hairyhenderson/gomplate

Handling generic path type with versioning in Vault


We are encountering an issue with gomplate v4.1.0 when trying to render a Vault path with the path type set to generic, especially when options map[version:2] is specified. It seems that gomplate does not handle this configuration, leading to rendering failures.

Steps to Reproduce:

Configure a Vault secrets engine with the type generic and set options map[version:2].
Attempt to use gomplate to render a secret from this path without including the /data component.

gomplate --datasource vault=vault://vault-server:8200/ -f secret.yaml

Observe that gomplate fails to render the secret, with the error message below:

gomplate --datasource vault=vault://vault-server:8200/ -f secret.yaml 
secrets: "15:57:20 ERR  err="renderTemplate: failed to render template secret.yaml: template: secret.yaml:1:14:
 executing \"secret.yaml\" at <datasource \"vault\" \"ui/secrets/rest/of/the/path\">: error calling datasource: 
 couldn't read datasource 'vault' (vault://vault-server:8200/ui/secrets/rest/of/the/path): 
 stat (url: \"vault://vault-server:8200/\", name: \"ui/secrets/rest/of/the/path\"): 
 stat ui/secrets/rest/of/the/path: http GET /v1/ui/secrets/rest/of/the/path failed with: GET https://vault-server:8200/v1/ui/secrets/rest/of/the/path - 403, details: 1 error occurred:\n\t* permission denied\n\n: file does not exist"

Note that running vault kv get against the same path works as expected:

vault kv get ui/secrets/rest/of/the/path                           
================== Secret Path ==================
ui/secrets/data/rest/of/the/path

======= Metadata =======
Key                Value
---                -----

It would be great if gomplate could handle such a situation, where the secret engine type is not specifically set to kv. Or is there any way that we can avoid this issue?

Environment:
Gomplate version: 4.1.0
Vault version: v1.17.1
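
An added example, not part of the original issue and not gomplate's own code: a sketch of choosing the read path from the mount's `options.version` rather than from its type, so a `generic` mount with version 2 still gets the `data/` segment that `vault kv get` shows above. The helper name `kvReadPath` is hypothetical, and the JSON is a constructed sample assumed to have the shape of a `GET /v1/sys/internal/ui/mounts/<path>` response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample (assumed response shape) for the mount in this issue:
// the type is "generic", but options.version is "2".
const sampleMount = `{"data":{"type":"generic","path":"ui/secrets/","options":{"version":"2"}}}`

type mountInfo struct {
	Data struct {
		Type    string            `json:"type"`
		Path    string            `json:"path"`
		Options map[string]string `json:"options"`
	} `json:"data"`
}

// kvReadPath (hypothetical helper) maps a logical secret path to the path used
// for the HTTP read. It looks only at options.version, never at the mount type.
func kvReadPath(mountJSON []byte, logical string) (string, error) {
	var m mountInfo
	if err := json.Unmarshal(mountJSON, &m); err != nil {
		return "", fmt.Errorf("parse mount info: %w", err)
	}
	mount := strings.TrimSuffix(m.Data.Path, "/") + "/"
	logical = strings.TrimPrefix(logical, "/")
	if m.Data.Path == "" || !strings.HasPrefix(logical, mount) {
		return "", fmt.Errorf("path %q is not under mount %q", logical, m.Data.Path)
	}
	if m.Data.Options["version"] != "2" {
		return logical, nil // version 1 or unset: the path is used as-is
	}
	// Version 2: insert "data/" directly after the mount path.
	return mount + "data/" + strings.TrimPrefix(logical, mount), nil
}

func main() {
	p, err := kvReadPath([]byte(sampleMount), "ui/secrets/rest/of/the/path")
	fmt.Println(p, err)
}
```

The 403 in the error above is returned for `/v1/ui/secrets/rest/of/the/path`, a path without the `data/` segment, while `vault kv get` reports `ui/secrets/data/rest/of/the/path` as the secret path.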

We have the same issue. It is impossible to change the mount type from 'generic (version=2)' to 'kv (version=2)' on a vault kv engine (and there are no good tools to export/import a large number of kv secrets with versions, even if we wanted to migrate).
It is a common issue for early vault setups. We hope the gomplate vault datasource can accommodate this old vault configuration.

Hi @hairyhenderson,

I hope you’re doing well! I wanted to check in on the status of the issue with gomplate v4.1.0 and the handling of the generic secrets engine in Vault. This issue is blocking our ability to update gomplate, and we are looking forward to being able to proceed with the update.

If there’s any chance this could be reviewed soon or if there are any updates available, I’d greatly appreciate it. Thank you for your time and for all the hard work you do on this project!