If a KV secret is marked for future deletion the secret is not return when it is still valid.

[darkedges]

Please note that the Consul Template issue tracker is reserved
for bug reports and enhancements. For general usage questions,
please use the Consul Community Portal or the Consul mailing list:

https://discuss.hashicorp.com/c/consul
https://groups.google.com/forum/#!forum/cons

Consul Template version

HashiCorp Vault 1.15.2 uses 0.33

Configuration

Please review hashicorp/vault-k8s#123

Expected behavior

If a secret is marked for future deletion and it is within the timeframe it should be generated.

Actual behavior

The following https://github.com/hashicorp/consul-template/blob/v0.33.0/dependency/vault_read.go#L181 just checks to see if the value is present instead of verifying it should have been deleted.

Steps to reproduce

Please review hashicorp/vault-k8s#123

References

Please review hashicorp/vault-k8s#123

[thevilledev]

This was fixed in #1879 and released in consul-template version 0.37.0 (see changelog here).

The fix was then incorporated into:

• Vault v1.15 Manual backport (1.15.x): VAULT-528 Fix Vault Agent being unable to render secrets with delete_version_after set. vault#25388
• Vault v1.16 Backport of VAULT-528 Fix Vault Agent being unable to render secrets with delete_version_after set. into release/1.16.x vault#25412
• Vault v1.17 VAULT-528 Fix Vault Agent being unable to render secrets with delete_version_after set. vault#25387

You were running Vault v1.15.2 so updating to v1.15.6 (or newer) should fix it for you.