diff --git a/vault/vault.go b/vault/vault.go
index 66d7135a..8805af24 100644
--- a/vault/vault.go
+++ b/vault/vault.go
@@ -50,6 +50,7 @@ type SecretProperties struct {
 	PasswordField string
 	SecretName string
 	UserName string
+	KVVersion int
 }
 
 type Vault struct {
@@ -115,7 +116,9 @@ func (v *Vault) login(ctx context.Context) (*vault.Secret, error) {
 	return authInfo, nil
 }
 
-// GetKVSecret fetches the latest version of secret api key from kv-v1 or kv-v2
+// GetKVSecret retrieves a secret from Vault using KV v1 or KV v2.
+// MountPath is the actual Vault mount (e.g., "testing-path"),
+// while KVVersion controls which API (v1/v2) is used.
 func (v *Vault) GetKVSecret(ctx context.Context, props *SecretProperties, secret string) (*vault.KVSecret, error) {
 	var kvSecret *vault.KVSecret
 	var err error
@@ -134,12 +137,11 @@ func (v *Vault) GetKVSecret(ctx context.Context, props *SecretProperties, secret
 			secretPath = secret
 		}
 	}
-
-	// perform more checks based on profile
-	if props.MountPath != "kv2" {
-		kvSecret, err = v.client.KVv1(props.MountPath).Get(ctx, secretPath)
-	} else {
+	switch props.KVVersion {
+	case 2:
 		kvSecret, err = v.client.KVv2(props.MountPath).Get(ctx, secretPath)
+	default:
+		kvSecret, err = v.client.KVv1(props.MountPath).Get(ctx, secretPath)
 	}
 
 	if err != nil {
diff --git a/vault/vault_test.go b/vault/vault_test.go
index 3993e505..4a066973 100644
--- a/vault/vault_test.go
+++ b/vault/vault_test.go
@@ -61,6 +61,16 @@ func createVaultTestCluster(t *testing.T) (*docker.DockerCluster, string, string
 		t.Fatal(err)
 	}
 
+	// create KV V2 mount with a custom mount name
+	if err := client.Sys().Mount("custom-kv2", &vaultapi.MountInput{
+		Type: "kv",
+		Options: map[string]string{
+			"version": "2",
+		},
+	}); err != nil {
+		t.Fatal(err)
+	}
+
 	// enable approle
 	if err := client.Sys().EnableAuthWithOptions("approle", &vaultapi.EnableAuthOptions{
 		Type: "approle",
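Review bot: The new `KVVersion` field in the `@@ -50,6 +50,7 @@` hunk carries no doc comment, and because the switch added later in this diff routes every value other than 2 to the KV v1 client, the meaning of the zero value is part of the field's contract and belongs next to the declaration rather than only in the GetKVSecret comment. Suggest `// KVVersion selects the KV secrets-engine API used at MountPath: 2 uses KV v2; any other value, including the zero value, uses KV v1.` The SecretProperties struct begins before this hunk.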
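Review bot: The `default:` arm in the `@@ -134,12 +137,11 @@` hunk silently treats every KVVersion other than 2 — a typo such as 22, a negative value, or a profile that meant v2 but left the field unset — as KV v1, so a misconfiguration only surfaces later as a Vault path error instead of as a configuration error at the point where it is known. Keeping 0 on v1 preserves existing profiles that never set the field, but the remaining values can be rejected explicitly: `case 0, 1:` for the KVv1 call and `default: return nil, fmt.Errorf("unsupported KV version %d for mount %q", props.KVVersion, props.MountPath)` (assuming fmt is already imported in vault.go; otherwise an errors.New message with the same information). GetKVSecret continues past the end of this hunk, where err is checked.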
@@ -124,6 +134,15 @@ func createVaultTestCluster(t *testing.T) (*docker.DockerCluster, string, string
 		t.Fatal(err)
 	}
 
+	// Create KV2 secret under custom mount
+	if _, err := client.Logical().Write("custom-kv2/data/ipmi/testkv2secret", map[string]interface{}{
+		"data": map[string]interface{}{
+			"value": "testkv2value",
+		},
+	}); err != nil {
+		t.Fatal(err)
+	}
+
 	// Create KV1 secret
 	if _, err := client.Logical().Write("secret/testkv1secret", map[string]interface{}{
 		"data": map[string]interface{}{
@@ -274,6 +293,7 @@ func Test_Vault_Auth(t *testing.T) {
 			loginFunc: login,
 			secretProps: &SecretProperties{
 				MountPath: "kv2",
+				KVVersion: 2,
 				SecretName: "missing",
 			},
 			getSecretFunc: getSecret,
@@ -289,6 +309,7 @@ func Test_Vault_Auth(t *testing.T) {
 			secretProps: &SecretProperties{
 				MountPath: "kv2",
 				Path: "morepath",
+				KVVersion: 2,
 				SecretName: "testkv2secret",
 			},
 			getSecretFunc: getSecret,
@@ -303,6 +324,7 @@ func Test_Vault_Auth(t *testing.T) {
 			loginFunc: login,
 			secretProps: &SecretProperties{
 				MountPath: "kv2",
+				KVVersion: 2,
 				Path: "morepath",
 			},
 			getSecretFunc: getSecret,
@@ -317,6 +339,7 @@ func Test_Vault_Auth(t *testing.T) {
 			loginFunc: login,
 			secretProps: &SecretProperties{
 				MountPath: "kv2",
+				KVVersion: 2,
 				SecretName: "testkv2secret",
 			},
 			getSecretFunc: getSecret,
@@ -331,6 +354,7 @@ func Test_Vault_Auth(t *testing.T) {
 			loginFunc: login,
 			secretProps: &SecretProperties{
 				MountPath: "kv2",
+				KVVersion: 2,
 			},
 			getSecretFunc: getSecret,
 			cleanUpFunc: cleanUp,
@@ -350,6 +374,22 @@ func Test_Vault_Auth(t *testing.T) {
 			cleanUpFunc: cleanUp,
 			expectErr: false,
 		},
+		{
+			name: "Get KVv2 Secret Custom Mount",
+			ctx: ctx,
+			vaultParams: goodParams,
+			appRoleClientFunc: createAppRoleClient,
+			loginFunc: login,
+			secretProps: &SecretProperties{
+				MountPath: "custom-kv2",
+				Path: "ipmi",
+				KVVersion: 2,
+				SecretName: "testkv2secret",
+			},
+			getSecretFunc: getSecret,
+			cleanUpFunc: cleanUp,
+			expectErr: false,
+		},
 		{
 			name: "Token Renewal",
 			ctx: ctx,
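Review bot: The "Get KVv2 Secret Custom Mount" case in the `@@ -350,6 +374,22 @@` hunk only covers the happy path; nothing in the table pins the behaviour the new `default:` arm of GetKVSecret introduces, namely that a KV v2 mount read with KVVersion left at its zero value goes through the v1 API and is not auto-detected. A sibling case with `MountPath: "custom-kv2", Path: "ipmi", SecretName: "testkv2secret"`, no KVVersion, and `expectErr: true` would document that contract and catch a later change to the fallback (confirm against the cluster that the v1 read path on a v2 mount does fail rather than return an empty secret). Test_Vault_Auth continues outside this hunk.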
@@ -357,6 +397,7 @@ func Test_Vault_Auth(t *testing.T) {
 			appRoleClientFunc: createAppRoleClient,
 			secretProps: &SecretProperties{
 				MountPath: "kv2",
+				KVVersion: 2,
 			},
 			validateFunc: func(t *testing.T, tc testcase) error {
 				var wg = sync.WaitGroup{}
@@ -388,6 +429,7 @@ func Test_Vault_Auth(t *testing.T) {
 			appRoleClientFunc: createAppRoleClient,
 			secretProps: &SecretProperties{
 				MountPath: "kv2",
+				KVVersion: 2,
 			},
 			validateFunc: func(t *testing.T, tc testcase) error {
 				var wg = sync.WaitGroup{}