diff --git a/docs/howto/templated_secrets.rst b/docs/howto/templated_secrets.rst index ace53ec..5cb026b 100644 --- a/docs/howto/templated_secrets.rst +++ b/docs/howto/templated_secrets.rst @@ -1,6 +1,10 @@ Make a secret point to dynamic content ====================================== +.. warning:: + + This feature will be removed from Vault-CLI in the next major version. + With ``vault-cli``, it's possible to have secret values be Jinja2_ templates. This is useful if you have multiple related secrets that you would like to retrieve as a single string. diff --git a/tests/unit/test_client_base.py b/tests/unit/test_client_base.py index 481cc16..cce3f36 100644 --- a/tests/unit/test_client_base.py +++ b/tests/unit/test_client_base.py @@ -522,6 +522,13 @@ def test_vault_client_base_get_secret(vault, vault_contents, expected): assert vault.get_secret("a") == expected +def test_vault_client_base_get_secret_deprecation_warning(vault): + vault.db = {"a": {"value": "!template!b"}} + + with pytest.warns(DeprecationWarning): + assert vault.get_secret("a") == {"value": "b"} + + def test_vault_client_base_get_secret_template_root(vault): vault.base_path = "base" vault.db = {"/base/a": {"value": '!template!{{ vault("a").value }} yay'}} diff --git a/vault_cli/client.py b/vault_cli/client.py index 17bd9c1..ffbfad1 100644 --- a/vault_cli/client.py +++ b/vault_cli/client.py @@ -2,6 +2,7 @@ import json import logging import pathlib +import warnings from typing import Dict, Iterable, List, Optional, Set, Tuple, Type, Union, cast import hvac # type: ignore @@ -520,6 +521,14 @@ def copy_secrets( template_prefix = "!template!" def _render_template_value(self, secret: types.JSONValue) -> types.JSONValue: + + warnings.warn( + DeprecationWarning( + "Templated values are deprecated and will be removed in the " + "following major versions." + ) + ) + if isinstance(secret, dict): return {k: self._render_template_value(v) for k, v in secret.items()} if not isinstance(secret, str):