Add support for Vault KVv2 backends

refs Luzifer#9 Signed-off-by: Knut Ahlers <[email protected]>
jasongwartz · Feb 14, 2019 · 5edcfdb · 5edcfdb
1 parent 0285eef
commit 5edcfdb
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -127,3 +127,14 @@ $ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io
 # for the client config
 $ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
 ```
+
+Pay attention when using a **Vault KV v2 backend**: You need to specify the path slighty different and use `vault-openvpn` v1.9.0 and above.
+
+```console
+$ openvpn --genkey --secret openvpn.key
+$ vault kv put secret/vault-openvpn/ovpn [email protected]
+
+$ vault-openvpn --auto-revoke --ovpn-key secret/data/vault-openvpn/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
+```
+
+Mind the additional `/data` added inside the key directly after the mount. This is required due to the differences in API methods between the KV v1 and v2 backends.
diff --git a/cmd/helpers.go b/cmd/helpers.go
@@ -13,10 +13,11 @@ import (
 	"text/template"
 	"time"
 
-	dhparam "github.com/Luzifer/go-dhparam"
 	"github.com/hashicorp/vault/api"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/viper"
+
+	dhparam "github.com/Luzifer/go-dhparam"
 )
 
 func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) {
@@ -53,7 +54,12 @@ func fetchOVPNKey() (string, error) {
 		return "", errors.New("Got no data from backend")
 	}
 
-	key, ok := secret.Data["key"]
+	dmap := secret.Data
+	if mapv2, ok := secret.Data["data"]; ok {
+		dmap = mapv2.(map[string]interface{})
+	}
+
+	key, ok := dmap["key"]
 	if !ok {
 		return "", errors.New("Within specified secret no entry named 'key' was found")
 	}