner) rendering "/app/index.html.ctmpl" => "/app/index.html"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112184 [INFO] (runner) rendered "/app/index.html.ctmpl" => "/app/index.html"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112206 [DEBUG] (runner) diffing and updating dependencies
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112215 [DEBUG] (runner) vault.read(secret_v2/secret5) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112220 [DEBUG] (runner) vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112224 [DEBUG] (runner) vault.read(secret_v2/) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112227 [DEBUG] (runner) vault.read(secret_v2/secret2) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112232 [DEBUG] (runner) vault.read(secret_v2/secret3) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112236 [DEBUG] (runner) vault.read(secret_v2/secret4) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112241 [DEBUG] (runner) watching 7 dependencies
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112245 [DEBUG] (runner) all templates rendered
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112290 [INFO] (child) spawning: python3 test-server.py

Expected behavior

I expect to be able to target a specific version of a secret at any point in my template for the same secret path in the same template and return that value.

Actual behavior

Instead it seems the template gets pinned on a specific version of a secret. I have tried this in multiple templates using different versions, and it always version 0 that seems to get returned…

Steps to reproduce

create some versioned secrets in vault using the KV version 2 secret path backend
attempt to render a template using versioned secret references
profit

Topic		Replies	Views
Vault agent templates - how to get secret previous version Vault consul-template	9	1996	November 10, 2021
Consul Template v0.25.1 Consul consul-template	1	828	July 27, 2020
Nomad Vault Integration Nomad vault	4	535	May 27, 2022
Vault Agent Templating and rendering all secrets under path X Vault vault	0	485	February 18, 2021
Invalid path for a versioned K/V secrets engine Vault	2	20101	April 28, 2020