[Hashicorp Vault provider] Support check-and-set options for PushSecret

[snaax]

Hello,
I'm sorry if a similar bug already have been posted or if it's just a misusage but I didn't find anything

Describe the bug
I'm using hashicorp-vault v2 provider and when I try to use the PushSecret feature, I'm being told
Code: 400. Errors: * check-and-set parameter required for this call
It seems normal since when I try to do it manually, I have the -cas to put but I didn't see anything about this in the documentation nor options.

To Reproduce
Steps to reproduce the behavior:

1. Using kubernetes 1.31 and eso chart 0.17.0
2. Create a SecretStore

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "xxx"
      path: "secret"
      version: "v2"
      auth:
        ldap:
          path: "ldap"
          username: "xxx"
          secretRef:
            name: "vault"
            key: "ldap-password"

3. Create a kubernetes secret (from the example

apiVersion: v1
kind: Secret
metadata:
  name: source-secret
stringData:
  source-key1: "{\"foo\":\"bar\"}" # Needs to be a JSON
  source-key2: bar  # Could be a plain string

5. Create a PushSecret

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-example
spec:
  refreshInterval: 1h
  secretStoreRefs:
    - name: vault-backend
      kind: SecretStore
  selector:
    secret:
      name: source-secret
  data:
    - match:
        secretKey: source-key1
        remoteRef:
          remoteKey: xxx/test/secret1
    - match:
        secretKey: source-key2
        remoteRef:
          remoteKey: xxx/test/secret2
          property: foo

Capabilities on the vault side seems aligned to what is asked :

path "/secret/metadata/xxx*" { capabilities = ["read", "list", "create", "update", "delete"] } 
path "/secret/data/xxx*" { capabilities = ["create", "update", "read"] }

Expected behavior
The secret is pushed to the vault without asking for cas

Screenshots
ESO Logs

{"level":"debug","ts":1749715576.0520585,"logger":"events","msg":"set secret failed: could not write remote ref source-key1 to target secretstore vault-backend: Error making API request.\n\nURL: PUT https://xxx/v1/secret/data/xxx/test/secret1\nCode: 400. Errors:\n\n* check-and-set parameter required for this call","type":"Warning","object":{"kind":"PushSecret","namespace":"external-secrets","name":"pushsecret-example","uid":"4c352c1a-a595-4b2d-aab1-dcf427a3cd0e","apiVersion":"external-secrets.io/v1alpha1","resourceVersion":"115085003"},"reason":"Errored"}
{"level":"debug","ts":1749715576.0889807,"logger":"events","msg":"store validated","type":"Normal","object":{"kind":"SecretStore","namespace":"external-secrets","name":"vault-backend","uid":"2a020cb8-87b5-4668-955f-744f791f0124","apiVersion":"external-secrets.io/v1","resourceVersion":"115086943"},"reason":"Valid"}
{"level":"error","ts":1749715576.1177425,"msg":"Reconciler error","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","PushSecret":{"name":"pushsecret-example","namespace":"external-secrets"},"namespace":"external-secrets","name":"pushsecret-example","reconcileID":"84e6d709-7f9d-4b52-a762-8b001843e89f","error":"could not write remote ref source-key1 to target secretstore vault-backend: Error making API request.\n\nURL: PUT https://xxx/v1/secret/data/xxx/test/secret1\nCode: 400. Errors:\n\n* check-and-set parameter required for this call","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}

[gusfcarvalho]

Hi @snaax . This is, as your error messages show, not a bug but a permissions issue.

Edit:
After googling for a while, we do not support check-and-set 🙂. This is a new feature request (not support nor bug)

I encourage you to implement and open a PR for it 😃

[snaax]

Oh ok I saw your first comment and was "I wasn't clear" 😄. But ok I understand you're not supporting it. I'm surprised nobody had this problem before me since it's common on vault v2 but I guess most of users are using aws provider.

I'll try to open a PR about this after learning some go 😅

Thanks for your answer

[gusfcarvalho]

Oh ok I saw your first comment and was "I wasn't clear" 😄. But ok I understand you're not supporting it. I'm surprised nobody had this problem before me since it's common on vault v2 but I guess most of users are using aws provider.

I guess it's more due to the PushSecret usage vs user base on hashi vault (we have quite a lot, they might simply not be using PushSecrets at all 😄).

[gusfcarvalho]

Just finished triaging this - it is a good first issue for anyone wanting to do their first contrib (~40 lines of change + tests).

[Ilhan-Personal]

I could try to take a stab at it if that's okay 😅

[Skarlso]

@Ilhan-Personal Go for it :)