Compare commits


11 Commits

Maksim Nabokikh
ce39aca32d
Merge cedc2a94ecb3d2066eb6d72c353a02ee9b682917 into a2c41756a56eeb7c09a270700672a4154645cbc6 2025-03-03 21:11:47 +00:00
maksim.nabokikh
cedc2a94ec Fix env variables
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 22:11:41 +01:00
maksim.nabokikh
da82b6e9b2 Disable buildah
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 22:08:18 +01:00
maksim.nabokikh
2e526b7570 Make workflow prettier
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 22:06:02 +01:00
maksim.nabokikh
38ed4afcb4 Migrate to jq
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 21:59:38 +01:00
maksim.nabokikh
a6baacd57f Migrate to jq
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 21:12:23 +01:00
maksim.nabokikh
0ba9eba9ba Migrate to jq
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 21:00:46 +01:00
maksim.nabokikh
79ae6270d2 Fix env variables
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 20:39:01 +01:00
maksim.nabokikh
5722b2aec8 Fix actions file
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 20:36:57 +01:00
maksim.nabokikh
1fae52e85c Try using werf
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2025-03-03 20:33:57 +01:00
Paramoshka
a2c41756a5
Added the ability to set the validity period of the client certificate. (#301)
Signed-off-by: Paramoshka <parfenov_ivan_42a@mail.ru>
2025-03-03 13:45:33 +01:00
5 changed files with 41 additions and 41 deletions


@ -12,7 +12,7 @@ updates:
schedule: schedule:
interval: "weekly" interval: "weekly"
# Dependencies listed in Dockerfile.ovpn-admin # Dependencies listed in Dockerfile
- package-ecosystem: "docker" - package-ecosystem: "docker"
directory: "/" directory: "/"
schedule: schedule:


@ -9,16 +9,14 @@ on:
branches: branches:
- master - master
env:
WERF_STAGED_DOCKERFILE_VERSION: v2
# WERF_BUILDAH_MODE: auto
jobs: jobs:
build: build:
name: build images for tag name: build images for tag
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- name: ovpn-admin
- name: openvpn
steps: steps:
- name: Checkout code - name: Checkout code
@ -26,40 +24,29 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Get the version - uses: werf/actions/install@v1.2
id: get_version
run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
- name: Set up Docker Buildx - name: Login into ghcr.io
uses: docker/setup-buildx-action@v2 shell: bash
run: werf cr login -u ${{ github.actor }} -p ${{ github.token }} ghcr.io/${{ github.repository }}
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata - name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5.6.1 uses: docker/metadata-action@v5.6.1
with: with:
images: ghcr.io/${{ github.repository }}/${{ matrix.name }} images: ghcr.io/${{ github.repository }}/${{ matrix.name }}
# Build and push Docker image with Buildx (don't push on PR) - name: Build Image
# https://github.com/docker/build-push-action if: ${{ github.event_name == 'pull_request' }}
- name: Push Image run: |
uses: docker/build-push-action@v4 source "$(werf ci-env github --as-file)"
with: source <(jq -r '.labels | to_entries | to_entries[] | "export WERF_EXPORT_ADD_LABEL_\(.key)=\"\(.value.key)=\(.value.value)\""' <<< $DOCKER_METADATA_OUTPUT_JSON)
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }} werf build
labels: ${{ steps.meta.outputs.labels }}
build-args: | - name: Build and Push Image
TAG=${{ github.ref_name }} if: ${{ github.event_name != 'pull_request' }}
platforms: linux/amd64,linux/arm64,linux/arm run: |
file: ./Dockerfile.${{ matrix.name }} source "$(werf ci-env github --as-file)"
source <(jq -r '.labels | to_entries | to_entries[] | "export WERF_EXPORT_ADD_LABEL_\(.key)=\"\(.value.key)=\(.value.value)\""' <<< $DOCKER_METADATA_OUTPUT_JSON)
werf export --tag ghcr.io/${{ github.repository }}/%image%:${{ github.ref_name }}
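Review bot: The `source <(jq -r ...)` lines in the Build Image and Build and Push Image steps evaluate label values as shell without quoting them: each `export WERF_EXPORT_ADD_LABEL_N="key=value"` is assembled by plain string interpolation, so a double quote, backtick or `$(` inside any value emitted by docker/metadata-action (e.g. `org.opencontainers.image.description`, which that action fills from the repository description) would be executed by `source` in the job's shell. Let jq produce the quoting instead, in both places: `source <(jq -r '.labels | to_entries | to_entries[] | "export WERF_EXPORT_ADD_LABEL_\(.key)=" + (.value.key + "=" + .value.value | @sh)' <<< "$DOCKER_METADATA_OUTPUT_JSON")`. Separately, the Login step hands the token to werf as a `-p` argument; if `werf cr login` accepts `--password-stdin` as docker login does, piping the token through stdin keeps it off the process command line.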


@ -17,4 +17,4 @@ RUN apk add --update bash easy-rsa openssl openvpn coreutils && \
ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \ ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.4/openvpn-user-linux-${TARGETARCH}.tar.gz -O - | tar xz -C /usr/local/bin && \ wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.4/openvpn-user-linux-${TARGETARCH}.tar.gz -O - | tar xz -C /usr/local/bin && \
rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
RUN if [ -f "/usr/local/bin/openvpn-user-${TARGETARCH}" ]; then ln -s /usr/local/bin/openvpn-user-${TARGETARCH} /usr/local/bin/openvpn-user; fi RUN if [ -f "/usr/local/bin/openvpn-user-${TARGETARCH}" ]; then ln -s /usr/local/bin/openvpn-user-${TARGETARCH} /usr/local/bin/openvpn-user; fi


@ -8,7 +8,9 @@ import (
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt"
"math/big" "math/big"
"strconv"
"time" "time"
) )
@ -60,7 +62,6 @@ func genPrivKey() (privKeyPEM *bytes.Buffer, err error) {
Bytes: privKeyPKCS8, Bytes: privKeyPKCS8,
}) })
return return
} }
@ -133,6 +134,17 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128) serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
serial, err := rand.Int(rand.Reader, serialNumberRange) serial, err := rand.Int(rand.Reader, serialNumberRange)
certLifetimeDays, err := strconv.Atoi(*clientCertExpirationDays)
if err != nil {
return nil, fmt.Errorf("can't get client certificate expiration value: %w", err)
}
notBefore := time.Now()
notAfter := notBefore.Add(time.Duration(certLifetimeDays) * 24 * time.Hour)
if notAfter.After(ca.NotAfter) {
notAfter = ca.NotAfter
}
template := x509.Certificate{ template := x509.Certificate{
BasicConstraintsValid: true, BasicConstraintsValid: true,
DNSNames: []string{cn}, DNSNames: []string{cn},
@ -142,8 +154,8 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
}, },
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
NotBefore: time.Now(), NotBefore: notBefore,
NotAfter: ca.NotAfter, NotAfter: notAfter,
} }
issuerBytes, err := x509.CreateCertificate(rand.Reader, &template, ca, &privKey.PublicKey, caPrivKey) issuerBytes, err := x509.CreateCertificate(rand.Reader, &template, ca, &privKey.PublicKey, caPrivKey)
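Review bot: certLifetimeDays is parsed but never range-checked, so a zero, negative or very large value (days above roughly 106751 overflow time.Duration, which is int64 nanoseconds) produces a notAfter at or before notBefore and the certificate is issued already expired; the `notAfter.After(ca.NotAfter)` clamp only guards the other direction. Add after the Atoi error check `if certLifetimeDays <= 0 { return nil, fmt.Errorf("client certificate expiration days must be positive, got %d", certLifetimeDays) }` plus an upper bound, or better declare the flag with kingpin's `.Int()` in the flag declaration of the last file section and validate once at startup instead of on every call. The `:=` on the Atoi line also overwrites the `err` from the preceding rand.Int call before anything inspects it; as far as the hunk shows that error was not checked before this change either, but if it was meant to be, it needs handling above this line. genClientCert starts and ends outside the hunk.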


@ -76,6 +76,7 @@ var (
logLevel = kingpin.Flag("log.level", "set log level: trace, debug, info, warn, error (default info)").Default("info").Envar("LOG_LEVEL").String() logLevel = kingpin.Flag("log.level", "set log level: trace, debug, info, warn, error (default info)").Default("info").Envar("LOG_LEVEL").String()
logFormat = kingpin.Flag("log.format", "set log format: text, json (default text)").Default("text").Envar("LOG_FORMAT").String() logFormat = kingpin.Flag("log.format", "set log format: text, json (default text)").Default("text").Envar("LOG_FORMAT").String()
storageBackend = kingpin.Flag("storage.backend", "storage backend: filesystem, kubernetes.secrets (default filesystem)").Default("filesystem").Envar("STORAGE_BACKEND").String() storageBackend = kingpin.Flag("storage.backend", "storage backend: filesystem, kubernetes.secrets (default filesystem)").Default("filesystem").Envar("STORAGE_BACKEND").String()
clientCertExpirationDays = kingpin.Flag("client-cert.expiration-days", "Expiration period of OpenVPN client certificates in days, the period will shrink automatically to the CA expiration period").Default("3650").Envar("CLIENT_CERT_EXPIRATION_DAYS").String()
certsArchivePath = "/tmp/" + certsArchiveFileName certsArchivePath = "/tmp/" + certsArchiveFileName
ccdArchivePath = "/tmp/" + ccdArchiveFileName ccdArchivePath = "/tmp/" + ccdArchiveFileName