Is your feature request related to a problem? Please describe.
Using K/V v2, which is enabled by default with Vault server in dev mode, adding a ttl key has no effect on lease_duration attribute (remains 0). With K/V v1, ttl key allows to set lease duration which is very handy. It seems that with K/V v2 we cannot benefit from this feature.
Describe the solution you'd like
Same special handling of ttl key as we currently have in K/V v1 (see https://www.vaultproject.io/docs/secrets/kv/kv-v1.html#ttls)
Describe alternatives you've considered
N/A
Explain any additional use-cases
Cannot use the versioned version of K/V (i.e. v2) if we want to set a ttl and have consul template refresh its template based on lease_duration value (and not vault token ttl). Stuck on K/V v1 for the moment.
Additional context
N/A
duplicate of #6184
@briankassouf, I don't think this is a duplicate of #6184. At present, if one runs vault kv patch vault.Secret.Data["data"]["ttl"] = "60s", which is placing the TTL value in the secret payload, not in its metadata.
My goal is to populate vault.Secret.Data["ttl"] for KV v2 secrets, so that (*vault.Secret).TokenTTL picks up the value here.
@asaintsever, do you concur?
@seh yes totally, for KV v2, a "ttl" secret value should end up in Data["ttl"] (as it is the case with KV v1), not in Data["data"]["ttl"] where it is not considered currently (as you pointed out: https://github.com/hashicorp/vault/blob/master/api/secret.go#L263-L272).
lease_duration is used in consul-template (https://github.com/hashicorp/consul-template/blob/master/dependency/vault_common.go#L126-L167) to wait next update.
But consul-template's behavior is not compatible between K/V v1 and K/V v2 now; for K/V v2, consul-template waits the default ttl (5 minutes).
When enabling the secrets engines and putting data as follows:
vault secrets enable -version=1 kv-v1
vault secrets enable -version=2 kv-v2
vault kv put kv-v1/with-ttl a=111 ttl=60s
vault kv put kv-v2/with-ttl a=111 ttl=60s
When I get from kv-v1, lease_duration is the same value as the ttl field.
vault kv get -format=json kv-v1/with-ttl
{
"request_id": "b30f388d-b12b-f37d-b491-05d7ea04c0a2",
"lease_id": "",
"lease_duration": 60,
"renewable": false,
"data": {
"a": "111",
"ttl": "60s"
},
"warnings": null
}
But when I get from kv-v2, in spite of the ttl field existing, lease_duration is 0.
vault kv get -format=json kv-v2/with-ttl
{
"request_id": "2a51dd87-0995-c493-59ea-38432e6ed4b3",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"data": {
"a": "111",
"ttl": "60s"
},
"metadata": {
"created_time": "2020-03-17T02:52:12.804263Z",
"deletion_time": "",
"destroyed": false,
"version": 1
}
},
"warnings": null
}
The lease_duration field is updated from the input's Secret field in LogicalResponseToHTTPResponse, but the input doesn't have a Secret when using K/V v2.
https://github.com/hashicorp/vault/blob/master/sdk/logical/translate_response.go#L14-L46
K/V v1's input Secret field is inserted in the following code:
https://github.com/hashicorp/vault-plugin-secrets-kv/blob/master/passthrough.go#L166-L184
K/V v2's input Secret field isn't inserted:
https://github.com/hashicorp/vault-plugin-secrets-kv/blob/master/path_data.go#L84-L170
If both K/V v1 and K/V v2 should have lease_duration set from the ttl field, I'm ready to send a patch.
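As an added illustration (not code from Vault, consul-template or anyone in this thread), a small Go program that parses responses shaped like the two vault kv get -format=json outputs above: LeaseDurationTTL mirrors what a lease_duration-only consumer sees today (60s for KV v1, 0 for KV v2), and EffectiveTTL falls back to the ttl key wherever it sits. The JSON inputs are constructed and trimmed, and the function names are my own.

```go
package main

import (
	"encoding/json"
	"time"
)

// kvResponse models the `vault kv get -format=json` fields used here.
type kvResponse struct {
	LeaseDuration int                    `json:"lease_duration"`
	Data          map[string]interface{} `json:"data"`
}
// Constructed inputs shaped like the two responses quoted above (trimmed).
var (
	kvV1Response = []byte(`{"lease_duration": 60, "data": {"a": "111", "ttl": "60s"}}`)
	kvV2Response = []byte(`{"lease_duration": 0, "data": {"data": {"a": "111", "ttl": "60s"}, "metadata": {"version": 1}}}`)
)
// LeaseDurationTTL is what a lease_duration-only consumer such as
// consul-template sees today: 60s for KV v1, 0 for KV v2.
func LeaseDurationTTL(raw []byte) (time.Duration, error) {
	var resp kvResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return 0, err
	}
	return time.Duration(resp.LeaseDuration) * time.Second, nil
}
// EffectiveTTL prefers lease_duration, then the "ttl" key under data (KV v1
// shape) or data.data (KV v2 shape). Only "60s"-style strings are accepted.
func EffectiveTTL(raw []byte) (time.Duration, error) {
	var resp kvResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return 0, err
	}
	if resp.LeaseDuration > 0 {
		return time.Duration(resp.LeaseDuration) * time.Second, nil
	}
	fields := resp.Data // KV v1: user keys live directly under data
	if inner, ok := resp.Data["data"].(map[string]interface{}); ok {
		fields = inner // KV v2: user keys are nested under data.data
	}
	if ttl, ok := fields["ttl"].(string); ok && ttl != "" {
		return time.ParseDuration(ttl)
	}
	return 0, nil
}

func main() {
	ttl, _ := EffectiveTTL(kvV2Response)
	println("kv-v2 effective ttl:", ttl.String())
}
```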
Should this issue be reopened?
@seh felt that this was not a duplicate of https://github.com/hashicorp/vault/issues/6184, and I tend to agree, because that issue is about destroying the secret after the TTL, whereas this request is about providing equivalent support as v1 for the lease duration.
@takaishi provided some ideas about how to address this, and was willing to put a PR together.
Without support for this feature, I am reluctant to adopt kv-v2 because it doesn't give me the ability to auto-renew my secrets automatically (for example, when I want to use the vault agent injector sidecar).
This has become a major issue for us as well. Is the lease_duration concept being deprecated? If not what is the advised way of setting lease_duration on KV v2 engine secrets? We are considering moving our engines back to KV v1 if we are unable to set the lease_duration in v2.