External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-06 19:21:06 -03:30
Code Issues Packages Projects Releases Wiki Activity

Add ldap support to vault container in docker dev environment (#14777)

Browse Source 
* add ldap_auth mount and configure it

* added in key engines, userpass auth method, still needs testing

* add policies and fix ldap_user

* start awx automation for vault demo and move ldap

* update docs with new flags/new credentials
This commit is contained in:
Jake Jackson
2024-02-09 15:19:17 -05:00
committed by GitHub
parent 2e5306ae8e
commit 519fd22bec
8 changed files with 295 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
tools/docker-compose/ansible/roles/vault/defaults/main.yml
View File

@@ -1,7 +1,12 @@
---
vault_file: "{{ sources_dest }}/secrets/vault_init.yml"
admin_password_file: "{{ sources_dest }}/secrets/admin_password.yml"
vault_cert_dir: '{{ sources_dest }}/vault_certs'
vault_cert_dir: "{{ sources_dest }}/vault_certs"
vault_server_cert: "{{ vault_cert_dir }}/server.crt"
vault_client_cert: "{{ vault_cert_dir }}/client.crt"
vault_client_key: "{{ vault_cert_dir }}/client.key"
ldap_ldif: "{{ sources_dest }}/ldap.ldifs/ldap.ldif"
vault_ldap_username: "awx_ldap_vault"
vault_ldap_password: "vault123"
vault_userpass_username: "awx_userpass_admin"
vault_userpass_password: "userpass123"

122
tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
View File

@@ -92,6 +92,128 @@
validate_certs: false
token: "{{ Initial_Root_Token }}"
- name: Configure the vault ldap auth
block:
- name: Create ldap auth mount
flowerysong.hvault.write:
path: "sys/auth/ldap"
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
data:
type: "ldap"
register: vault_auth_ldap
changed_when: vault_auth_ldap.result.errors | default([]) | length == 0
failed_when:
- vault_auth_ldap.result.errors | default([]) | length > 0
- "'path is already in use at ldap/' not in vault_auth_ldap.result.errors | default([])"
- name: Create ldap engine
flowerysong.hvault.engine:
path: "ldap_engine"
type: "kv"
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
- name: Create a ldap secret
flowerysong.hvault.kv:
mount_point: "ldap_engine/ldaps_root"
key: "ldap_secret"
value:
my_key: "this_is_the_ldap_secret_value"
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
- name: Configure ldap auth
flowerysong.hvault.ldap_config:
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
url: "ldap://ldap:1389"
binddn: "cn=awx_ldap_vault,ou=users,dc=example,dc=org"
bindpass: "vault123"
userdn: "ou=users,dc=example,dc=org"
deny_null_bind: "false"
discoverdn: "true"
- name: Create ldap access policy
flowerysong.hvault.policy:
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
name: "ldap_engine"
policy:
ldap_engine/*: [create, read, update, delete, list]
sys/mounts:/*: [create, read, update, delete, list]
sys/mounts: [read]
- name: Add awx_ldap_vault user to auth_method
flowerysong.hvault.ldap_user:
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
state: present
name: "{{ vault_ldap_username }}"
policies:
- "ldap_engine"
when: enable_ldap | bool
- name: Create userpass engine
flowerysong.hvault.engine:
path: "userpass_engine"
type: "kv"
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
- name: Create a userpass secret
flowerysong.hvault.kv:
mount_point: "userpass_engine/userpass_root"
key: "userpass_secret"
value:
my_key: "this_is_the_userpass_secret_value"
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
- name: Create userpass access policy
flowerysong.hvault.policy:
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
name: "userpass_engine"
policy:
userpass_engine/*: [create, read, update, delete, list]
sys/mounts:/*: [create, read, update, delete, list]
sys/mounts: [read]
- name: Create userpass auth mount
flowerysong.hvault.write:
path: "sys/auth/userpass"
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
data:
type: "userpass"
register: vault_auth_userpass
changed_when: vault_auth_userpass.result.errors | default([]) | length == 0
failed_when:
- vault_auth_userpass.result.errors | default([]) | length > 0
- "'path is already in use at userpass/' not in vault_auth_userpass.result.errors | default([])"
- name: Add awx_userpass_admin user to auth_method
flowerysong.hvault.write:
vault_addr: "{{ vault_addr_from_host }}"
validate_certs: false
token: "{{ Initial_Root_Token }}"
path: "auth/userpass/users/{{ vault_userpass_username }}"
data:
password: "{{ vault_userpass_password }}"
policies:
- "userpass_engine"
always:
- name: Stop the vault
community.docker.docker_compose:

110
tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
View File

@@ -38,7 +38,6 @@
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
injectors:
extra_vars:
@@ -51,28 +50,26 @@
secret: true
register: custom_vault_cred_type
- name: Create a credential of the custom type
- name: Create a credential of the custom type for token auth
awx.awx.credential:
credential_type: "{{ custom_vault_cred_type.id }}"
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
name: Credential From Vault
name: Credential From HashiCorp Vault via Token Auth
inputs: {}
organization: Default
register: custom_credential
register: custom_credential_via_token
- name: Use the Vault Credential For the new credential
- name: Use the Token Vault Credential For the new credential
awx.awx.credential_input_source:
input_field_name: password
target_credential: "{{ custom_credential.id }}"
target_credential: "{{ custom_credential_via_token.id }}"
source_credential: "{{ vault_cred.id }}"
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
metadata:
auth_path: ""
@@ -80,3 +77,100 @@
secret_key: "my_key"
secret_path: "/my_root/my_folder"
secret_version: ""
- name: Create a HashiCorp Vault Credential for LDAP
awx.awx.credential:
credential_type: HashiCorp Vault Secret Lookup
name: Vault LDAP Lookup Cred
organization: Default
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
inputs:
api_version: "v1"
default_auth_path: "ldap"
kubernetes_role: ""
namespace: ""
url: "{{ vault_addr_from_container }}"
username: "{{ vault_ldap_username }}"
password: "{{ vault_ldap_password }}"
register: vault_ldap_cred
when: enable_ldap | bool
- name: Create a credential from the Vault LDAP Custom Cred Type
awx.awx.credential:
credential_type: "{{ custom_vault_cred_type.id }}"
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
name: Credential From HashiCorp Vault via LDAP Auth
inputs: {}
organization: Default
register: custom_credential_via_ldap
when: enable_ldap | bool
- name: Use the Vault LDAP Credential the new credential
awx.awx.credential_input_source:
input_field_name: password
target_credential: "{{ custom_credential_via_ldap.id }}"
source_credential: "{{ vault_ldap_cred.id }}"
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
metadata:
auth_path: ""
secret_backend: "ldap_engine"
secret_key: "my_key"
secret_path: "ldaps_root/ldap_secret"
secret_version: ""
when: enable_ldap | bool
- name: Create a HashiCorp Vault Credential for UserPass
awx.awx.credential:
credential_type: HashiCorp Vault Secret Lookup
name: Vault UserPass Lookup Cred
organization: Default
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
inputs:
api_version: "v1"
default_auth_path: "userpass"
kubernetes_role: ""
namespace: ""
url: "{{ vault_addr_from_container }}"
username: "{{ vault_userpass_username }}"
password: "{{ vault_userpass_password }}"
register: vault_userpass_cred
- name: Create a credential from the Vault UserPass Custom Cred Type
awx.awx.credential:
credential_type: "{{ custom_vault_cred_type.id }}"
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
name: Credential From HashiCorp Vault via UserPass Auth
inputs: {}
organization: Default
register: custom_credential_via_userpass
- name: Use the Vault UserPass Credential the new credential
awx.awx.credential_input_source:
input_field_name: password
target_credential: "{{ custom_credential_via_userpass.id }}"
source_credential: "{{ vault_userpass_cred.id }}"
controller_host: "{{ awx_host }}"
controller_username: admin
controller_password: "{{ admin_password }}"
validate_certs: false
metadata:
auth_path: ""
secret_backend: "userpass_engine"
secret_key: "my_key"
secret_path: "userpass_root/userpass_secret"
secret_version: ""