When deleting the latest version of a kv2 secret, VSO should retrieve the previous (non-deleted) version

[ChristianCiach]

Describe the bug

I use a VaultStaticSecret to retrieve the latest version of a secret stored in Vault by omitting the version attrbute:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: grafana-credentials
spec:
  type: kv-v2
  mount: secrets-external-services
  path: oncall/grafana-credentials
  destination:
    name: grafana-credentials
    create: true
  rolloutRestartTargets:
    - kind: Deployment
      name: grafana

If I create a new version of this secret in Vault, VSO correctly updates to the new version and restarts the grafana deployment. Great!

But when I delete the new version of the secret in Vault, VSO does not revert to the previous version. Instead, it wipes the existing data from the Kubernetes Secret and restarts the Grafana deployment, making it fail because of the now missing data.

The updated Secret after deleting the version in Vault contains only this data:

_raw: '{"data":null,"metadata":{"created_time":"2024-05-17T19:01:44.897386006Z","custom_metadata":null,"deletion_time":"2024-05-17T19:02:34.210821304Z","destroyed":false,"version":2}}'

Expected behavior

I would expect VSO to revert to the latest non-deleted version of the vault secret.

Environment

• Kubernetes version:
  • Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): K3s v1.29.3+k3s1
• vault-secrets-operator version: v0.6.0

Additional context

It is debatable if this is even a bug. This seems to be the default behavior of the Vault API when omitting the version parameter. See https://discuss.hashicorp.com/t/kv-v2-destroyed-secret-version-still-marked-as-current/9780

But I still think VSO should handle this better.

[nevo11]

Hi what happened with that?