Do not destroy secret versions by default
In discussion with @si202, @rk725, @av603, @sdw37, @rh841, @du228 we noted that sanctuary secrets cannot currently be directly consumed by applications:
- If we mount a specific version of a secret into the application so that we have control over when the change "takes" then things break when sanctuary destroys the mounted version as the secret is updated.
- If we mount the "latest" version of a secret into the application we lose control over when the change "takes" - we have to hope that the application either loads the file where the secret is mounted each time it or we have some way of restarting the application after the fact.
This causes confusion as noted in #28 (closed).
As a first step towards allowing sanctuary to be used to manage secrets mounted directly in applications, make destroying secret versions optional and default to off. Add a new sub-command which destroys all non-latest versions. Then the paved path for secrets directly mounted in apps is:
- Deploy application with secret version specified exactly.
- Update secret via sanctuary.
- Re-deploy application to use new secret version.
- (Optionally) use sanctuary to destroy older secret versions.
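
The version lifecycle described above, as an added example that is not part of the original issue and is not sanctuary's code: a toy in-memory store that contrasts destroy-on-update with the proposed default and then walks the four paved-path steps. The class, function and parameter names (`SecretStore`, `destroy_previous`, `destroy_non_latest`) and the payloads are assumptions made for illustration.

```python
# Toy in-memory model, constructed for illustration; not sanctuary's code or API.
class SecretStore:
    def __init__(self):
        self.versions = {}  # version number -> payload, or None once destroyed
        self.latest = 0

    def update(self, payload, destroy_previous=False):
        """Add a version. destroy_previous=True models today's behaviour;
        the False default models the proposed one."""
        if destroy_previous and self.latest:
            self.versions[self.latest] = None
        self.latest += 1
        self.versions[self.latest] = payload
        return self.latest

    def access(self, version="latest"):
        number = self.latest if version == "latest" else version
        payload = self.versions.get(number)
        if payload is None:
            raise LookupError(f"version {number} is destroyed or missing")
        return payload

    def destroy_non_latest(self):
        """Models the proposed sub-command: destroy every version except latest."""
        doomed = [n for n, p in self.versions.items()
                  if n != self.latest and p is not None]
        for n in doomed:
            self.versions[n] = None
        return doomed


def pinned_app_survives_update(destroy_previous):
    """Can an app pinned to version 1 still read it after the secret is updated?"""
    store = SecretStore()
    pinned = store.update("old-password")  # constructed sample payload
    store.update("new-password", destroy_previous=destroy_previous)
    try:
        store.access(pinned)
        return True
    except LookupError:
        return False


def paved_path():
    store = SecretStore()
    pinned = store.update("old-password")   # 1. deploy with exact version
    new = store.update("new-password")      # 2. update; old version is kept
    before_redeploy = store.access(pinned)  # app keeps working on its pin
    pinned = new                            # 3. re-deploy onto the new version
    destroyed = store.destroy_non_latest()  # 4. optional cleanup
    return before_redeploy, store.access(pinned), destroyed
```
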