Enhancing vault integration

Added persistent storage

Auto-create vault and awx via playbooks

Create a new pattern for custom containers where we can do initialization

Auto-install roles needed for plumbing via the Makefile

tools/docker-compose/README.md

@@ -505,32 +505,45 @@ Run a HashiVault container alongside of AWX.
 VAULT=true make docker-compose
 ```
 
-Go to `http://localhost:1234` sign in with method "Token".
+You can find the initialization data at `tools/docker-compose/_sources/secrets/vault_init.yml`,
+This includes the unseal keys and a root token.
 
-You can find the generated token at `tools/docker-compose/_sources/secrets/vault_password.yml`,
-this is a root token, and it should not need a corresponding username.
-Note that the token will be different on each restart, as it is re-generated by the playbook,
-and the container does not use a persistent volume.
+You will need to unseal the HashiVault each time the container is started.
+The easiest way to do that is to run:
+```bash
+ansible-playbook tools/docker-compose/ansible/unseal_vault.yml
+```
+This will perform the unseal and also display the root token for login.
 
-As a demo, click "Enable new engine +", click "KV" and Next.
-In the "Path" enter "my_engine" and click "Enable Engine".
-Click on the name of the engine and then "Create secret +".
-In the "Path for this secret" enter "my_root/my_folder" and in the "Secret Data" put "my_key" for key and **"my_value"** for value.
+For demo purposes, Vault will be auto-configured to include a Key Value (KV) vault called `my_engine` along with a secret called `my_key` in `/my_engine/my_root/my_folder`.
+The secret value is `this_is_the_secret_value`.
 
-Then go to AWX and create a new HashiVault credential with the generated token.
-Then go to any other arbitrary credential and click the key icon on an input to use a credential lookup plugin.
-In the "External Secret Management System" menu, first select the already-created HashiVault credential.
+To create a secret connected to this vault in AWX you can run the following playbook:
+```bash
+export CONTROLLER_USERNAME=<your username>
+export CONTROLLER_PASSWORD=<your password>
+ansible-playbook tools/docker-compose/ansible/plumb_vault.yml
+```
 
-Then in the "Metadata" menu, put in this data which is important for the integration:
- - Name of Secret Backend: "my_engine"
- - Path to Secret: "data/my_root/my_folder"
- - Key Name: "my_key"
+This will create the following items in your AWX instance:
+* A credential called `Vault Lookup Cred` tied to the vault instance.
+* A custom credential type called `Vault Custom Cred Type`.
+* A credential called `Credential From Vault` which is of the created type using the `Vault Lookup Cred` to get the password.
 
-After this, apply the credential to a job template that writes the data in a debug task.
-In the job output, you should see **my_value**.
+The custom credential type adds a variable when used in a playbook called `the_secret_from_vault`.
+If you have a playbook like:
+```
+---
+- name: Show a vault secret
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  tasks:
+    - debug:
+        var: the_secret_from_vault
+```
 
-(NOTE: the "arbitrary credential" could be a new custom credential type that injects to extra vars
-which is used in corresponding playbook that prints hostvars, but this doc assumes you know how to do that)
+And run it through AWX with the credential `Credential From Vault` tied to it, the debug should result in `this_is_the_secret_value`
 
 The extremely non-obvious input is the fact that the fact prefixes "data/" unexpectedly.
 This was discovered by inspecting the secret with the vault CLI, which may help with future troubleshooting.