From 61cc3f79ea00f936a799fb20ba7ee1f7804ea2f5 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Fri, 12 Sep 2025 22:30:05 +0200
Subject: [PATCH] AZKV: Also allow to omit version for AZKV keys specified in key groups.

Signed-off-by: Felix Fontein
---
 azkv/keysource.go      | 16 ++++++++++++----
 azkv/keysource_test.go |  4 ++--
 config/config.go       |  6 +++++-
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/azkv/keysource.go b/azkv/keysource.go
index b0ee33814..d6c69475a 100644
--- a/azkv/keysource.go
+++ b/azkv/keysource.go
@@ -64,9 +64,9 @@ type MasterKey struct {
 	clientOptions *azkeys.ClientOptions
 }
 
-// NewMasterKey creates a new MasterKey from a URL, key name and version,
+// newMasterKey creates a new MasterKey from a URL, key name and version,
 // setting the creation date to the current date.
-func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey {
+func newMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey {
 	return &MasterKey{
 		VaultURL: vaultURL,
 		Name:     keyName,
@@ -75,6 +75,14 @@ func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey
 	}
 }
 
+// NewMasterKey creates a new MasterKey from a URL, key name and (optional) version,
+// setting the creation date to the current date.
+func NewMasterKey(vaultURL string, keyName string, keyVersion string) (*MasterKey, error) {
+	key := newMasterKey(vaultURL, keyName, keyVersion)
+	err := key.ensureKeyHasVersion(context.Background())
+	return key, err
+}
+
 // NewMasterKeyFromURL takes an Azure Key Vault key URL, and returns a new
 // MasterKey. The URL format is {vaultUrl}/keys/{keyName}/{keyVersion}.
 func NewMasterKeyFromURL(url string) (*MasterKey, error) {
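Review bot: The new exported NewMasterKey hands back the partially built key together with a non-nil error from ensureKeyHasVersion, so a caller that uses the key on error ends up with a MasterKey whose version was never resolved; return `nil` on failure instead: `if err := key.ensureKeyHasVersion(context.Background()); err != nil { return nil, err }` followed by `return key, nil`. The doc comment also does not say that an empty keyVersion makes the constructor talk to the vault (ensureKeyHasVersion is outside the hunk, but the commit subject and the "actual version" comment in NewMasterKeyFromURL suggest it resolves the current version remotely), which means a bare context.Background() call with no deadline or cancellation inside what looks like a pure constructor; I would add `// When keyVersion is empty, the current version is looked up in the vault, which requires network access and credentials.` and consider a variant that takes a ctx. NewMasterKeyFromURL in the next hunk keeps the same `return key, err` shape.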
@@ -88,9 +96,9 @@ func NewMasterKeyFromURL(url string) (*MasterKey, error) {
 	// version of the key. We need to put the actual version in the sops metadata block though
 	var key *MasterKey
 	if len(parts[3]) > 1 {
-		key = NewMasterKey(parts[1], parts[2], parts[3][1:])
+		key = newMasterKey(parts[1], parts[2], parts[3][1:])
 	} else {
-		key = NewMasterKey(parts[1], parts[2], "")
+		key = newMasterKey(parts[1], parts[2], "")
 	}
 	err := key.ensureKeyHasVersion(context.Background())
 	return key, err
diff --git a/azkv/keysource_test.go b/azkv/keysource_test.go
index 5560e4be6..cc636f436 100644
--- a/azkv/keysource_test.go
+++ b/azkv/keysource_test.go
@@ -181,7 +181,7 @@ func TestMasterKey_EncryptIfNeeded(t *testing.T) {
 }
 
 func TestMasterKey_NeedsRotation(t *testing.T) {
-	key := NewMasterKey("", "", "")
+	key := newMasterKey("", "", "")
 	assert.False(t, key.NeedsRotation())
 
 	key.CreationDate = key.CreationDate.Add(-(azkvTTL + time.Second))
@@ -189,7 +189,7 @@ func TestMasterKey_NeedsRotation(t *testing.T) {
 }
 
 func TestMasterKey_ToString(t *testing.T) {
-	key := NewMasterKey("https://test.vault.azure.net", "key-name", "key-version")
+	key := newMasterKey("https://test.vault.azure.net", "key-name", "key-version")
 	assert.Equal(t, "https://test.vault.azure.net/keys/key-name/key-version", key.ToString())
 }
 
diff --git a/config/config.go b/config/config.go
index 025cc710c..6a617c06d 100644
--- a/config/config.go
+++ b/config/config.go
@@ -330,7 +330,11 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
 		keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
 	}
 	for _, k := range group.AzureKV {
-		keyGroup = append(keyGroup, azkv.NewMasterKey(k.VaultURL, k.Key, k.Version))
+		if key, err := azkv.NewMasterKey(k.VaultURL, k.Key, k.Version); err == nil {
+			keyGroup = append(keyGroup, key)
+		} else {
+			return nil, err
+		}
 	}
 	for _, k := range group.Vault {
 		if masterKey, err := hcvault.NewMasterKeyFromURI(k); err == nil {
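Review bot: The error from azkv.NewMasterKey is returned bare, so a config with several AzureKV entries gives the user no indication of which vault URL or key name failed to resolve; wrap it, e.g. `return nil, fmt.Errorf("resolving azure key vault key %q in %q: %w", k.Key, k.VaultURL, err)` (assuming fmt is available in config.go, which the hunk does not show). Worth noting as well that extractMasterKeys now presumably performs a remote lookup during config parsing whenever Version is omitted, with no way for the caller to bound it, so a slow or unreachable vault blocks loading of the whole config file rather than only the affected key group; a short comment at the loop, `// An empty Version is resolved against the vault here, so this can block on network I/O.`, would make that visible to the next reader. extractMasterKeys starts and ends outside the hunk.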