
Accessing the json root of a vault kv2 secret

Open · liamhelmer opened this issue 1 year ago · 1 comment

I'm having trouble managing to use the root of a vault secret, i.e. I want to access the entire vault secret as json, rather than accessing only a single key within a json secret. Either this is a bug in the plugin that this is unattainable, or else it's a documentation bug, because I can't find an example anywhere in the documentation on how to do this.

Looking up jsonPath, I managed to determine that {@} would access the whole path, so that part is working fine. What I can't seem to do is get the entire json secret: I can only retrieve one key at a time.

So far, I've tried all the following formats to no avail:

    <path:secrets/k8s/soa/kv/data/dev/test-pipeline#. | jsonPath {@}>
    <path:secrets/k8s/soa/kv/data/dev/test-pipeline#@ | jsonPath {@}>
    <path:secrets/k8s/soa/kv/data/dev/test-pipeline# | jsonPath {@}>
    <path:secrets/k8s/soa/kv/data/dev/test-pipeline | jsonPath {@}>

All of these result in various errors, mostly: "Replace: could not replace all placeholders in Template: replaceString: missing Vault value for placeholder"

For reference the following works just fine, so I know secrets are being pulled correctly from vault: <path:secrets/k8s/soa/kv/data/dev/test-pipeline#testdata | jsonPath {@}>

In either case, I'd like to have the documentation updated to represent the current state. It would also be beneficial, I think, to break down in the documentation how to address a secret in hierarchical paths within a kv2 keystore, which is used by many larger orgs, e.g. breaking the path down into its components for less confusion:

    path:<path/to/secret/store></data if we're using kv2></path/to/secret>[#key within secret][#secret version]

I can't find in the existing documentation any examples of doing the specific thing that I'm talking about here, all documentation that I've read pulls a subkey of the json secret instead of the entire json secret.

What I'd like is a) to get the correct format of the secret that we need or b) know that this is not possible as currently implemented... at which point I'll make a feature request or post a PR.

If this isn't currently implemented, I'd like to suggest that the format should be:

    <path:secrets/k8s/soa/kv/data/dev/test-pipeline | jsonPath {@}>

As that keeps it consistent with the paths used by avp.kubernetes.io/path.

Thanks!

liamhelmer, Mar 15 '23 22:03

@liamhelmer getting all the key values from a vault secret is not supported at this time. I think in order to do what you want, we would have to add some logic to run a list call on the path instead of a get and then form the list data into the map that needs to be returned. Feel free to put up a PR and we can take a look.

werne2j, Mar 21 '23 13:03
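Added illustration for this thread (not the plugin's own code): a small Go helper that breaks a placeholder into the components the reporter asks the docs to spell out (path, key, version, modifier), splits a kv2 path at `/data/`, and resolves a key against an already-fetched secret, failing for the four whole-secret forms tried above in the way the reporter describes and the maintainer confirms. `ParsePlaceholder`, `SplitKV2` and `Resolve` are hypothetical names, and the secret contents used in `main` and the test are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Placeholder is one <path:mount/data/secret#key#version | modifier> reference, split into
// the components the issue asks the docs to spell out.
type Placeholder struct {
	Path, Key, Version, Modifier string
}

// ParsePlaceholder (hypothetical name, not the plugin's parser) splits the text on "|"
// for the modifier and on "#" for the optional key and version.
func ParsePlaceholder(s string) (Placeholder, error) {
	if !strings.HasPrefix(s, "<path:") || !strings.HasSuffix(s, ">") {
		return Placeholder{}, fmt.Errorf("not a <path:...> placeholder: %q", s)
	}
	body, mod := strings.TrimSuffix(strings.TrimPrefix(s, "<path:"), ">"), ""
	if i := strings.Index(body, "|"); i >= 0 {
		body, mod = body[:i], strings.TrimSpace(body[i+1:])
	}
	parts := append(strings.SplitN(strings.TrimSpace(body), "#", 3), "", "") // pad missing key/version
	return Placeholder{Path: parts[0], Key: parts[1], Version: parts[2], Modifier: mod}, nil
}

// SplitKV2 separates a kv2 path into the mount and the secret path beneath "/data/".
func SplitKV2(path string) (mount, secret string, ok bool) {
	i := strings.Index(path, "/data/")
	if i < 0 {
		return "", "", false
	}
	return path[:i], path[i+len("/data/"):], true
}

// Resolve looks the key up in an already-fetched secret. With no key, or a key such as
// "." or "@" that the secret does not contain, it fails the way the issue reports.
func Resolve(p Placeholder, data map[string]string) (string, error) {
	v, found := data[p.Key]
	if !found {
		return "", fmt.Errorf("missing Vault value for placeholder %s#%s", p.Path, p.Key)
	}
	return v, nil
}

func main() {
	p, _ := ParsePlaceholder("<path:secrets/k8s/soa/kv/data/dev/test-pipeline#testdata | jsonPath {@}>")
	fmt.Printf("%+v\n", p) // constructed input; prints the parsed components
}
```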