
Add support for Vault KVv2 backends

refs #9

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2019-02-14 23:02:17 +01:00
parent 0285eefd46
commit 5edcfdb900
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E
2 changed files with 19 additions and 2 deletions


@ -127,3 +127,14 @@ $ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io
# for the client config # for the client config
$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io $ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
``` ```
Pay attention when using a **Vault KV v2 backend**: You need to specify the path slighty different and use `vault-openvpn` v1.9.0 and above.
```console
$ openvpn --genkey --secret openvpn.key
$ vault kv put secret/vault-openvpn/ovpn key=@openvpn.key
$ vault-openvpn --auto-revoke --ovpn-key secret/data/vault-openvpn/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
```
Mind the additional `/data` added inside the key directly after the mount. This is required due to the differences in API methods between the KV v1 and v2 backends.


@ -13,10 +13,11 @@ import (
"text/template" "text/template"
"time" "time"
dhparam "github.com/Luzifer/go-dhparam"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/spf13/viper" "github.com/spf13/viper"
dhparam "github.com/Luzifer/go-dhparam"
) )
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) { func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) {
@ -53,7 +54,12 @@ func fetchOVPNKey() (string, error) {
return "", errors.New("Got no data from backend") return "", errors.New("Got no data from backend")
} }
key, ok := secret.Data["key"] dmap := secret.Data
if mapv2, ok := secret.Data["data"]; ok {
dmap = mapv2.(map[string]interface{})
}
key, ok := dmap["key"]
if !ok { if !ok {
return "", errors.New("Within specified secret no entry named 'key' was found") return "", errors.New("Within specified secret no entry named 'key' was found")
} }
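Review bot: The unchecked type assertion `mapv2.(map[string]interface{})` in the new KV v2 branch of fetchOVPNKey will panic instead of returning an error whenever `secret.Data["data"]` is present but is not a map — a KV v1 secret that happens to carry a field named `data`, or (if I recall the KV v2 read response correctly) a deleted/destroyed version, where `data` comes back as JSON null and the interface holds nil. Since the surrounding function already reports problems through its error return, the detection should use the two-value form so a malformed secret degrades to the existing "no entry named 'key'" error rather than crashing the tool mid-run: `dmap := secret.Data` / `if mapv2, ok := secret.Data["data"].(map[string]interface{}); ok {` / `dmap = mapv2`. It would also help to add a comment above the branch stating why the `data` key is used as the v2 marker, e.g. `// KV v2 wraps the user payload in a "data" sub-map; KV v1 returns it at top level.` fetchOVPNKey starts before this hunk and continues after it.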