vault_client: add support to 'vault kv get' for the vault_client (#642)

This commit adds support to 'vault kv get' for the 'vault_client' extension to
make the consumption of secrets from Vault K/V version 2 convenient.

There is a difference in the JSON structure of K/V version 1 (a.k.a 'generic')
and K/V version 2 responses returned when reading secrets.

Version 1
```
{
  "auth": null,
  "data": {
    "foo": "bar",
    "ttl": "1h"
  },
  "lease_duration": 3600,
  "lease_id": "",
  "renewable": false
}
```

Version 2
```
{
  "data": {
    "data": {
      "foo": "bar"
    },
    "metadata": {
      "created_time": "2018-03-22T02:24:06.945319214Z",
      "custom_metadata": {
        "owner": "jdoe",
        "mission_critical": "false"
      },
      "deletion_time": "",
      "destroyed": false,
      "version": 2
    }
  }
}
```

Note the nested 'data.data' in version 2's response.

This difference makes the usability of 'vault read' impractical for version 2
secrets when compared to 'vault kv get'.

As 'vault kv get' knows how to unwrap the nested 'data' blocks, we can access
the values of secrets directly.

```
vault kv get -mount=<MY-MOUNT> -field=<MY-FIELD> <MY-PATH>
<MY-SECRET-VALUE>
```

However, when reading the same secret with 'vault read', we get the following
structure.

```
❯ vault read <MY-MOUNT>/data/<MY-PATH>
Key         Value
---         -----
data        map[<MY-FIELD>:<MY-SECRET-VALUE>]
metadata    map[created_time:2025-08-06T13:23:08.155132764Z custom_metadata:<nil> deletion_time: destroyed:false version:2]

❯ vault read -field=data <MY-MOUNT>/data/<MY-PATH>
map[<MY-FIELD>:<MY-SECRET-VALUE>]
```

To be able to the the actual value of '<MY-SECRET-VALUE>' we need to parse the
output from 'vault read' and that's far from being convenient.

References:

* https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#sample-response-1
* https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#sample-response

Signed-off-by: Diogo Kiss <[email protected]>

Author: diogokiss

README.md

@@ -59,7 +59,7 @@ All extensions have been vetted and approved by the Tilt team.
 - [`tests`](/tests): Some common configurations for running your tests in Tilt.
 - [`tilt_inspector`](/tilt_inspector): Debugging server for exploring internal Tilt state.
 - [`uibutton`](/uibutton): Customize your Tilt dashboard with [buttons to run a command](https://blog.tilt.dev/2021/06/21/uibutton.html).
-- [`vault_client`](/vault_client): Reach secrets from a Vault instance.
+- [`vault_client`](/vault_client): Retrieve secrets from a Vault instance.
 - [`wait_for_it`](/wait_for_it): Wait until command output is equal to given output.
 - [`base64`](/base64): Base64 encode or decode a string.
 - [`yarn`](/yarn): Create Tilt resources from package.json scripts in a yarn workspace.

vault_client/README.md

@@ -2,32 +2,46 @@
 
 Author: [Ismael Fernandez](https://github.com/ismferd)
 
-The purpose of this extension is to easily fetch secrets from a [Vault](https://www.vaultproject.io/) instance
+Contributors:
 
-You will be able to reach vault and get your secrets using a token
+- [Diogo Kiss](https://github.com/diogokiss)
+
+The purpose of this extension is to easily fetch secrets from a [Vault](https://www.vaultproject.io/) instance.
+
+It allows you to reach Vault and read your secrets using a Vault token.
 
 ## Requirements
 
-- `Vault cli`
+- [Vault CLI](https://developer.hashicorp.com/vault/install)
 
 ## Functions
 
 ### `vault_set_env_vars(vault_addr: str, vault_token: str)`
 
-Set up the `VAULT_ADDR`and the `VAULT_TOKEN` as envvars.
+Set up the `VAULT_ADDR` and `VAULT_TOKEN` environment variables.
 
 ### `vault_read_secret(path: str, field: str) return str`
 
-Return the value of your secret.
+> [!IMPORTANT]
+> This function is not recommended for use with Vault's KV secrets engine version 2.
+
+Return the value of the secret field specified by the given `path` and `field`.
+This function is a wrapper around the `vault read` command.
+
+### `vault_kv_get(path, field, mount=None) return str`
 
-Under the hood, it is doing te command `vault read -field=$fiel $path"`
+> [!IMPORTANT]
+> Prefer this function if you are using Vault's KV secrets engine.
+> In particular, if you are using K/V version 2.
+
+Return the value of the secret field specified by the given `field`, `path`, and `mount`.
+This function is a wrapper around the `vault kv get` command.
 
 ## Example Usage
 
-```
-load('ext://vault_client', 'vault_read_secret', 'vault_set_env_vars')
+```python
+load('ext://vault_client', 'vault_read_secret', 'vault_set_env_vars', 'vault_kv_get')
 vault_set_env_vars('https://localhost:8200','mytoken')
-my_foo = vault_read_secret('path/myfoo', 'value')
-my_bar = vault_read_secret('path/mybar', 'foobar')
+my_foo = vault_read_secret('path/myfoo', 'secret')
+my_bar = vault_kv_get('path/mybar', 'secret', mount='mymount')
 ```
-

vault_client/Tiltfile

@@ -1,6 +1,10 @@
 def vault_read_secret(path, field):
     return local("vault read -field={} {}".format(field, path), quiet=True)
 
+def vault_kv_get(path, field, mount=None):
+    mount_param = "-mount={}".format(mount) if mount else ""
+    return local("vault kv get {} -field={} {}".format(mount_param, field, path), quiet=True)
+
 def vault_set_env_vars(vault_addr, vault_token):
     os.putenv('VAULT_ADDR', vault_addr)
     os.putenv('VAULT_TOKEN', vault_token)