logic left a comment
Just some quick comments; looks like this may not have been tested with default values? (I use them quite a lot here.)
| return nil if secret.nil? | ||
|
|
||
| Hiera.debug("[hiera-vault] Read secret: #{key}") | ||
| if @config[:default_field] and (@config[:default_field_behavior] == 'ignore' or (secret.data.has_key?(@config[:default_field].to_sym) and secret.data.length == 1)) |
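Review bot: In the condition on the last line, `secret.data.has_key?(@config[:default_field].to_sym)` and `secret.data.length == 1` both inspect the top level of the response. A KV v2 read nests the stored keys under `:data` alongside `:metadata`, so the top-level hash has two entries and the `has_key? ... and length == 1` pair does not hold as written; the default field would then only be used when `default_field_behavior` is 'ignore'. Suggest running both tests against the inner hash when the engine is v2.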
Default fields also need to handle the kv2 case (there should be a `secret.data[:data].has_key?(@config[:default_field])` case in here somewhere).
| if @config[:default_field_parse] == 'json' | ||
| begin | ||
| data = JSON.parse(data) | ||
| data = JSON.parse(data[:data]) |
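Review bot: On the `data = JSON.parse(data[:data])` line, `JSON.parse` needs a String, and the line it replaces parsed `data` directly, which suggests `data` already holds the field's string value at this point. Indexing a Ruby String with a symbol raises TypeError, so this would fail before any JSON is parsed. Suggest selecting the v2 payload once, before this block, and leaving `JSON.parse(data)` unchanged.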
I don't think this change is correct? You may want to test this.
| end | ||
|
|
||
| return nil if secret.nil? | ||
|
|
Instead of sprinkling `if @config[:kv_version] == 2` throughout the following, couldn't you just create a variable here to represent `secret.data` in the kv1 case, and `secret.data[:data]` in the kv2 case, and work off of that from here on out? (This is already a pretty ugly collection of conditionals, seems a shame to make it worse.) i.e.:

```ruby
sd = @config[:kv_version] == 2 ? secret.data[:data] : secret.data
```

and then reference `sd` instead of `secret.data` everywhere, without changing any of the existing logic?
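The suggestion above, worked through as an added example (not code from the pull request or from hiera-vault): the payload is selected once and the default-field check from the diff then runs unchanged on it. `secret_payload` and `resolve` are hypothetical helpers, the sample hashes are constructed, and returning the whole payload when the default field does not apply is an assumption.

```ruby
require 'json'

# Constructed sample responses with symbol keys, as in the diff's secret.data.
KV1_DATA = { value: '{"user":"app","pass":"s3cret"}' }.freeze
KV2_DATA = {
  data: { value: '{"user":"app","pass":"s3cret"}' },
  metadata: { version: 3, destroyed: false }
}.freeze

# Hypothetical helper: pick the key/value payload once.
def secret_payload(secret_data, kv_version)
  return secret_data unless kv_version == 2
  payload = secret_data[:data]
  # Guard against a response whose :data is missing or not a hash.
  payload.is_a?(Hash) ? payload : nil
end

# Hypothetical helper: the default-field condition from the diff, applied to
# the selected payload instead of the raw response.
def resolve(secret_data, config)
  sd = secret_payload(secret_data, config[:kv_version])
  return nil if sd.nil?
  field = config[:default_field]
  return sd unless field
  only_default = sd.key?(field.to_sym) && sd.length == 1
  # Assumption: when the default field does not apply, return the payload.
  return sd unless config[:default_field_behavior] == 'ignore' || only_default
  value = sd[field.to_sym]
  return value unless config[:default_field_parse] == 'json' && value.is_a?(String)
  begin
    JSON.parse(value)
  rescue JSON::ParserError
    value # assumption: fall back to the raw string when it is not JSON
  end
end
```

Calling `resolve` on the kv2 sample with `kv_version` left at 1 returns the whole envelope, `:metadata` included, which is the failure the review comments point at.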
Enable Vault key/value engine V2 support