[Bug]: VAULT_TOKEN and TLS environment variables missing from config.json (cannot be set via docker plugin set)

[imran-techvoyager]

🐛 Bug Description

Several environment variables used by the Vault and OpenBao providers are read
in the Go code but are not declared in config.json. Since Docker plugins only
accept variables explicitly declared there, these cannot be set via
docker plugin set, making token auth and TLS impossible to configure through
the normal plugin interface.

Affected variables (read in code but absent from config.json):

• VAULT_TOKEN (vault.go:37)
• VAULT_CACERT (vault.go:42)
• VAULT_CLIENT_CERT (vault.go:43)
• VAULT_CLIENT_KEY (vault.go:44)
• OPENBAO_CACERT (openbao.go:42)
• OPENBAO_CLIENT_CERT (openbao.go:43)
• OPENBAO_CLIENT_KEY (openbao.go:44)

Similar in nature to #26, where MONITORING_PORT and ENABLE_MONITORING were
missing from config.json.

---

🔁 Steps to Reproduce

1. Install and configure the plugin with SECRETS_PROVIDER=vault
2. Run: docker plugin set YOUR_PLUGIN_NAME VAULT_TOKEN=mytoken
3. Enable the plugin: docker plugin enable YOUR_PLUGIN_NAME
4. Attempt to retrieve a secret from Vault using token authentication

---

✅ Expected Behavior

The VAULT_TOKEN value is passed into the plugin runtime and used by the Vault
provider to authenticate.

---

❌ Actual Behavior

Docker silently ignores the VAULT_TOKEN value because it is not declared in
config.json. The Vault provider receives an empty token and authentication fails.

---

🧪 Reproducibility

• Always
• Sometimes
• Rarely
• Unable to reproduce

---

📸 Screenshots / Logs

Logs

# providers/vault.go:37 reads VAULT_TOKEN:
Token: getConfigOrDefault(config, "VAULT_TOKEN", "hvs.xxx")

# config.json env array — VAULT_TOKEN is absent.
# Only VAULT_ADDR, VAULT_AUTH_METHOD, VAULT_ROLE_ID,
# VAULT_SECRET_ID, VAULT_MOUNT_PATH are declared.

[sanjay7178]

@imran-techvoyager it seems you're not following the actual bug template and again you've inserted markdown in a markdown

[ayushk687]

@sanzoghenzo please assign this issue me

[sanzoghenzo]

@sanzoghenzo please assign this issue me

I'm not a maintainer, just a contributor 😉

[sanjay7178]

@imran-techvoyager when i was making this plugin , I didn't implemented TLS/SSL : CLIENT_CERT CLIENT_KEY and CACERT in both vault and openbao , because of my main goal is to get plugin working . But the problem is CLIENT_CERT CLIENT_KEY and CACERT are long string credentials and difficult to pass through them in a plugin environment .

We need to check any possibility of simplify these credentials to put into plugin to get started , also to make Token Based Auth as by default and TLS/SSL Auth as optional .

[sanjay7178]

cc @sanzoghenzo @Sarath191181208

@imran-techvoyager when i was making this plugin , I didn't implemented TLS/SSL : CLIENT_CERT CLIENT_KEY and CACERT in both vault and openbao , because of my main goal is to get plugin working . But the problem is CLIENT_CERT CLIENT_KEY and CACERT are long string credentials and difficult to pass through them in a plugin environment .

We need to check any possibility of simplify these credentials to put into plugin to get started , also to make Token Based Auth as by default and TLS/SSL Auth as optional .

[imran-techvoyager]

Thanks for the clarification @sanjay7178 , that makes sense.

The TLS cert variables being large multi-line values definitely makes them awkward to pass through plugin env vars.

One small improvement we could still make is adding VAULT_TOKEN to config.json. Since it’s just a short single-line value, it wouldn’t have the same complexity as certificate material and would enable the common token-auth path immediately.

TLS could remain optional for now and be handled separately later (for example via file paths or mounts rather than passing cert content directly).

If that approach sounds reasonable, I’d be happy to open a small PR adding VAULT_TOKEN to config.json so token-based auth works through docker plugin set.

[sanjay7178]

See in config.json VAULT_TOKEN is already present , you might didn't look into it clearly , and VAULT_TOKEN is a part of token auth not SSL .

[sanjay7178]

Token auth is already present

[imran-techvoyager]

@sanjay7178 you are right, my mistake. I was looking at an outdated copy of config.json in a local fork that was behind main, so I missed the existing VAULT_TOKEN entry.

After syncing with upstream I can see that VAULT_TOKEN is already defined. Thanks for pointing that out.