Support KV v2 backend in Vault provider #1331
@michael2m thanks for filing this request! I'm not sure what our timeline for making this change would be, but if you're interested in contributing you can find more info in our Secretless Contributing Guide and in our general Conjur Contributing Guide. You can also contact us on Discourse - we have a channel specifically devoted to Secretless development, and we'd be happy to help you get up and running.
Per @michael2m's email request, I've marked this as |
Signed-off-by: Meijer <[email protected]>
author Meijer <[email protected]> 1600974439 +0200 committer Meijer <[email protected]> 1600975585 +0200
Support Vault backend KVv2. Connected to cyberark#1331. Signed-off-by: Michael Meijer <[email protected]>
Signed-off-by: Michael Meijer <[email protected]>
Contrib: Support Vault backend KVv2. Connected to #1331.
Fixed via #1345 and queued for next release ( |
The current provider for secrets from HashiCorp Vault does not work for secrets stored in the KV version 2 backend. It leads to errors retrieving secrets. This is due to differences in the JSON structure of the response (wrapping in an additional "data" object). Note that KV v2 has the path to the secret include an additional "data" segment as well, e.g. "secret/data/path/to/it" for a secret "path/to/it". However, this is compatible with the current implementation of the secret provider in secretless-broker (ensuring the ID covers the proper path).
Proposal to support KV v2 backend: extend the current Vault provider in secretless-broker to parse an optional version indicator in the ID of the secret being retrieved. Currently it accepts: "path/to/secret" (with implied field "value") and "path/to/secret#somefield" with explicit field "somefield". This could be extended to support an optional version and delimiter prepended to the ID, e.g. "v2:path/to/secret" or "v2:path/to/secret#somefield". When omitted it should imply "v1", to not break current behavior and expect the KV v1 backend.
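The ID format and response unwrapping proposed above, sketched in Go as an added example; this is not the secretless-broker provider code or the change merged in #1345. `SecretRef`, `ParseSecretID` and `ExtractField` are hypothetical names, and treating the last `#` as the field delimiter is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SecretRef is a hypothetical parsed secret ID (not a secretless-broker type).
type SecretRef struct{ Version, Path, Field string }

// ParseSecretID splits "[v1:|v2:]path[#field]"; defaults are v1 and field "value".
func ParseSecretID(id string) (SecretRef, error) {
	ref := SecretRef{Version: "v1", Field: "value"}
	if strings.HasPrefix(id, "v1:") || strings.HasPrefix(id, "v2:") {
		ref.Version, id = id[:2], id[3:]
	}
	if i := strings.LastIndex(id, "#"); i >= 0 {
		ref.Field, id = id[i+1:], id[:i]
	}
	if id == "" || ref.Field == "" {
		return SecretRef{}, fmt.Errorf("invalid secret ID: empty path or field")
	}
	ref.Path = id
	return ref, nil
}

// ExtractField reads ref.Field from a Vault response; KV v2 nests fields under data.data.
func ExtractField(ref SecretRef, body []byte) (string, error) {
	var resp struct{ Data map[string]json.RawMessage `json:"data"` }
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	fields := resp.Data
	if ref.Version == "v2" { // unwrap the additional "data" object
		fields = nil
		if err := json.Unmarshal(resp.Data["data"], &fields); err != nil {
			return "", fmt.Errorf("response has no KV v2 data object: %w", err)
		}
	}
	var value string
	if err := json.Unmarshal(fields[ref.Field], &value); err != nil {
		return "", fmt.Errorf("field %q missing or not a string: %w", ref.Field, err)
	}
	return value, nil
}

func main() {
	fmt.Println(ParseSecretID("v2:secret/data/path/to/it#somefield"))
}
```

Reading a KV v2 response with an ID that lacks the `v2:` prefix returns an error rather than a value, which is the retrieval failure the issue reports.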