Is your feature request related to a problem? Please describe.
Entity (and secret) metadata is the only place where expanded templates are not treated as lists, since Vault only allows string-valued metadata. This string value is currently made deterministic by converting it into a sorted comma-separated list.
The current situation does not allow this kind of metadata to be used (reliably) in templated policies.
Describe the solution you'd like
A workaround proposed in #104 would make this somewhat workable:
Assuming the following master configuration:
```yaml
vault:
  metadata:
    entity:
      roles: '{pillar[roles]}'
```
On a minion with `pillar[roles] == [web, db]`, in addition to populating `roles` with `db,web`, create suffixed variants containing individual roles: `roles__0 == db`, `roles__1 == web`.
Then, a templated policy needs to repeat the path and assignment up to the number of supported roles per minion:
```hcl
# This policy respects 3 different roles per minion at most
path "salt/data/roles/{{identity.entity.metadata.roles__0}}" {
  capabilities = ["read"]
}
path "salt/data/roles/{{identity.entity.metadata.roles__1}}" {
  capabilities = ["read"]
}
path "salt/data/roles/{{identity.entity.metadata.roles__2}}" {
  capabilities = ["read"]
}
# ...
```
The minion in this situation would be assigned read access to both
`salt/data/roles/db` (via `salt/data/roles/{{identity.entity.metadata.roles__0}}`) and
`salt/data/roles/web` (via `salt/data/roles/{{identity.entity.metadata.roles__1}}`).
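The following is an added example, not code from saltext.vault or from the issue author, showing the expansion behaviour proposed above in working Python: a metadata template that resolves to a list is flattened into the existing sorted, comma-separated string and, in addition, emitted as one suffixed key per element (`roles__0`, `roles__1`, ...). A second helper renders the repeated policy blocks for a chosen maximum number of roles. The simplified `{pillar[key]}` placeholder syntax, the function names and the sample pillar are assumptions made for illustration.

```python
"""Added example: string-only metadata expansion with suffixed list variants.

Not part of saltext.vault. The placeholder syntax handled here is a deliberately
small subset ('{pillar[roles]}' style) chosen for the illustration.
"""
import re
from typing import Any, Dict

# Assumed simplified template syntax: exactly one '{source[key]}' placeholder.
_PLACEHOLDER = re.compile(r"^\{(?P<source>\w+)\[(?P<key>[^\]]+)\]\}$")


def _resolve(template: str, context: Dict[str, Dict[str, Any]]) -> Any:
    """Resolve a placeholder against a context such as {'pillar': {...}}.

    A string that is not a placeholder is returned unchanged (a literal value).
    """
    match = _PLACEHOLDER.match(template.strip())
    if match is None:
        return template
    source, key = match.group("source"), match.group("key")
    return context.get(source, {}).get(key)


def expand_metadata(
    templates: Dict[str, str],
    context: Dict[str, Dict[str, Any]],
    suffix_sep: str = "__",
) -> Dict[str, str]:
    """Return Vault-compatible, string-only metadata.

    List values keep the existing deterministic form (sorted, comma-joined) under
    the original key and additionally get one '<key>__<index>' entry per item so
    that a templated policy can address a single element.
    """
    expanded: Dict[str, str] = {}
    for name, template in templates.items():
        value = _resolve(template, context)
        if value is None:
            # Missing pillar key: leave the metadata unset instead of writing "None".
            continue
        if isinstance(value, (list, tuple, set)):
            items = sorted(str(item) for item in value)
            expanded[name] = ",".join(items)
            for index, item in enumerate(items):
                expanded[f"{name}{suffix_sep}{index}"] = item
        else:
            expanded[name] = str(value)
    return expanded


def render_role_policy(max_roles: int, metadata_key: str = "roles") -> str:
    """Render the repeated path blocks of the workaround policy for up to max_roles roles."""
    blocks = [f"# This policy respects {max_roles} different roles per minion at most"]
    for index in range(max_roles):
        blocks.append(
            f'path "salt/data/roles/{{{{identity.entity.metadata.{metadata_key}__{index}}}}}" {{\n'
            '  capabilities = ["read"]\n'
            "}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample pillar for the minion described in the issue.
    sample_context = {"pillar": {"roles": ["web", "db"], "env": "prod"}}
    sample_templates = {"roles": "{pillar[roles]}", "env": "{pillar[env]}"}
    for key, value in sorted(expand_metadata(sample_templates, sample_context).items()):
        print(f"{key} = {value}")
    print(render_role_policy(3))
```

Run the module directly to see the metadata a minion with `pillar[roles] == [web, db]` would receive (`roles = db,web`, `roles__0 = db`, `roles__1 = web`) followed by the three-role policy text. The sorted order is what makes the suffix indices stable across runs, which is the property the templated policy depends on.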
Describe alternatives you've considered
Template `policies:assign` instead and manually create the necessary policies.