Commit

vault: return more descriptive error for K/V v2 backend
This commit modifies the Hashicorp Vault backend such that
it returns a more descriptive error when trying to create
a key on the unsupported v2 backend.

The K/V v1 and v2 backends have different APIs for accessing
keys. For example, you access a secret using the `<engine>/<path>`
API on v1. The v2 backend uses the `<engine>/data/<path>` API.

However, the Vault SDK does not return an error when trying to
access a v2 backend with a v1 client. Instead, it returns a secret
object that contains no data but an API warning.

Therefore, we check whether the returned secret contains any data,
and if not, don't return `kes.ErrKeyExists` but send a more descriptive
error event.
Andreas Auernhammer committed May 13, 2021
1 parent 1936cd4 commit f4581d9
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions internal/vault/vault.go
Expand Up @@ -260,13 +260,20 @@ func (s *Store) Create(key, value string) error {
// the secret contains no data (and no "warnings" or "errors")
//
// Therefore, we check whether the client returns a nil error
// and a non-nil "secret". In this case, the secret key already
// exists.
// and a non-nil "secret". In this case, the secret key either
// already exists or the K/V backend does not understand the
// request (K/V v1 vs. K/V v2) and returns a "secret" without
// a key entry but an API warning.
//
// But when the client returns an error it does not mean that
// the entry does not exist but that some other error (e.g.
// network error) occurred.
switch secret, err := s.client.Logical().Read(location); {
case err == nil && secret != nil:
if _, ok := secret.Data[key]; !ok {
s.logf("vault: entry exist but failed to read '%s': invalid K/V format", location)
return errCreateKey
}
return kes.ErrKeyExists
case err != nil:
s.logf("vault: failed to create '%s': %v", location, err)
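Review bot: the new check in the `case err == nil && secret != nil` branch tests for the specific field `secret.Data[key]`, whereas the commit message says the code checks "whether the returned secret contains any data"; a v1 secret stored at `location` that holds other fields but not `key` will now be logged as "invalid K/V format" and return `errCreateKey` instead of `kes.ErrKeyExists`. If the intent is to detect the v1/v2 mismatch, consider testing `len(secret.Data) == 0` (safe on a nil map) and keeping the `ErrKeyExists` path for any non-empty `Data`. Two smaller points on the same lines: the log message reads `entry exist` and should be `entry exists`, and since the commit message explains that the v2 backend answers with "a secret object that contains no data but an API warning", including `secret.Warnings` in the `s.logf` call would make the error as descriptive as the commit title promises, e.g. `s.logf("vault: entry exists but failed to read '%s': invalid K/V format: %v", location, secret.Warnings)`.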