lib/hiera/backend/vault_backend.rb in confidante-0.28.0.pre.15 vs lib/hiera/backend/vault_backend.rb in confidante-0.28.0.pre.16

- old
+ new

@@ -17,25 +17,34 @@
 vault_config = Backend.parse_answer(Config[:vault], scope)
 vault_address = vault_config[:address]
 vault_client = Vault::Client.new(address: vault_address)
- source = vault_config[:sources][0]
+ value = get_value(vault_client, key, vault_config[:sources])
- throw(:unsupported_secrets_engine) unless source[:engine] == 'kv'
+ Backend.parse_answer(value, scope)
+ end
- value = read_kv_value(vault_client, source, key)
+ def get_value(vault_client, key, sources)
+ found_source = sources.find do |source|
+ read_kv_value(vault_client, source, key)
+ end
- Backend.parse_answer(value, scope)
+ throw(:no_such_key) unless found_source
+
+ read_kv_value(vault_client, found_source, key)
 end
 def read_kv_value(vault_client, source, key)
- secret = vault_client.kv(source[:mount]).read(key)
- throw(:no_such_key) unless secret
+ throw(:unsupported_secrets_engine) unless source[:engine] == 'kv'
- value = secret.data[:value]
- throw(:no_such_key) unless value
- value
+ mount = source[:mount]
+ full_path = "#{source[:path]}/#{key}"
+
+ secret = vault_client.kv(mount).read(full_path)
+ return nil unless secret
+
+ secret.data[:value]
 end
 end
 # rubocop:enable Naming/ClassAndModuleCamelCase
 end
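Review bot: `get_value` reads the matching source from Vault twice, once inside `sources.find` and again after it, so every successful lookup costs two requests (and two audit-log entries) and the value returned is not the one that was tested. If the secret is removed or rotated between the two reads, the second call returns nil and the caller passes nil to `Backend.parse_answer` instead of throwing `:no_such_key`. Returning the first non-nil value from a single pass over the sources, then throwing `:no_such_key`, avoids both. Separately, in `read_kv_value` a source without `:path` produces a path with a leading slash (`"/#{key}"`), which is presumably not what a mount-only source entry expects; a guard or a documented requirement for `:path` would help. The method holding the first lines of the hunk starts above it.

```ruby
def get_value(vault_client, key, sources)
  # Single pass: each source is read at most once, and the value that was
  # tested is the value that is returned.
  sources.each do |source|
    value = read_kv_value(vault_client, source, key)
    return value unless value.nil?
  end

  throw(:no_such_key)
end
# … unchanged: read_kv_value …
```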