@arossert you can issue these commands to revert versions for your secrets.
echo "setting up vault"
vault secrets disable secret
vault secrets enable -version=1 -path=secret -description=$SECRET_DESCRIPTION kv

Probably can just add them as RUN commands in docker file.

@fewknow Thanks for the fast replay.
I have already tried that like this:

FROM vault

ENV VAULT_ADDR="http://127.0.0.1:8200"

RUN vault secrets disable secret &&\
    vault secrets enable -path=secret kv

But when I try to build it with:
docker build -f Dockerfile.vault-dev .

I get this error:
Error disabling secrets engine at secret/: Delete http://127.0.0.1:8200/v1/sys/mounts/secret: dial tcp 127.0.0.1:8200: connect: connection refused

It seems like the vault is not running yet.

@arossert it might not be the best way but i solved using these two files:

Dockerfile.vault-dev

FROM vault

RUN apk add --no-cache openssl
ENV DOCKERIZE_VERSION v0.6.1
RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
    && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
    && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz

ENV VAULT_TOKEN=vaultDevToken
ENV VAULT_DEV_ROOT_TOKEN_ID=vaultDevToken
ENV VAULT_ADDR="http://127.0.0.1:8200"

COPY set_v1_secrets.sh /home/vault/

CMD ["/home/vault/set_v1_secrets.sh"]

set_v1_secrets.sh

#!/bin/sh

docker-entrypoint.sh server -dev &
dockerize -wait tcp://127.0.0.1:8200 -timeout 30s
vault secrets disable secret
vault secrets enable -version=1 -path=secret -description='local secrets' kv

hope this helps

@arossert I have been struggling the same issue for a couple of days, but finally I managed to find a way to switch the versions on DEV mode. I have a little bit of a hacky solution, but it works perfectly for me. I am using the Docker health check to execute the commands that will switch the version of the kv from 2 to 1. Check the docker-compose snippet below:

version '3'

services:
...
  vault:
    image: vault
    cap_add:
        - IPC_LOCK
    environment:
        VAULT_ADDR: "http://192.168.99.100:8200"
        VAULT_DEV_ROOT_TOKEN_ID: "vault-demo-token"
    ports:
        - "8200:8200"
    healthcheck:
      test: "vault login vault-demo-token &&
             vault kv get secret &&
             vault secrets disable secret &&
             vault secrets enable -version=1 -path=secret kv"
      interval: 5s
...

The whole magic is in the healthcheck section. On every 5 seconds:

1. Login on vault, using the VAULT_DEV_ROOT_TOKEN_ID.
2. Check if the version of KV is 2. I try to execute a non-listing operation vault kv get secret on the root of the secret mount, which is not supported by KV v2 (this command should fail with: Non-listing operations on the root of a K/V v2 mount are not supported.)!
3. Unmount the secret kv.
4. Mount the secret kv, but this time with version 1.

Thanks to 2), the switch (steps 3 and 4) will happen only on the first health check. After that, on every 5 second, only a login and check will be done (steps 1 and 2).

Important note: The parameter VAULT_ADDR is needed if the vault server is not running on your local machine. In my case it is running on the Docker machine (192.169.99.100) and I should specify that, otherwise the commands in the health check will fail.

Hope it helps!

Seems much easier for someone to simply patch Vault to include a dev flag that disables the upgrade.

@mrusanov I have tried your method with the docker compose but it does not work for me, the vault secret is still V2 after "docker-compose up".
It does not seem that the healthcheck is running

@arossert since my last comment I have researched if there is a better way to switch the version of KV. I have even reviewed the source code of Vault, and it seems that there is no way to set up the default KV version in DEV mode, without recompiling of the Vault itself. So, the only possible way is to switch the version of KV using Vault commands (after the Vault is up and running). One option is to use the workaround from my previous comment, using docker-compose. Another solution, which is better, is to build a custom Docker image of Vault, using the Dockerfile and the script below:

secure-store-vault.sh

#!/bin/sh

if [ "$VAULT_KV_VERSION" = "v1" ]; then
  {
    # A background process to set the kv version to v1.
    while ! vault login $VAULT_DEV_ROOT_TOKEN_ID;
    do
      # Retry login to Vault every second until Vault server is up.
      sleep 1;
    done;
    # After the login, set the kv version v1
    vault secrets disable secret;
    vault secrets enable -version=1 -path=secret kv;
  } &
fi

# Start the Vault server in DEV mode
docker-entrypoint.sh server -dev

Dockerfile

FROM vault

ARG VAULT_ADDR_ARG="http://192.168.99.100:8200"
ARG VAULT_DEV_ROOT_TOKEN_ID_ARG="vault-dev-root-token"
ARG VAULT_KV_VERSION_ARG="v1"

COPY secure-store-vault.sh /usr/local/bin/secure-store-vault.sh

RUN chmod 777 /usr/local/bin/secure-store-vault.sh \
    && ln -s /usr/local/bin/secure-store-vault.sh /

ENV VAULT_ADDR=$VAULT_ADDR_ARG
ENV VAULT_DEV_ROOT_TOKEN_ID=$VAULT_DEV_ROOT_TOKEN_ID_ARG
ENV VAULT_KV_VERSION=$VAULT_KV_VERSION_ARG

CMD ["/usr/local/bin/secure-store-vault.sh"]

As you can see, the version switch happens in the secure-store-vault.sh script, if the custom parameter VAULT_KV_VERSION is set to v1. In that case, a background process is started, which retries to connect to Vault every second. Once Vault is up and running the KV is disabled, and after that enabled again, but this time with version 1.
This solution is better, because it allows to choose the version of KV, and it is not necessary to use docker-compose's health check.

All of the ENV variables have their default values set in the Dockerfile. Again, it is important to specify the right VAULT_ADDR, for you Docker machine, where Vault is running.

Hope it helps! :)

@mrusanov thanks, that looks good, will try to use one of those methods.
As @jefferai said, it will be nice if Vault will enable this feature.

The dev flag -dev-kv-v1 was added in vault 1.0.1. See hashicorp/vault#5919.

An example of the above for an ad-hoc container run (for the non-docker fluent):

docker run -p 8200:8200 --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' vault:1.0.3 server -dev-kv-v1