Add SSH secret backend CA resource #163
Conversation
ghost
added
the
arnogeurts
force-pushed
the
ssh-secret-backend-ca
branch
from
711dc60
to
fef32b3
Compare
There was a problem hiding this comment.
@arnogeurts thanks for this contribution, it's very helpful! The code looks great, just needs master merged in and a couple minor tweaks due to the way the parameters are handled in Vault.
| generateSigningKey := d.Get("generate_signing_key").(bool) | ||
|
|
||
| data := map[string]interface{}{ | ||
| "generate_signing_key": generateSigningKey, |
There was a problem hiding this comment.
I was looking at the code this feeds into here and it actually behaves differently based on whether the generate_signing_key flag was explicitly set to false or simply omitted. So, I think that for this code to behave as expected, we would probably want to only include this flag if it were set.
That would mean that above, we'd want to do:
generateSigningKey, ok := d.Get("generate_signing_key").(bool)
if ok {
data["generate_signing_key"] = generateSigningKey
}
There was a problem hiding this comment.
@tyrannosaurus-becks thank you very much for your feedback. I added the conditional check to the generate_signing_key property, as suggested above.
| data := map[string]interface{}{ | ||
| "generate_signing_key": generateSigningKey, | ||
| } | ||
| if !generateSigningKey { |
There was a problem hiding this comment.
I think that this if shouldn't exist so the code linked above will be fed the way it wants to be.
There was a problem hiding this comment.
I removed this check, so all values are provided to the Vault API if they are provided in the configuration. The Vault API / SDK can decide on whether a given configuration is correct.
| privateKey := d.Get("private_key").(string) | ||
| publicKey := d.Get("public_key").(string) | ||
| if privateKey == "" || publicKey == "" { | ||
| return fmt.Errorf("When generate_signing_key is false, both public_key and private_keys should be specified") |
There was a problem hiding this comment.
Is this error needed in light of how the code linked above actually does allow this case?
It's useful, though, because we'd only want to populate the public and private key if they were actually provided, in this particular case.
There was a problem hiding this comment.
See previous comment.
…d-ca # Conflicts: # vault/provider.go # website/vault.erb
+ removed context based checks
Add SSH secret backend CA resource
This pull request partly implements #104
It can be used to provision Vault as a certificate authority:
https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html