Comcast
diff --git a/‎.github/workflows/tag.yml
+2-2 b/‎.github/workflows/tag.yml
+2-2
diff --git a/‎Makefile
+1-2 b/‎Makefile
+1-2
diff --git a/‎README.md
+59-43 b/‎README.md
+59-43
@@ -26,10 +26,10 @@ jobs:
           body: GitHub Actions Release
           draft: false
           prerelease: false
-      - name: Set up Go 1.16
+      - name: Set up Go 1.21
         uses: actions/setup-go@v1
         with:
-          go-version: 1.16
+          go-version: 1.21
         id: go
       - name: Check out new tag into the Go module directory
         uses: actions/checkout@v2
 
@@ -6,8 +6,7 @@ PROJECT_NAME := buildenv
 all: clean build-deps build
 
 build-deps:
-	go get github.com/mitchellh/gox
-	go get github.com/aktau/github-release
+	go install github.com/mitchellh/gox@latest
 
 build:
 	CGO_ENABLED=0 gox -ldflags "-X main.version=$(VERSION)" -osarch="darwin/amd64 darwin/arm64 linux/386 linux/amd64 linux/arm linux/arm64 windows/386 windows/amd64" -output "pkg/{{.OS}}_{{.Arch}}/$(PROJECT_NAME)"
 
@@ -1,63 +1,74 @@
 buildenv
 ========
 
-A tool for generating environment exports from a YAML file. _Now with vault integration!_
+A tool for generating environment exports from a YAML file. Variables can be set in plain test, or by specifying vault key-value (version 2) paths and keys (`kv_secrets`) or the older generic / kv paths (`secrets`) where the key name "value" is assumed.
 
 Usage
 -----
 
 Given a `variables.yml` file like this:
 ```yaml
 ---
-  vars:
-    GLOBAL: "global"
-
-  secrets:
-    SECRET_TEST: "secret/test"
-
-  environments:
-    stage:
-      vars:
-        ENVIRONMENT: "stage"
-
-      secrets:
-        ANOTHER_SECRET: "secret/test2"
-
-      dcs:
-        ndc_one:
-          secrets:
-            YET_ANOTHER_SECRET: "secret/test3"
-          vars:
-            DC: "one"
-
-        ndc_two:
-          secrets:
-            YET_ANOTHER_SECRET: "secret/test3"
-          vars:
-            DC: "one"
+vars:
+  GLOBAL: "global"
+
+secrets:
+  GENERIC_SECRET: "gen/test"
+  KV_SECRET: "old/test"
+  KV2_SECRET: "secret/oldstyle"
+
+kv_secrets:
+  - path: "secret/test"
+    vars:
+      KV2_ONE: "one"
+      KV2_TWO: "two"
+  - path: "old/test"
+    vars:
+      KV1: "value"
+  - path: "gen/test"
+    vars:
+      KV_GENERIC: "value"
+
+environments:
+  stage:
+    vars:
+      ENVIRONMENT: "stage"
+
+    secrets:
+      ANOTHER_SECRET: "secret/oldstyle"
+
+    dcs:
+      ndc_one:
+        vars:
+          DC: "one"
+        kv_secrets:
+          - path: "old/test"
+            vars:
+              KV2_THREE: "three"
 ```
 
 Output would look like this:
 
 ```
-% buildenv -e stage -d ndc_one
-# Setting Variables for:
-# Environment: stage
-# Datacenter: ndc_one
-# Global Vars:
+% buildenv -c -e stage -d ndc_one
+# Global Variables
 export GLOBAL="global"
-# Global Secrets:
-export SECRET_TEST="It Works" # secret/test
-# Environment (stage) Vars:
+export KV2_ONE="1" # Path: secret/test, Key: one
+export KV2_TWO="2" # Path: secret/test, Key: two
+export KV1="old" # Path: old/test, Key: value
+export KV_GENERIC="generic" # Path: gen/test, Key: value
+export GENERIC_SECRET="generic" # Path: gen/test, Key: value
+export KV_SECRET="old" # Path: old/test, Key: value
+export KV2_SECRET="default" # Path: secret/oldstyle, Key: value
+# Environment: stage
 export ENVIRONMENT="stage"
-# Environment (stage) Secrets:
-export ANOTHER_SECRET="It Still Works" # secret/test
-# Datacenter (ndc_one) Specific Vars:
-YET_ANOTHER_SECRET: "secretpassword"
+export ANOTHER_SECRET="default" # Path: secret/oldstyle, Key: value
+# Datacenter: ndc_one
 export DC="one"
+export KV2_THREE="3" # Path: old/test, Key: three
 ```
 
-*A Note About Vault:* If you have `secrets` defined in either the global or environment scope, it's a mapping from environment variable to the path in vault. Buildenv uses all the standard vault environment variables to communicate with vault (`VAULT_ADDR` and `VAULT_TOKEN` being the two you're most likely to use.)
+*A Note About Vault:* If you have `secrets` defined in either the global or environment scope, it's a mapping from environment variable to the path in vault. Buildenv uses all the standard vault environment variables to communicate with vault (`VAULT_ADDR` and `VAULT_TOKEN` being the two you're most likely to use.) You can find the complete list [in the vault client docs](https://pkg.go.dev/github.com/hashicorp/vault-client-go@v0.4.2#WithEnvironment).
 
 Running on Linux or in Docker container
 ----------
@@ -73,8 +84,13 @@ To test with vault, run:
 docker-compose up vault -d
 export VAULT_ADDR="http://localhost:8200"
 export VAULT_TOKEN="test"
-vault write secret/test "value=It Works"
-vault write secret/test2 "value=It Still Works"
-buildenv -e stage
+vault secrets enable -path gen generic
+vault secrets enable -version=1 -path old kv
+vault kv put secret/test "one=1" "two=2"
+vault kv put secret/oldstyle "value=default"
+vault kv put old/test "value=old" "three=3"
+vault write gen/test "value=generic"
+
+buildenv -c -e stage -d ndc_one
 docker-compose down
 ```