Add ldap support to vault container in docker dev environment (#14777)

* add ldap_auth mount and configure it * added in key engines, userpass auth method, still needs testing * add policies and fix ldap_user * start awx automation for vault demo and move ldap * update docs with new flags/new credentials
2026-03-23 03:45:01 -02:30 · 2024-02-09 15:19:17 -05:00
parent 2e5306ae8e
commit 519fd22bec
8 changed files with 295 additions and 15 deletions
--- a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
@@ -92,6 +92,128 @@
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

+    - name: Configure the vault ldap auth
+      block:
+        - name: Create ldap auth mount
+          flowerysong.hvault.write:
+            path: "sys/auth/ldap"
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+            data:
+              type: "ldap"
+          register: vault_auth_ldap
+          changed_when: vault_auth_ldap.result.errors | default([]) | length == 0
+          failed_when:
+            - vault_auth_ldap.result.errors | default([]) | length > 0
+            - "'path is already in use at ldap/' not in vault_auth_ldap.result.errors | default([])"
+
+        - name: Create ldap engine
+          flowerysong.hvault.engine:
+            path: "ldap_engine"
+            type: "kv"
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+
+        - name: Create a ldap secret
+          flowerysong.hvault.kv:
+            mount_point: "ldap_engine/ldaps_root"
+            key: "ldap_secret"
+            value:
+              my_key: "this_is_the_ldap_secret_value"
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+
+        - name: Configure ldap auth
+          flowerysong.hvault.ldap_config:
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+            url: "ldap://ldap:1389"
+            binddn: "cn=awx_ldap_vault,ou=users,dc=example,dc=org"
+            bindpass: "vault123"
+            userdn: "ou=users,dc=example,dc=org"
+            deny_null_bind: "false"
+            discoverdn: "true"
+
+        - name: Create ldap access policy
+          flowerysong.hvault.policy:
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+            name: "ldap_engine"
+            policy:
+              ldap_engine/*: [create, read, update, delete, list]
+              sys/mounts:/*: [create, read, update, delete, list]
+              sys/mounts: [read]
+
+        - name: Add awx_ldap_vault user to auth_method
+          flowerysong.hvault.ldap_user:
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+            state: present
+            name: "{{ vault_ldap_username }}"
+            policies:
+              - "ldap_engine"
+      when: enable_ldap | bool
+
+    - name: Create userpass engine
+      flowerysong.hvault.engine:
+        path: "userpass_engine"
+        type: "kv"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+
+    - name: Create a userpass secret
+      flowerysong.hvault.kv:
+        mount_point: "userpass_engine/userpass_root"
+        key: "userpass_secret"
+        value:
+          my_key: "this_is_the_userpass_secret_value"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+
+    - name: Create userpass access policy
+      flowerysong.hvault.policy:
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        name: "userpass_engine"
+        policy:
+          userpass_engine/*: [create, read, update, delete, list]
+          sys/mounts:/*: [create, read, update, delete, list]
+          sys/mounts: [read]
+
+    - name: Create userpass auth mount
+      flowerysong.hvault.write:
+        path: "sys/auth/userpass"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        data:
+          type: "userpass"
+      register: vault_auth_userpass
+      changed_when: vault_auth_userpass.result.errors | default([]) | length == 0
+      failed_when:
+        - vault_auth_userpass.result.errors | default([]) | length > 0
+        - "'path is already in use at userpass/' not in vault_auth_userpass.result.errors | default([])"
+
+    - name: Add awx_userpass_admin user to auth_method
+      flowerysong.hvault.write:
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        path: "auth/userpass/users/{{ vault_userpass_username }}"
+        data:
+          password: "{{ vault_userpass_password }}"
+          policies:
+            - "userpass_engine"
+
  always:
    - name: Stop the vault
      community.docker.docker_compose: