Feature/vault refactoring (#3113)

* refactor vault code

* adjust generator

* wip: fix tests

* regenerate influxdb

* fix test

* add another test

* fix test & docs

* fix formatting

* Minorupdate and fixes

Co-authored-by: Kevin Stiehl <kevin.stiehl@numericas.de>
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>

cmd/abapEnvironmentCreateSystem_generated.go

@@ -169,9 +169,9 @@ func abapEnvironmentCreateSystemMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -190,9 +190,9 @@ func abapEnvironmentCreateSystemMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/artifactPrepareVersion_generated.go

@@ -368,9 +368,9 @@ func artifactPrepareVersionMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "gitHttpsCredentialVaultSecretName",
-								Paths: []string{"$(vaultPath)/gitHttpsCredential", "$(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential", "$(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "gitHttpsCredential",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -425,9 +425,9 @@ func artifactPrepareVersionMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "gitHttpsCredentialVaultSecretName",
-								Paths: []string{"$(vaultPath)/gitHttpsCredential", "$(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential", "$(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "gitHttpsCredential",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/checkmarxExecuteScan_generated.go

@@ -380,9 +380,9 @@ func checkmarxExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "checkmarxVaultSecretName",
-								Paths: []string{"$(vaultPath)/checkmarx", "$(vaultBasePath)/$(vaultPipelineName)/checkmarx", "$(vaultBasePath)/GROUP-SECRETS/checkmarx"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "checkmarx",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -464,9 +464,9 @@ func checkmarxExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "checkmarxVaultSecretName",
-								Paths: []string{"$(vaultPath)/checkmarx", "$(vaultBasePath)/$(vaultPipelineName)/checkmarx", "$(vaultBasePath)/GROUP-SECRETS/checkmarx"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "checkmarx",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/cloudFoundryCreateServiceKey_generated.go

@@ -153,9 +153,9 @@ func cloudFoundryCreateServiceKeyMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -174,9 +174,9 @@ func cloudFoundryCreateServiceKeyMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/cloudFoundryCreateService_generated.go

@@ -172,9 +172,9 @@ func cloudFoundryCreateServiceMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -193,9 +193,9 @@ func cloudFoundryCreateServiceMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/cloudFoundryDeleteService_generated.go

@@ -150,9 +150,9 @@ func cloudFoundryDeleteServiceMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -171,9 +171,9 @@ func cloudFoundryDeleteServiceMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/cloudFoundryDeploy_generated.go

@@ -478,9 +478,9 @@ func cloudFoundryDeployMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -526,9 +526,9 @@ func cloudFoundryDeployMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "cloudfoundryVaultSecretName",
-								Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "cloudfoundry-$(org)-$(space)",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/cnbBuild_generated.go

@@ -229,9 +229,8 @@ func cnbBuildMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name: "",
-								Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"},
+								Type: "vaultSecretFile",
-								Type:  "vaultSecretFile",
 							},
 						},
 						Scope:     []string{"PARAMETERS"},

cmd/detectExecuteScan_generated.go

@@ -229,9 +229,9 @@ func detectExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "detectVaultSecretName",
-								Paths: []string{"$(vaultPath)/detect", "$(vaultBasePath)/$(vaultPipelineName)/detect", "$(vaultBasePath)/GROUP-SECRETS/detect"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "detect",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/fortifyExecuteScan_generated.go

@@ -329,9 +329,9 @@ func fortifyExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "fortifyVaultSecretName",
-								Paths: []string{"$(vaultPath)/fortify", "$(vaultBasePath)/$(vaultPipelineName)/fortify", "$(vaultBasePath)/GROUP-SECRETS/fortify"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "fortify",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -367,9 +367,9 @@ func fortifyExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/githubCheckBranchProtection_generated.go

@@ -215,9 +215,9 @@ func githubCheckBranchProtectionMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/githubCommentIssue_generated.go

@@ -195,9 +195,9 @@ func githubCommentIssueMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/githubCreateIssue_generated.go

@@ -204,9 +204,9 @@ func githubCreateIssueMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/githubCreatePullRequest_generated.go

@@ -243,9 +243,9 @@ func githubCreatePullRequestMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/githubPublishRelease_generated.go

@@ -283,9 +283,9 @@ func githubPublishReleaseMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/githubSetCommitStatus_generated.go

@@ -240,9 +240,9 @@ func githubSetCommitStatusMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/influxWriteData_generated.go

@@ -143,9 +143,9 @@ func influxWriteDataMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "influxVaultSecretName",
-								Paths: []string{"$(vaultPath)/influxdb", "$(vaultBasePath)/$(vaultPipelineName)/influxdb", "$(vaultBasePath)/GROUP-SECRETS/influxdb"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "influxdb",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/kanikoExecute_generated.go

@@ -260,9 +260,9 @@ func kanikoExecuteMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "dockerConfigFileVaultSecretName",
-								Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"},
+								Type:    "vaultSecretFile",
-								Type:  "vaultSecretFile",
+								Default: "docker-config",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/kubernetesDeploy_generated.go

@@ -370,9 +370,9 @@ func kubernetesDeployMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "kubeConfigFileSecretName",
-								Paths: []string{"$(vaultPath)/kube-config", "$(vaultBasePath)/$(vaultPipelineName)/kube-config", "$(vaultBasePath)/GROUP-SECRETS/kube-config"},
+								Type:    "vaultSecretFile",
-								Type:  "vaultSecretFile",
+								Default: "kube-config",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},
@@ -436,9 +436,8 @@ func kubernetesDeployMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name: "dockerConfigFileVaultSecretName",
-								Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"},
+								Type: "vaultSecretFile",
-								Type:  "vaultSecretFile",
 							},
 						},
 						Scope:     []string{"PARAMETERS"},

cmd/mavenBuild_generated.go

@@ -244,9 +244,9 @@ func mavenBuildMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "altDeploymentRepositoryPasswordFileVaultSecretName",
-								Paths: []string{"$(vaultPath)/alt-deployment-repository-passowrd", "$(vaultBasePath)/$(vaultPipelineName)/alt-deployment-repository-passowrd", "$(vaultBasePath)/GROUP-SECRETS/alt-deployment-repository-passowrd"},
+								Type:    "vaultSecretFile",
-								Type:  "vaultSecretFile",
+								Default: "alt-deployment-repository-passowrd",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

cmd/protecodeExecuteScan_generated.go

@@ -268,9 +268,9 @@ func protecodeExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "dockerConfigFileVaultSecretName",
-								Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"},
+								Type:    "vaultSecretFile",
-								Type:  "vaultSecretFile",
+								Default: "docker-config",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -379,9 +379,9 @@ func protecodeExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "protecodeVaultSecretName",
-								Paths: []string{"$(vaultPath)/protecode", "$(vaultBasePath)/$(vaultPipelineName)/protecode", "$(vaultBasePath)/GROUP-SECRETS/protecode"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "protecode",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -400,9 +400,9 @@ func protecodeExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "protecodeVaultSecretName",
-								Paths: []string{"$(vaultPath)/protecode", "$(vaultBasePath)/$(vaultPipelineName)/protecode", "$(vaultBasePath)/GROUP-SECRETS/protecode"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "protecode",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/sonarExecuteScan_generated.go

@@ -241,9 +241,9 @@ func sonarExecuteScanMetadata() config.StepData {
 						Name: "token",
 						ResourceRef: []config.ResourceReference{
 							{
-								Name:  "",
+								Name:    "sonarSecretName",
-								Paths: []string{"$(vaultPath)/sonar", "$(vaultBasePath)/$(vaultPipelineName)/sonar", "$(vaultBasePath)/GROUP-SECRETS/sonar"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "sonar",
 							},
 
 							{
@@ -452,9 +452,9 @@ func sonarExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "githubVaultSecretName",
-								Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "github",
 							},
 						},
 						Scope:     []string{"PARAMETERS"},

cmd/terraformExecute_generated.go

@@ -125,9 +125,9 @@ func terraformExecuteMetadata() config.StepData {
 						Name: "terraformSecrets",
 						ResourceRef: []config.ResourceReference{
 							{
-								Name:  "",
+								Name:    "terraformExecuteFileVaultSecret",
-								Paths: []string{"$(vaultPath)/terraformExecute", "$(vaultBasePath)/$(vaultPipelineName)/terraformExecute", "$(vaultBasePath)/GROUP-SECRETS/terraformExecute"},
+								Type:    "vaultSecretFile",
-								Type:  "vaultSecretFile",
+								Default: "terraformExecute",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/vaultRotateSecretId_generated.go

@@ -151,9 +151,9 @@ func vaultRotateSecretIdMetadata() config.StepData {
 						Name: "jenkinsUrl",
 						ResourceRef: []config.ResourceReference{
 							{
-								Name:  "",
+								Name:    "jenkinsVaultSecret",
-								Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "jenkins",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -175,9 +175,9 @@ func vaultRotateSecretIdMetadata() config.StepData {
 						Name: "jenkinsUsername",
 						ResourceRef: []config.ResourceReference{
 							{
-								Name:  "",
+								Name:    "jenkinsVaultSecret",
-								Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "jenkins",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -190,9 +190,9 @@ func vaultRotateSecretIdMetadata() config.StepData {
 						Name: "jenkinsToken",
 						ResourceRef: []config.ResourceReference{
 							{
-								Name:  "",
+								Name:    "jenkinsVaultSecret",
-								Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "jenkins",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},
@@ -250,9 +250,8 @@ func vaultRotateSecretIdMetadata() config.StepData {
 						Name: "adoPersonalAccessToken",
 						ResourceRef: []config.ResourceReference{
 							{
-								Name:  "",
+								Name: "",
-								Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"},
+								Type: "vaultSecret",
-								Type:  "vaultSecret",
 							},
 						},
 						Scope:     []string{"PARAMETERS", "STAGES", "STEPS"},

cmd/whitesourceExecuteScan_generated.go

@@ -614,9 +614,9 @@ func whitesourceExecuteScanMetadata() config.StepData {
 							},
 
 							{
-								Name:  "",
+								Name:    "whitesourceVaultSecret",
-								Paths: []string{"$(vaultPath)/whitesource", "$(vaultBasePath)/$(vaultPipelineName)/whitesource", "$(vaultBasePath)/GROUP-SECRETS/whitesource"},
+								Type:    "vaultSecret",
-								Type:  "vaultSecret",
+								Default: "whitesource",
 							},
 						},
 						Scope:     []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},

pkg/config/config.go

@@ -191,7 +191,7 @@ func (c *Config) GetStepConfig(flagValues map[string]interface{}, paramJSON stri
 		stepConfig.mixIn(def.General, filters.General)
 		stepConfig.mixIn(def.Steps[stepName], filters.Steps)
 		stepConfig.mixIn(def.Stages[stageName], filters.Steps)
-		stepConfig.mixinVaultConfig(def.General, def.Steps[stepName], def.Stages[stageName])
+		stepConfig.mixinVaultConfig(parameters, def.General, def.Steps[stepName], def.Stages[stageName])
 		stepConfig.mixInHookConfig(def.Hooks)
 	}
 
@@ -233,7 +233,7 @@ func (c *Config) GetStepConfig(flagValues map[string]interface{}, paramJSON stri
 		log.Entry().Warnf("invalid value for parameter verbose: '%v'", stepConfig.Config["verbose"])
 	}
 
-	stepConfig.mixinVaultConfig(c.General, c.Steps[stepName], c.Stages[stageName])
+	stepConfig.mixinVaultConfig(parameters, c.General, c.Steps[stepName], c.Stages[stageName])
 	// check whether vault should be skipped
 	if skip, ok := stepConfig.Config["skipVault"].(bool); !ok || !skip {
 		// fetch secrets from vault

pkg/config/stepmeta.go

@@ -61,11 +61,11 @@ type StepParameters struct {
 
 // ResourceReference defines the parameters of a resource reference
 type ResourceReference struct {
-	Name    string   `json:"name"`
+	Name    string  `json:"name"`
-	Type    string   `json:"type,omitempty"`
+	Type    string  `json:"type,omitempty"`
-	Param   string   `json:"param,omitempty"`
+	Param   string  `json:"param,omitempty"`
-	Paths   []string `json:"paths,omitempty"`
+	Default string  `json:"default,omitempty"`
-	Aliases []Alias  `json:"aliases,omitempty"`
+	Aliases []Alias `json:"aliases,omitempty"`
 }
 
 // Alias defines a step input parameter alias
@@ -411,6 +411,23 @@ func (m *StepParameters) GetReference(refType string) *ResourceReference {
 	return nil
 }
 
+func getFilterForResourceReferences(params []StepParameters) []string {
+	var filter []string
+	for _, param := range params {
+		reference := param.GetReference("vaultSecret")
+		if reference == nil {
+			reference = param.GetReference("vaultSecretFile")
+		}
+		if reference == nil {
+			return filter
+		}
+		if reference.Name != "" {
+			filter = append(filter, reference.Name)
+		}
+	}
+	return filter
+}
+
 // HasReference checks whether StepData contains a parameter that has Reference with the given type
 func (m *StepData) HasReference(refType string) bool {
 	for _, param := range m.Spec.Inputs.Parameters {

pkg/config/vault.go

@@ -3,6 +3,7 @@ package config
 import (
 	"io/ioutil"
 	"os"
+	"path"
 	"regexp"
 	"strings"
 
@@ -13,27 +14,45 @@ import (
 )
 
 const (
-	vaultTestCredentialPath              = "vaultTestCredentialPath"
+	vaultRootPaths                      = "vaultRootPaths"
-	vaultTestCredentialKeys              = "vaultTestCredentialKeys"
+	vaultTestCredentialPath             = "vaultTestCredentialPath"
-	vaultTestCredentialEnvPrefix_Default = "PIPER_TESTCREDENTIAL_"
+	vaultTestCredentialKeys             = "vaultTestCredentialKeys"
+	vaultAppRoleID                      = "vaultAppRoleID"
+	vaultAppRoleSecretID                = "vaultAppRoleSecreId"
+	vaultServerUrl                      = "vaultServerUrl"
+	vaultNamespace                      = "vaultNamespace"
+	vaultBasePath                       = "vaultBasePath"
+	vaultPipelineName                   = "vaultPipelineName"
+	vaultPath                           = "vaultPath"
+	skipVault                           = "skipVault"
+	vaultDisableOverwrite               = "vaultDisableOverwrite"
+	vaultTestCredentialEnvPrefixDefault = "PIPER_TESTCREDENTIAL_"
 )
 
 var (
 	vaultFilter = []string{
-		"vaultAppRoleID",
+		vaultRootPaths,
-		"vaultAppRoleSecreId",
+		vaultAppRoleID,
-		"vaultServerUrl",
+		vaultAppRoleSecretID,
-		"vaultNamespace",
+		vaultServerUrl,
-		"vaultBasePath",
+		vaultNamespace,
-		"vaultPipelineName",
+		vaultBasePath,
-		"vaultPath",
+		vaultPipelineName,
-		"vaultTestCredentialEnvPrefix",
+		vaultPath,
-		"skipVault",
+		skipVault,
-		"vaultDisableOverwrite",
+		vaultDisableOverwrite,
 		vaultTestCredentialPath,
 		vaultTestCredentialKeys,
 	}
 
+	// VaultRootPaths are the lookup paths piper tries to use during the vault lookup.
+	// A path is only used if it's variables can be interpolated from the config
+	VaultRootPaths = []string{
+		"$(vaultPath)",
+		"$(vaultBasePath)/$(vaultPipelineName)",
+		"$(vaultBasePath)/GROUP-SECRETS",
+	}
+
 	// VaultSecretFileDirectory holds the directory for the current step run to temporarily store secret files fetched from vault
 	VaultSecretFileDirectory = ""
 )
@@ -51,9 +70,13 @@ type vaultClient interface {
 	MustRevokeToken()
 }
 
-func (s *StepConfig) mixinVaultConfig(configs ...map[string]interface{}) {
+func (s *StepConfig) mixinVaultConfig(parameters []StepParameters, configs ...map[string]interface{}) {
 	for _, config := range configs {
 		s.mixIn(config, vaultFilter)
+		// when an empty filter is returned we skip the mixin call since an empty filter will allow everything
+		if referencesFilter := getFilterForResourceReferences(parameters); len(referencesFilter) > 0 {
+			s.mixIn(config, referencesFilter)
+		}
 	}
 }
 
@@ -109,7 +132,7 @@ func resolveVaultReference(ref *ResourceReference, config *StepConfig, client va
 	}
 
 	var secretValue *string
-	for _, vaultPath := range ref.Paths {
+	for _, vaultPath := range getSecretReferencePaths(ref, config.Config) {
 		// it should be possible to configure the root path were the secret is stored
 		vaultPath, ok := interpolation.ResolveString(vaultPath, config.Config)
 		if !ok {
@@ -179,7 +202,7 @@ func populateTestCredentialsAsEnvs(config *StepConfig, secret map[string]string,
 
 	vaultTestCredentialEnvPrefix, ok := config.Config["vaultTestCredentialEnvPrefix"].(string)
 	if !ok || len(vaultTestCredentialEnvPrefix) == 0 {
-		vaultTestCredentialEnvPrefix = vaultTestCredentialEnvPrefix_Default
+		vaultTestCredentialEnvPrefix = vaultTestCredentialEnvPrefixDefault
 	}
 	for secretKey, secretValue := range secret {
 		for _, key := range keys {
@@ -284,3 +307,28 @@ func lookupPath(client vaultClient, path string, param *StepParameters) *string
 	}
 	return nil
 }
+
+func getSecretReferencePaths(reference *ResourceReference, config map[string]interface{}) []string {
+	retPaths := make([]string, 0, len(VaultRootPaths))
+	secretName := reference.Default
+	if providedName, ok := config[reference.Name].(string); ok && providedName != "" {
+		secretName = providedName
+	}
+	for _, rootPath := range VaultRootPaths {
+		fullPath := path.Join(rootPath, secretName)
+		retPaths = append(retPaths, fullPath)
+	}
+	return retPaths
+}
+
+func toStringSlice(interfaceSlice []interface{}) []string {
+	retSlice := make([]string, 0, len(interfaceSlice))
+	for _, vRaw := range interfaceSlice {
+		if v, ok := vRaw.(string); ok {
+			retSlice = append(retSlice, v)
+			continue
+		}
+		log.Entry().Warnf("'%s' needs to be of type string or an array of strings but got %T (%[2]v)", vaultPath, vRaw)
+	}
+	return retSlice
+}

pkg/config/vault_test.go

@@ -2,28 +2,44 @@ package config
 
 import (
 	"fmt"
+	"github.com/stretchr/testify/mock"
 	"io/ioutil"
 	"os"
+	"path"
 	"strings"
 	"testing"
 
 	"github.com/SAP/jenkins-library/pkg/config/mocks"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 )
 
 func TestVaultConfigLoad(t *testing.T) {
 	const secretName = "testSecret"
+	const secretNameOverrideKey = "mySecretVaultSecretName"
 	t.Parallel()
 	t.Run("Load secret from vault", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
+			"vaultPath": "team1",
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
 		vaultData := map[string]string{secretName: "value1"}
 
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil)
+		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
+		assert.Equal(t, "value1", stepConfig.Config[secretName])
+	})
+
+	t.Run("Load secret from vault with path override", func(t *testing.T) {
+		vaultMock := &mocks.VaultMock{}
+		stepConfig := StepConfig{Config: map[string]interface{}{
+			"vaultPath":           "team1",
+			secretNameOverrideKey: "overrideSecretName",
+		}}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
+		vaultData := map[string]string{secretName: "value1"}
+
+		vaultMock.On("GetKvSecret", path.Join("team1", "overrideSecretName")).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.Equal(t, "value1", stepConfig.Config[secretName])
 	})
@@ -31,13 +47,13 @@ func TestVaultConfigLoad(t *testing.T) {
 	t.Run("Secrets are not overwritten", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath":         "team1",
+			"vaultPath":             "team1",
 			secretName:              "preset value",
 			"vaultDisableOverwrite": true,
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
 		vaultData := map[string]string{secretName: "value1"}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 
 		assert.Equal(t, "preset value", stepConfig.Config[secretName])
@@ -46,12 +62,12 @@ func TestVaultConfigLoad(t *testing.T) {
 	t.Run("Secrets can be overwritten", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
+			"vaultPath": "team1",
-			secretName:      "preset value",
+			secretName:  "preset value",
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
 		vaultData := map[string]string{secretName: "value1"}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 
 		assert.Equal(t, "value1", stepConfig.Config[secretName])
@@ -60,10 +76,10 @@ func TestVaultConfigLoad(t *testing.T) {
 	t.Run("Error is passed through", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
+			"vaultPath": "team1",
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(nil, fmt.Errorf("test"))
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(nil, fmt.Errorf("test"))
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.Len(t, stepConfig.Config, 1)
 	})
@@ -71,10 +87,10 @@ func TestVaultConfigLoad(t *testing.T) {
 	t.Run("Secret doesn't exist", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
+			"vaultPath": "team1",
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(nil, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(nil, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.Len(t, stepConfig.Config, 1)
 	})
@@ -83,13 +99,13 @@ func TestVaultConfigLoad(t *testing.T) {
 		aliasName := "alias"
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
+			"vaultPath": "team1",
 		}}
-		param := stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")
+		param := stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)
 		addAlias(&param, aliasName)
 		stepParams := []StepParameters{param}
 		vaultData := map[string]string{aliasName: "value1"}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.Equal(t, "value1", stepConfig.Config[secretName])
 	})
@@ -97,37 +113,23 @@ func TestVaultConfigLoad(t *testing.T) {
 	t.Run("Search over multiple paths", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
+			"vaultBasePath": "team2",
+			"vaultPath":     "team1",
 		}}
 		stepParams := []StepParameters{
-			stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA", "$(vaultBasePath)/pipelineB"),
+			stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName),
 		}
 		vaultData := map[string]string{secretName: "value1"}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(nil, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(nil, nil)
-		vaultMock.On("GetKvSecret", "team1/pipelineB").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team2/GROUP-SECRETS", secretName)).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.Equal(t, "value1", stepConfig.Config[secretName])
 	})
 
-	t.Run("Stop lookup when secret was found", func(t *testing.T) {
-		vaultMock := &mocks.VaultMock{}
-		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
-		}}
-		stepParams := []StepParameters{
-			stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA", "$(vaultBasePath)/pipelineB"),
-		}
-		vaultData := map[string]string{secretName: "value1"}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
-		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
-		assert.Equal(t, "value1", stepConfig.Config[secretName])
-		vaultMock.AssertNotCalled(t, "GetKvSecret", "team1/pipelineB")
-	})
-
 	t.Run("No BasePath is stepConfig.Configured", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.Equal(t, nil, stepConfig.Config[secretName])
 		vaultMock.AssertNotCalled(t, "GetKvSecret", mock.AnythingOfType("string"))
@@ -136,14 +138,15 @@ func TestVaultConfigLoad(t *testing.T) {
 
 func TestVaultSecretFiles(t *testing.T) {
 	const secretName = "testSecret"
+	const secretNameOverrideKey = "mySecretVaultSecretName"
 	t.Run("Test Vault Secret File Reference", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
 			"vaultPath": "team1",
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", "$(vaultPath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", secretNameOverrideKey, secretName)}
 		vaultData := map[string]string{secretName: "value1"}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.NotNil(t, stepConfig.Config[secretName])
 		path := stepConfig.Config[secretName].(string)
@@ -161,10 +164,10 @@ func TestVaultSecretFiles(t *testing.T) {
 		stepConfig := StepConfig{Config: map[string]interface{}{
 			"vaultPath": "team1",
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", "$(vaultPath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", secretNameOverrideKey, secretName)}
 		vaultData := map[string]string{secretName: "value1"}
 		assert.NoDirExists(t, VaultSecretFileDirectory)
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.NotNil(t, stepConfig.Config[secretName])
 		path := stepConfig.Config[secretName].(string)
@@ -191,7 +194,7 @@ func TestMixinVault(t *testing.T) {
 		"unknownConfig":  "test",
 	}
 
-	config.mixinVaultConfig(general, steps)
+	config.mixinVaultConfig(nil, general, steps)
 
 	assert.Contains(t, config.Config, "vaultServerUrl")
 	assert.Equal(t, vaultServerUrl, config.Config["vaultServerUrl"])
@@ -201,14 +204,15 @@ func TestMixinVault(t *testing.T) {
 
 }
 
-func stepParam(name string, refType string, refPaths ...string) StepParameters {
+func stepParam(name, refType, vaultSecretNameProperty, defaultSecretNameName string) StepParameters {
 	return StepParameters{
 		Name:    name,
 		Aliases: []Alias{},
 		ResourceRef: []ResourceReference{
 			{
-				Type:  refType,
+				Type:    refType,
-				Paths: refPaths,
+				Name:    vaultSecretNameProperty,
+				Default: defaultSecretNameName,
 			},
 		},
 	}

pkg/documentation/generator/parameters.go

@@ -2,6 +2,7 @@ package generator
 
 import (
 	"fmt"
+	"path"
 	"sort"
 	"strings"
 
@@ -271,8 +272,8 @@ func addVaultResourceDetails(resource config.ResourceReference, resourceDetails
 	if resource.Type == "vaultSecret" {
 		resourceDetails += "<br/>Vault paths: <br />"
 		resourceDetails += "<ul>"
-		for _, path := range resource.Paths[0:1] {
+		for _, rootPath := range config.VaultRootPaths {
-			resourceDetails += fmt.Sprintf("<li>`%s`</li>", path)
+			resourceDetails += fmt.Sprintf("<li>`%s`</li>", path.Join(rootPath, resource.Default))
 		}
 		resourceDetails += "</ul>"
 	}

pkg/generator/helper/helper.go

@@ -172,11 +172,11 @@ func {{.FlagsFunc}}(cmd *cobra.Command, stepConfig *{{.StepName}}Options) {
 								{{- if .Param }}
 								Param: "{{ .Param }}",
 								{{- end }}
-								{{- if  gt (len .Paths) 0 }}
-								Paths:  []string{{ "{" }}{{ range $_, $path := .Paths }}"{{$path}}",{{ end }}{{"}"}},
-								{{- end }}
 								{{- if .Type }}
 								Type: "{{ .Type }}",
+								{{- if .Default }}
+								Default: "{{ .Default }}",
+								{{- end}}
 								{{- end }}
 							{{ "}" }},
 							{{- nindent 24 ""}}

resources/metadata/abapEnvironmentCreateSystem.yaml

@@ -39,10 +39,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            name: cloudfoundryVaultSecretName
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: password
         type: string
         description: Password for Cloud Foundry User
@@ -57,10 +55,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            name: cloudfoundryVaultSecretName
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: cfOrg
         type: string
         description: Cloud Foundry org

resources/metadata/checkmarx.yaml

@@ -95,10 +95,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            name: checkmarxVaultSecretName
-              - $(vaultPath)/checkmarx
+            default: checkmarx
-              - $(vaultBasePath)/$(vaultPipelineName)/checkmarx
-              - $(vaultBasePath)/GROUP-SECRETS/checkmarx
       - name: preset
         type: string
         description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`
@@ -177,10 +175,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            name: checkmarxVaultSecretName
-              - $(vaultPath)/checkmarx
+            default: checkmarx
-              - $(vaultBasePath)/$(vaultPipelineName)/checkmarx
-              - $(vaultBasePath)/GROUP-SECRETS/checkmarx
       - name: verifyOnly
         type: bool
         description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle

resources/metadata/cloudFoundryCreateService.yaml

@@ -47,10 +47,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            name: cloudfoundryVaultSecretName
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: password
         type: string
         description: Password for Cloud Foundry User
@@ -65,10 +63,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            name: cloudfoundryVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: cfOrg
         type: string
         description: Cloud Foundry org

resources/metadata/cloudFoundryCreateServiceKey.yaml

@@ -35,10 +35,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            name: cloudfoundryVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: password
         type: string
         description: User Password for CF User
@@ -53,10 +51,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            name: cloudfoundryVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: cfOrg
         type: string
         description: CF org

resources/metadata/cloudFoundryDeleteService.yaml

@@ -35,10 +35,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            name: cloudfoundryVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: password
         type: string
         description: User Password for CF User
@@ -53,10 +51,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            name: cloudfoundryVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: cfOrg
         type: string
         description: CF org

resources/metadata/cloudFoundryDeploy.yaml

@@ -321,10 +321,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            name: cloudfoundryVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
       - name: smokeTestScript
         type: string
         description:
@@ -376,10 +374,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            default: cloudfoundry-$(org)-$(space)
-              - $(vaultPath)/cloudfoundry-$(org)-$(space)
+            name: cloudfoundryVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)
-              - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)
   containers:
     - name: cfDeploy
       image: ppiper/cf-cli:6

resources/metadata/detect.yaml

@@ -35,10 +35,8 @@ spec:
           - name: detectTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            name: detectVaultSecretName
-              - $(vaultPath)/detect
+            default: detect
-              - $(vaultBasePath)/$(vaultPipelineName)/detect
-              - $(vaultBasePath)/GROUP-SECRETS/detect
         scope:
           - PARAMETERS
           - STAGES

resources/metadata/fortify.yaml

@@ -57,10 +57,8 @@ spec:
           - name: fortifyCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            name: fortifyVaultSecretName
-              - $(vaultPath)/fortify
+            default: fortify
-              - $(vaultBasePath)/$(vaultPipelineName)/fortify
-              - $(vaultBasePath)/GROUP-SECRETS/fortify
       - name: buildDescriptorExcludeList
         type: "[]string"
         description: "List of build descriptors and therefore modules to exclude from the scan and assessment activities."
@@ -97,10 +95,8 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            default: github
-              - $(vaultPath)/github
+            name: githubVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github
       - name: autoCreate
         type: bool
         description:

resources/metadata/githubbranchprotection.yaml

@@ -97,7 +97,5 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            default: github
-              - $(vaultPath)/github
+            name: githubVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github

resources/metadata/githubcommentissue.yaml

@@ -84,7 +84,5 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            default: github
-              - $(vaultPath)/github
+            name: githubVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github

resources/metadata/githubcreateissue.yaml

@@ -89,7 +89,5 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            default: github
-              - $(vaultPath)/github
+            name: githubVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github

resources/metadata/githubcreatepr.yaml

@@ -118,10 +118,8 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            default: github
-              - $(vaultPath)/github
+            name: githubVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github
       - name: labels
         description: Labels to be added to the pull request.
         scope:

resources/metadata/githubrelease.yaml

@@ -146,10 +146,8 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            default: github
-              - $(vaultPath)/github
+            name: githubVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github
       - name: uploadUrl
         aliases:
           - name: githubUploadUrl

resources/metadata/githubstatus.yaml

@@ -119,7 +119,5 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            default: github
-              - $(vaultPath)/github
+            name: githubVaultSecretName
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github

resources/metadata/influx.yaml

@@ -32,10 +32,8 @@ spec:
           - name: influxAuthTokenId
             type: secret
           - type: vaultSecret
-            paths:
+            name: influxVaultSecretName
-              - $(vaultPath)/influxdb
+            default: influxdb
-              - $(vaultBasePath)/$(vaultPipelineName)/influxdb
-              - $(vaultBasePath)/GROUP-SECRETS/influxdb
       - name: bucket
         type: string
         description: Name of database (1.8) or bucket (2.0)

resources/metadata/kaniko.yaml

@@ -100,10 +100,8 @@ spec:
           - name: dockerConfigJsonCredentialsId
             type: secret
           - type: vaultSecretFile
-            paths:
+            name: dockerConfigFileVaultSecretName
-              - $(vaultPath)/docker-config
+            default: docker-config
-              - $(vaultBasePath)/$(vaultPipelineName)/docker-config
-              - $(vaultBasePath)/GROUP-SECRETS/docker-config
       - name: dockerfilePath
         aliases:
           - name: dockerfile

resources/metadata/kubernetesdeploy.yaml

@@ -245,10 +245,8 @@ spec:
           - name: kubeConfigFileCredentialsId
             type: secret
           - type: vaultSecretFile
-            paths:
+            name: kubeConfigFileSecretName
-              - $(vaultPath)/kube-config
+            default: kube-config
-              - $(vaultBasePath)/$(vaultPipelineName)/kube-config
-              - $(vaultBasePath)/GROUP-SECRETS/kube-config
       - name: kubeContext
         type: string
         description: Defines the context to use from the \"kubeconfig\" file.
@@ -300,10 +298,7 @@ spec:
           - name: dockerConfigJsonCredentialsId
             type: secret
           - type: vaultSecretFile
-            paths:
+            name: dockerConfigFileVaultSecretName
-              - $(vaultPath)/docker-config
-              - $(vaultBasePath)/$(vaultPipelineName)/docker-config
-              - $(vaultBasePath)/GROUP-SECRETS/docker-config
   containers:
     - image: dtzar/helm-kubectl:3.4.1
       workingDir: /config

resources/metadata/mavenBuild.yaml

@@ -115,10 +115,8 @@ spec:
           - name: altDeploymentRepositoryPasswordId
             type: secret
           - type: vaultSecretFile
-            paths:
+            name: altDeploymentRepositoryPasswordFileVaultSecretName
-              - $(vaultPath)/alt-deployment-repository-passowrd
+            default: alt-deployment-repository-passowrd
-              - $(vaultBasePath)/$(vaultPipelineName)/alt-deployment-repository-passowrd
-              - $(vaultBasePath)/GROUP-SECRETS/alt-deployment-repository-passowrd
       - name: altDeploymentRepositoryUser
         type: string
         description: User for the alternative deployment repository to which the project artifacts should be deployed ( other than those specified in <distributionManagement> ). This user will be updated in settings.xml . When no settings.xml is provided a new one is created corresponding with <servers> tag

resources/metadata/protecode.yaml

@@ -75,10 +75,8 @@ spec:
           - name: dockerConfigJsonCredentialsId
             type: secret
           - type: vaultSecretFile
-            paths:
+            name: dockerConfigFileVaultSecretName
-              - $(vaultPath)/docker-config
+            default: docker-config
-              - $(vaultBasePath)/$(vaultPipelineName)/docker-config
-              - $(vaultBasePath)/GROUP-SECRETS/docker-config
       - name: cleanupMode
         type: string
         description: Decides which parts are removed from the Protecode backend after the scan
@@ -187,10 +185,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            name: protecodeVaultSecretName
-              - $(vaultPath)/protecode
+            default: protecode
-              - $(vaultBasePath)/$(vaultPipelineName)/protecode
-              - $(vaultBasePath)/GROUP-SECRETS/protecode
       - name: password
         type: string
         description: Password which is used for the user
@@ -205,10 +201,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            name: protecodeVaultSecretName
-              - $(vaultPath)/protecode
+            default: protecode
-              - $(vaultBasePath)/$(vaultPipelineName)/protecode
-              - $(vaultBasePath)/GROUP-SECRETS/protecode
       - name: version
         aliases:
           - name: artifactVersion

resources/metadata/sonar.yaml

@@ -42,10 +42,8 @@ spec:
         secret: true
         resourceRef:
           - type: vaultSecret
-            paths:
+            name: sonarSecretName
-              - $(vaultPath)/sonar
+            default: sonar
-              - $(vaultBasePath)/$(vaultPipelineName)/sonar
-              - $(vaultBasePath)/GROUP-SECRETS/sonar
           - name: sonarTokenCredentialsId
             type: secret
         aliases:
@@ -226,10 +224,8 @@ spec:
           - name: githubTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            name: githubVaultSecretName
-              - $(vaultPath)/github
+            default: github
-              - $(vaultBasePath)/$(vaultPipelineName)/github
-              - $(vaultBasePath)/GROUP-SECRETS/github
       - name: disableInlineComments
         type: bool
         description: "Pull-Request only: Disables the pull-request decoration with inline comments.

resources/metadata/terraformExecute.yaml

@@ -21,10 +21,8 @@ spec:
         type: string
         resourceRef:
           - type: vaultSecretFile
-            paths:
+            name: terraformExecuteFileVaultSecret
-              - $(vaultPath)/terraformExecute
+            default: terraformExecute
-              - $(vaultBasePath)/$(vaultPipelineName)/terraformExecute
-              - $(vaultBasePath)/GROUP-SECRETS/terraformExecute
       - name: additionalArgs
         type: "[]string"
         scope:

resources/metadata/vaultRotateSecretId.yaml

@@ -26,10 +26,8 @@ spec:
         secret: true
         resourceRef:
           - type: vaultSecret
-            paths:
+            name: jenkinsVaultSecret
-              - $(vaultPath)/jenkins
+            default: jenkins
-              - $(vaultBasePath)/$(vaultPipelineName)/jenkins
-              - $(vaultBasePath)/GROUP-SECRETS/jenkins
         aliases:
           - name: url
       - name: jenkinsCredentialDomain
@@ -52,10 +50,8 @@ spec:
           - name: userId
         resourceRef:
           - type: vaultSecret
-            paths:
+            name: jenkinsVaultSecret
-              - $(vaultPath)/jenkins
+            default: jenkins
-              - $(vaultBasePath)/$(vaultPipelineName)/jenkins
-              - $(vaultBasePath)/GROUP-SECRETS/jenkins
       - name: jenkinsToken
         type: string
         description: "The jenkins token"
@@ -68,10 +64,8 @@ spec:
           - name: token
         resourceRef:
           - type: vaultSecret
-            paths:
+            name: jenkinsVaultSecret
-              - $(vaultPath)/jenkins
+            default: jenkins
-              - $(vaultBasePath)/$(vaultPipelineName)/jenkins
-              - $(vaultBasePath)/GROUP-SECRETS/jenkins
       - name: vaultAppRoleSecretTokenCredentialsId
         type: string
         description: The Jenkins credential ID or Azure DevOps variable name for the Vault AppRole Secret ID credential

resources/metadata/versioning.yaml

@@ -198,10 +198,8 @@ spec:
             type: secret
             param: password
           - type: vaultSecret
-            paths:
+            name: gitHttpsCredentialVaultSecretName
-              - $(vaultPath)/gitHttpsCredential
+            default: gitHttpsCredential
-              - $(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential
-              - $(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential
       - name: projectSettingsFile
         aliases:
           - name: maven/projectSettingsFile
@@ -247,10 +245,8 @@ spec:
             type: secret
             param: username
           - type: vaultSecret
-            paths:
+            name: gitHttpsCredentialVaultSecretName
-              - $(vaultPath)/gitHttpsCredential
+            default: gitHttpsCredential
-              - $(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential
-              - $(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential
       - name: versioningTemplate
         type: string
         description: "DEPRECATED: Defines the template for the automatic version which will be created"

resources/metadata/whitesource.yaml

@@ -360,10 +360,8 @@ spec:
           - name: userTokenCredentialsId
             type: secret
           - type: vaultSecret
-            paths:
+            name: whitesourceVaultSecret
-              - $(vaultPath)/whitesource
+            default: whitesource
-              - $(vaultBasePath)/$(vaultPipelineName)/whitesource
-              - $(vaultBasePath)/GROUP-SECRETS/whitesource
       - name: versioningModel
         type: string
         description: "The default project versioning model used in case `projectVersion` parameter is