hashicorp / consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
https://www.hashicorp.com/
Mozilla Public License 2.0

Shorthand syntax for secret read #1547

Open mahmoudhossam opened 2 years ago

mahmoudhossam commented 2 years ago

Currently, the documentation states that:

The attribute is optional; if omitted, the request will be a vault read (HTTP GET) request. If provided, the request will be a vault write (HTTP PUT/POST) request.

With this syntax being recommended for reading secrets:

{{ with secret "secret/passwords" }}
{{ .Data.wifi }}{{ end }}

Can we maybe have a shorthand for this syntax so it becomes a one-liner instead?

Something along the lines of:

WIFI_PASSWORD={{ readSecret "secret/passwords" .Data.wifi }}

Being equivalent to the syntax in the first example.

The use case for this would be to print individual secrets without having to write a whole with block just to get a single secret.

eikenb commented 2 years ago

Hey @mahmoudhossam, thanks for the idea.

Thinking about this I was wondering if it would be possible to make this more general purpose with a read function that could work with the pipeline.

E.g. I'm thinking something like...

WIFI_PASSWORD={{ secret "secret/passwords" | readField ".Data.wifi" }}

Read would probably do something like take the input dot object and the string, create a sub-template with just the string and then evaluate it using the passed in dot object.

This could feasibly work on any template function that returns a more complex data type that you only want to access a single field from.

Thoughts?
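One way the readField idea sketched above could be built on Go's text/template: compile the string into a throwaway sub-template and execute it with the piped object as dot. This is an added example, not consul-template code or anything posted in the thread; readField, fakeSecretFunc and Render are hypothetical names and the secret data is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// readField compiles expr (e.g. ".Data.wifi") into a throwaway sub-template and
// executes it against data, as sketched in the comment above. Hypothetical helper,
// not a consul-template function; a piped value arrives as the LAST argument.
func readField(expr string, data interface{}) (string, error) {
	expr = strings.TrimSpace(expr)
	// expr becomes template source: accept only a plain field path from the template author.
	if !strings.HasPrefix(expr, ".") || strings.Contains(expr, "}}") {
		return "", fmt.Errorf("readField: %q is not a simple field path", expr)
	}
	// missingkey=error: a typo in the field name fails the render instead of writing "<no value>".
	sub, err := template.New("readField").Option("missingkey=error").Parse("{{" + expr + "}}")
	if err != nil {
		return "", fmt.Errorf("readField: %w", err)
	}
	var buf bytes.Buffer
	if err := sub.Execute(&buf, data); err != nil {
		return "", fmt.Errorf("readField: %w", err)
	}
	return buf.String(), nil
}

// fakeSecret mimics the shape of the real secret function's result; constructed data, no Vault call.
type fakeSecret struct{ Data map[string]interface{} }

func fakeSecretFunc(path string) (*fakeSecret, error) {
	if path != "secret/passwords" {
		return nil, fmt.Errorf("no secret at %q", path)
	}
	return &fakeSecret{Data: map[string]interface{}{"wifi": "example-wifi-pass"}}, nil
}

// Render executes tmpl with both functions registered and returns the output.
func Render(tmpl string) (string, error) {
	t, err := template.New("t").Funcs(template.FuncMap{"secret": fakeSecretFunc, "readField": readField}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, nil)
	return out.String(), err
}
```

Rendering `WIFI_PASSWORD={{ secret "secret/passwords" | readField ".Data.wifi" }}` yields `WIFI_PASSWORD=example-wifi-pass`, while a misspelled field name is a render error rather than an empty value written to disk.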

mahmoudhossam commented 2 years ago

@eikenb Thank you for your input.

I only ever worked with secrets in consul templates so that's why I was thinking of a solution for it.

Your proposal seems to be more of a general solution which I definitely appreciate, although I think having a directive that does both operations in one go would make for better looking templates than piping.

This is of course a design thing, so I'd leave it for people more seasoned with the project than I am.