Handling generic path type with versioning in Vault #2196

Open
nedal87 opened this issue Jul 26, 2024 · 5 comments

nedal87 commented Jul 26, 2024

We are encountering an issue with gomplate v4.1.0 when trying to render a Vault path with the path type set to generic, especially when options map[version:2] is specified. It seems that gomplate does not handle this configuration, leading to rendering failures.

Steps to Reproduce:

1. Configure a Vault secrets engine with the type generic and set options map[version:2].
2. Attempt to use gomplate to render a secret from this path without including the /data component:

   gomplate --datasource vault=vault://vault-server:8200/ -f secret.yaml

3. Observe that gomplate fails to render the secret, with the error message below:

gomplate --datasource vault=vault://vault-server:8200/ -f secret.yaml 
secrets: "15:57:20 ERR  err="renderTemplate: failed to render template secret.yaml: template: secret.yaml:1:14:
 executing \"secret.yaml\" at <datasource \"vault\" \"ui/secrets/rest/of/the/path\">: error calling datasource: 
 couldn't read datasource 'vault' (vault://vault-server:8200/ui/secrets/rest/of/the/path): 
 stat (url: \"vault://vault-server:8200/\", name: \"ui/secrets/rest/of/the/path\"): 
 stat ui/secrets/rest/of/the/path: http GET /v1/ui/secrets/rest/of/the/path failed with: GET https://vault-server:8200/v1/ui/secrets/rest/of/the/path - 403, details: 1 error occurred:\n\t* permission denied\n\n: file does not exist"

Note that running vault kv get against the same path works as expected:

vault kv get ui/secrets/rest/of/the/path                           
================== Secret Path ==================
ui/secrets/data/rest/of/the/path

======= Metadata =======
Key                Value
---                -----

It would be great if gomplate could handle such a situation, where the secret engine type is not specifically set to kv. Or is there any way that we can avoid this issue?

Environment:
Gomplate version: 4.1.0
Vault version: v1.17.1

@nedal87 nedal87 changed the title Handling generic Secret Engine with Versioning in Vault Handling generic path type with Versioning in Vault Jul 26, 2024
@nedal87 nedal87 changed the title Handling generic path type with Versioning in Vault Handling generic path type with versioning in Vault Jul 26, 2024

xuwang commented Aug 16, 2024

We have the same issue. It is impossible to change the mount type from 'generic (version=2)' to 'kv (version=2)' on a Vault kv engine (and there are no good tools to export/import a large number of kv secrets with versions, even if we wanted to migrate).
It is a common issue for early vault setups. Hope gomplate vault datasource could accommodate this old vault configuration.


nedal87 commented Sep 27, 2024

Hi @hairyhenderson,

I hope you’re doing well! I wanted to check in on the status of the issue with gomplate v4.1.0 and the handling of the generic secrets engine in Vault. This issue is blocking our ability to update gomplate, and we are looking forward to being able to proceed with the update.

If there’s any chance this could be reviewed soon or if there are any updates available, I’d greatly appreciate it. Thank you for your time and for all the hard work you do on this project!


This issue is stale because it has been open for 60 days with no
activity. If it is no longer relevant or necessary, please close it.
Given no action, it will be closed in 14 days.

If it's still relevant, one of the following will remove the stale
marking:

  • A maintainer can add this issue to a milestone to indicate that
    it's been accepted and will be worked on
  • A maintainer can remove the stale label
  • Anyone can post an update or other comment

@github-actions github-actions bot added the Stale label Nov 27, 2024
@tewfik-ghariani

Not stale

@github-actions github-actions bot removed the Stale label Nov 27, 2024
@hairyhenderson hairyhenderson added this to the future milestone Dec 1, 2024
@hairyhenderson
Owner

Looks like this issue fell through the cracks - sorry folks.

> the path type set to generic, especially when options map[version:2] is specified

As of Vault 0.8.3, generic is the same as kv, but that was before KV v2 and versioning support.

So I think if you have a mount of type generic and version 2, that's exactly the same as KV v2. But I could be wrong. It's certainly deprecated.

One other thing - the ui/ prefix on your path - is that intentional? Do you have a mount on ui/? Usually that path is what's used by the Vault UI. I'd expect the command to be vault kv get secrets/... instead.
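
Added illustration, not part of the thread and not gomplate's or Vault's own code: the path mapping visible in the `vault kv get` output above (`ui/secrets/rest/of/the/path` becoming `ui/secrets/data/rest/of/the/path`), decided from the mount's `options` version rather than its type, which is what treating a generic version 2 mount like KV v2 would mean. The `mountInfo` struct, the constructed sample JSON (mount `ui/secrets/`, type `generic`, version `2`) and the function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// mountInfo holds the mount fields this example needs (hypothetical type).
type mountInfo struct {
	Path    string            `json:"path"`
	Type    string            `json:"type"`
	Options map[string]string `json:"options"`
}

// sampleMount is constructed for this example: a "generic" mount with version 2.
const sampleMount = `{"path":"ui/secrets/","type":"generic","options":{"version":"2"}}`

// parseMount decodes a mount description from JSON.
func parseMount(raw string) (mountInfo, error) {
	var m mountInfo
	err := json.Unmarshal([]byte(raw), &m)
	return m, err
}

// readPath maps a logical secret path to the path requested under /v1/.
// The decision uses options["version"], so "generic" and "kv" mounts behave alike.
// The caller passes the logical path, without the data/ component.
func readPath(m mountInfo, logical string) (string, error) {
	mount := strings.Trim(m.Path, "/") + "/"
	logical = strings.TrimPrefix(logical, "/")
	if !strings.HasPrefix(logical, mount) {
		return "", fmt.Errorf("path %q is not under mount %q", logical, mount)
	}
	if m.Options["version"] != "2" {
		return logical, nil // unversioned mount: path is used unchanged
	}
	return mount + "data/" + strings.TrimPrefix(logical, mount), nil
}

func main() {
	m, err := parseMount(sampleMount)
	if err != nil {
		panic(err)
	}
	p, err := readPath(m, "ui/secrets/rest/of/the/path")
	fmt.Println(p, err)
}
```

Vault policies for a version 2 mount have to grant access on the `data/` form of the path, so a read sent to the path without `data/` can come back as 403 even when the token may read the secret.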
