From 89f09e48ed17416bc732d2c1770070287fafcb02 Mon Sep 17 00:00:00 2001 From: Alexander Date: Mon, 8 Apr 2019 15:16:16 +0700 Subject: [PATCH 1/5] add vault kv2 support --- lib/hiera/backend/vault_backend.rb | 37 +++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/lib/hiera/backend/vault_backend.rb b/lib/hiera/backend/vault_backend.rb index 8cba891..9572d8d 100644 --- a/lib/hiera/backend/vault_backend.rb +++ b/lib/hiera/backend/vault_backend.rb @@ -43,6 +43,23 @@ def initialize() @vault = nil Hiera.warn("[hiera-vault] Skipping backend. Configuration error: #{e}") end + + # Check vault kv version + if (@config[:kv_version]).nil? + @data_hash = "" + @api_path = "" + Hiera.debug("[hiera-vault] kv engine version not set using default: 1") + elsif @config[:kv_version] == 1 + @data_hash = "" + @api_path = "" + Hiera.debug("[hiera-vault] Using kv engine version: #{@config[:kv_version]}") + elsif @config[:kv_version] == 2 + @data_hash = ":data" + @api_path = "data/" + Hiera.debug("[hiera-vault] Using kv engine version: #{@config[:kv_version]}") + else + Hiera.warn("[hiera-vault] Not supported kv engine version: #{@config[:kv_version]}") + end end def lookup(key, scope, order_override, resolution_type) @@ -58,7 +75,7 @@ def lookup(key, scope, order_override, resolution_type) path = Backend.parse_string(mount, scope, { 'key' => key }) Backend.datasources(scope, order_override) do |source| Hiera.debug("Looking in path #{path}/#{source}/") - new_answer = lookup_generic("#{path}/#{source}/#{key}", scope) + new_answer = lookup_generic("#{path}/#{@api_path}#{source}/#{key}", scope) #Hiera.debug("[hiera-vault] Answer: #{new_answer}:#{new_answer.class}") next if new_answer.nil? case resolution_type 
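Review bot: The `else` branch for an unsupported `:kv_version` only warns and leaves `@api_path` unassigned, so the nil interpolates as an empty string in `lookup` and the backend keeps running with the v1 path layout against a mount it was just told it does not understand. The `rescue` directly above disables the backend with `@vault = nil` on a configuration error; this branch should fail closed the same way, e.g. `Hiera.warn("[hiera-vault] Skipping backend. Not supported kv engine version: #{@config[:kv_version]}")` followed by `@vault = nil`. Note also that the comparisons are against the Integers `1` and `2`, so a version that arrives as a String (if the config loader yields one) would land in this branch as well. The `initialize` method begins before this hunk.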
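Review bot: The `Hiera.debug("Looking in path #{path}/#{source}/")` context line just above the changed line still omits `@api_path`, so for kv v2 the logged path no longer matches the `#{path}/#{@api_path}#{source}/#{key}` that is actually requested, which will mislead anyone debugging a permission-denied or not-found response on a v2 mount. Keep the two in step: `Hiera.debug("Looking in path #{path}/#{@api_path}#{source}/")`. The `lookup` method continues outside the hunk.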
@@ -92,24 +109,32 @@ def lookup_generic(key, scope) end return nil if secret.nil? - + Hiera.debug("[hiera-vault] Read secret: #{key}") if @config[:default_field] and (@config[:default_field_behavior] == 'ignore' or (secret.data.has_key?(@config[:default_field].to_sym) and secret.data.length == 1)) return nil if not secret.data.has_key?(@config[:default_field].to_sym) # Return just our default_field - data = secret.data[@config[:default_field].to_sym] + if @config[:kv_version] == 2 + data = secret.data[:data][@config[:default_field].to_sym] + else + data = secret.data[@config[:default_field].to_sym] + end if @config[:default_field_parse] == 'json' begin - data = JSON.parse(data) + data = JSON.parse(data[:data]) rescue JSON::ParserError => e Hiera.debug("[hiera-vault] Could not parse string as json: #{e}") end end else # Turn secret's hash keys into strings - data = secret.data.inject({}) { |h, (k, v)| h[k.to_s] = v; h } + if @config[:kv_version] == 2 + data = secret.data[:data].inject({}) { |h, (k, v)| h[k.to_s] = v; h } + else + data = secret.data.inject({}) { |h, (k, v)| h[k.to_s] = v; h } + end end - #Hiera.debug("[hiera-vault] Data: #{data}:#{data.class}") + #Hiera.debug("[hiera-vault] Data: #{data}") return Backend.parse_answer(data, scope) end From 838866d8495397de0113680bf28886e9647eb19d Mon Sep 17 00:00:00 2001 From: Alexander Date: Mon, 8 Apr 2019 15:52:28 +0700 Subject: [PATCH 2/5] Update vault_backend.rb --- lib/hiera/backend/vault_backend.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lib/hiera/backend/vault_backend.rb b/lib/hiera/backend/vault_backend.rb index 9572d8d..59b4e36 100644 --- a/lib/hiera/backend/vault_backend.rb +++ b/lib/hiera/backend/vault_backend.rb 
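Review bot: `JSON.parse(data[:data])` is wrong for both engine versions: by that point `data` is already the field value extracted a few lines above (`secret.data[:data][...]` or `secret.data[...]`), so indexing a String with a Symbol raises `TypeError`, which the `rescue JSON::ParserError` does not catch and which aborts the whole lookup; it should read `JSON.parse(data)`. The `default_field` gate above it is also still evaluated on `secret.data`, which for kv v2 is the `:data`/`:metadata` envelope rather than the secret's fields, so `has_key?`/`length == 1` never match on v2 and the single-value path is effectively disabled. Unwrapping the envelope once and using it everywhere fixes both and removes the duplicated `kv_version == 2` branches; if a v2 read can return a nil `:data` (as it may for a deleted version — worth confirming against the Vault API), the guard below also avoids a `NoMethodError` on `inject`. `lookup_generic` begins before this hunk.
```ruby
      return nil if secret.nil?
      # kv v2 wraps the fields in a :data envelope next to :metadata; v1 returns them flat
      fields = @config[:kv_version] == 2 ? secret.data[:data] : secret.data
      return nil if fields.nil? # v2 may report data: nil for a deleted version — confirm against the Vault API
      if @config[:default_field] and (@config[:default_field_behavior] == 'ignore' or (fields.has_key?(@config[:default_field].to_sym) and fields.length == 1))
        return nil if not fields.has_key?(@config[:default_field].to_sym)
        # Return just our default_field
        data = fields[@config[:default_field].to_sym]
        if @config[:default_field_parse] == 'json'
          begin
            data = JSON.parse(data)
          rescue JSON::ParserError => e
            Hiera.debug("[hiera-vault] Could not parse string as json: #{e}")
          end
        end
      else
        # Turn secret's hash keys into strings
        data = fields.inject({}) { |h, (k, v)| h[k.to_s] = v; h }
      end
      # … unchanged: commented-out debug line and return Backend.parse_answer(data, scope) …
```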
@@ -46,15 +46,12 @@ def initialize() # Check vault kv version if (@config[:kv_version]).nil? - @data_hash = "" @api_path = "" Hiera.debug("[hiera-vault] kv engine version not set using default: 1") elsif @config[:kv_version] == 1 - @data_hash = "" @api_path = "" Hiera.debug("[hiera-vault] Using kv engine version: #{@config[:kv_version]}") elsif @config[:kv_version] == 2 - @data_hash = ":data" @api_path = "data/" Hiera.debug("[hiera-vault] Using kv engine version: #{@config[:kv_version]}") else @@ -109,7 +106,6 @@ def lookup_generic(key, scope) end return nil if secret.nil? - Hiera.debug("[hiera-vault] Read secret: #{key}") if @config[:default_field] and (@config[:default_field_behavior] == 'ignore' or (secret.data.has_key?(@config[:default_field].to_sym) and secret.data.length == 1)) return nil if not secret.data.has_key?(@config[:default_field].to_sym) From 7236d8c2cfa50c221daad5f11a1581a3f3618840 Mon Sep 17 00:00:00 2001 From: Alexander Date: Mon, 8 Apr 2019 16:01:05 +0700 Subject: [PATCH 3/5] Update README.md --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 82476e1..c4eacdb 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,19 @@ The hiera lookup for `foo` will return a Hash: {"value"=>"bar","other"=>"baz"} +### Vault KV engine version - optional + +Since version 0.10.0 Vault supports kv secrets versioning so-called KV version 2. By default version 1 support is enabled. To configure module to work with version 2 secrets specify the :kv_version setting e.g. + + :vault: + :kv_version: 2 + +Make sure to enable versioning for all secrets in Vault: + + vault kv enable-versioning secret/foo + +**NOTE:** It is not possible to lookup through v1 and v2 secrets simultaneously. Use the only type. + ### Single Value - optional If you use just a single field to store data, eg. "value" - you can request that just this is returned as a string, instead of a hash. 
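Review bot: With `@data_hash` removed, the `nil` and `== 1` branches are now byte-identical and the `else` branch still assigns nothing, so the three-way `if`/`elsif` chain reads as more logic than it holds. A `case @config[:kv_version]` with `when nil, 1` and `when 2` arms states the supported versions in one place, and its `else` arm is the natural spot to disable the backend (`@vault = nil`, as the `rescue` above does) rather than continuing with an unset `@api_path`. `initialize` begins before this hunk.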
From d1ad668aa6f4174fca1f9442d1e6a927a5970aed Mon Sep 17 00:00:00 2001 From: Alexander Date: Mon, 8 Apr 2019 16:25:50 +0700 Subject: [PATCH 4/5] Update hiera-vault.gemspec --- hiera-vault.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hiera-vault.gemspec b/hiera-vault.gemspec index cb94306..cab4e71 100644 --- a/hiera-vault.gemspec +++ b/hiera-vault.gemspec @@ -3,7 +3,7 @@ require 'rubygems/package_task' spec = Gem::Specification.new do |gem| gem.name = "hiera-vault" - gem.version = "0.2.2" + gem.version = "0.2.3" gem.license = "Apache-2.0" gem.summary = "Module for using vault as a hiera backend" gem.email = "jonathan.sokolowski@gmail.com" From 3e8f21849f49ccfdf06a4e7fd3e910cc2b6d54f1 Mon Sep 17 00:00:00 2001 From: Alexander Date: Mon, 8 Apr 2019 16:39:39 +0700 Subject: [PATCH 5/5] Update vault_backend.rb --- lib/hiera/backend/vault_backend.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/hiera/backend/vault_backend.rb b/lib/hiera/backend/vault_backend.rb index 59b4e36..2058e19 100644 --- a/lib/hiera/backend/vault_backend.rb +++ b/lib/hiera/backend/vault_backend.rb @@ -130,7 +130,7 @@ def lookup_generic(key, scope) data = secret.data.inject({}) { |h, (k, v)| h[k.to_s] = v; h } end end - #Hiera.debug("[hiera-vault] Data: #{data}") + #Hiera.debug("[hiera-vault] Data: #{data}:#{data.class}") return Backend.parse_answer(data, scope) end