Adding tacacs+ container for testing

2026-01-11 01:57:35 -03:30 · 2023-04-13 15:02:08 -04:00 · 2023-04-13 15:02:08 -04:00 · 8719648ff5
commit 8719648ff5
parent 11d5e5c7d4
5 changed files with 76 additions and 1 deletions
--- a/6
+++ b/6
@ -37,6 +37,8 @@ SPLUNK ?= false
 PROMETHEUS ?= false
 # If set to true docker-compose will also start a grafana instance
 GRAFANA ?= false
+# If set to true docker-compose will also start a tacacs+ instance
+TACACS ?= false

 VENV_BASE ?= /var/lib/awx/venv

@ -519,7 +521,9 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e enable_ldap=$(LDAP) \
 	    -e enable_splunk=$(SPLUNK) \
 	    -e enable_prometheus=$(PROMETHEUS) \
-	    -e enable_grafana=$(GRAFANA) $(EXTRA_SOURCES_ANSIBLE_OPTS)
+	    -e enable_grafana=$(GRAFANA) \
+	    -e enable_tacacs=$(TACACS) \
+            $(EXTRA_SOURCES_ANSIBLE_OPTS)

 docker-compose: awx/projects docker-compose-sources
 	$(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_OPTS) up $(COMPOSE_UP_OPTS) --remove-orphans
--- a/tools/docker-compose/README.md
+++ b/tools/docker-compose/README.md
@ -244,6 +244,7 @@ $ make docker-compose
 - [SAML and OIDC Integration](#saml-and-oidc-integration)
 - [OpenLDAP Integration](#openldap-integration)
 - [Splunk Integration](#splunk-integration)
+- [tacacs+ Integration](#tacacs+-integration)

 ### Start a Shell

@ -472,6 +473,29 @@ ansible-playbook tools/docker-compose/ansible/plumb_splunk.yml

 Once the playbook is done running Splunk should now be setup in your development environment. You can log into the admin console (see above for username/password) and click on "Searching and Reporting" in the left hand navigation. In the search box enter `source="http:tower_logging_collections"` and click search.

+### - tacacs+ Integration
+
+tacacs+ is an networking protocol that provides external authentication which can be used with AWX. This section describes how to build a reference tacacs+ instance and plumb it with your AWX for testing purposes.
+
+First, be sure that you have the awx.awx collection installed by running `make install_collection`.
+
+Anytime you want to run a tacacs+ instance alongside AWX we can start docker-compose with the TACACS option to get a containerized instance with the command:
+```bash
+TACACS=true make docker-compose
+```
+
+Once the containers come up a new port (49) should be exposed and the tacacs+ server should be running on those ports.
+
+Now we are ready to configure and plumb tacacs+ with AWX. To do this we have provided a playbook which will:
+* Backup and configure the tacacsplus adapter in AWX. NOTE: this will back up your existing settings but the password fields can not be backed up through the API, you need a DB backup to recover this.
+
+```bash
+export CONTROLLER_USERNAME=<your username>
+export CONTROLLER_PASSWORD=<your password>
+ansible-playbook tools/docker-compose/ansible/plumb_tacacs.yml
+```
+
+Once the playbook is done running tacacs+ should now be setup in your development environment. This server has the accounts listed on https://hub.docker.com/r/dchidell/docker-tacacs

 ### Prometheus and Grafana integration

--- a/tools/docker-compose/ansible/plumb_tacacs.yml
+++ b/tools/docker-compose/ansible/plumb_tacacs.yml
@ -0,0 +1,32 @@
+---
+- name: Plumb a tacacs+ instance
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  vars:
+    awx_host: "https://localhost:8043"
+  tasks:
+    - name: Load existing and new tacacs+ settings
+      set_fact:
+        existing_tacacs: "{{ lookup('awx.awx.controller_api', 'settings/tacacsplus', host=awx_host, verify_ssl=false) }}"
+        new_tacacs: "{{ lookup('template', 'tacacsplus_settings.json.j2') }}"
+
+    - name: Display existing tacacs+ configuration
+      debug:
+        msg:
+          - "Here is your existing tacacsplus configuration for reference:"
+          - "{{ existing_tacacs }}"
+
+    - pause:
+        prompt: "Continuing to run this will replace your existing tacacs settings (displayed above). They will all be captured. Be sure that is backed up before continuing"
+
+    - name: Write out the existing content
+      copy:
+        dest: "../_sources/existing_tacacsplus_adapter_settings.json"
+        content: "{{ existing_tacacs }}"
+
+    - name: Configure AWX tacacs+ adapter
+      awx.awx.settings:
+        settings: "{{ new_tacacs }}"
+        controller_host: "{{ awx_host }}"
+        validate_certs: False
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@ -174,6 +174,14 @@ services:
      - prometheus
    depends_on:
      - prometheus
+{% endif %}
+{% if enable_tacacs|bool %}
+  tacacs:
+    image: dchidell/docker-tacacs
+    container_name: tools_tacacs_1
+    hostname: tacacs
+    ports:
+      - "49:49"
 {% endif %}
  # A useful container that simply passes through log messages to the console
  # helpful for testing awx/tower logging
--- a/tools/docker-compose/ansible/templates/tacacsplus_settings.json.j2
+++ b/tools/docker-compose/ansible/templates/tacacsplus_settings.json.j2
@ -0,0 +1,7 @@
+{
+    "TACACSPLUS_HOST": "tacacs",
+    "TACACSPLUS_PORT": 49,
+    "TACACSPLUS_SECRET": "ciscotacacskey",
+    "TACACSPLUS_SESSION_TIMEOUT": 5,
+    "TACACSPLUS_AUTH_PROTOCOL": "ascii"
+}