mirror of
https://github.com/ansible/awx.git
synced 2026-02-28 00:08:44 -03:30
6aa2997dce
* Add TLS certificate auth for HashiCorp Vault Add support for AWX to authenticate with HashiCorp Vault using TLS client certificates. Also updates the documentation for the HashiCorp Vault secret management plugins to include both the new TLS options and the missing Kubernetes auth method options. Signed-off-by: Andrew Austin <aaustin@redhat.com> * Refactor docker-compose vault for TLS cert auth Add TLS configuration to the docker-compose Vault configuration and use that method by default in vault plumbing. This ensures that the result of bringing up the docker-compose stack with vault enabled and running the plumb-vault playbook is a fully working credential retrieval setup using TLS client cert authentication. Signed-off-by: Andrew Austin <aaustin@redhat.com> * Remove incorrect trailing space Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com> * Make vault init idempotent - improve error handling for vault_initialization - ignore error if vault cert auth is already configured - removed unused register * Add VAULT_TLS option Make TLS for HashiCorp Vault optional and configurable via VAULT_TLS env var * Add retries for vault init Sometime it took longer for vault to fully come up and init will fail --------- Signed-off-by: Andrew Austin <aaustin@redhat.com> Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com> Co-authored-by: Hao Liu <haoli@redhat.com>
83 lines
2.4 KiB
YAML
83 lines
2.4 KiB
YAML
---
|
|
- name: Set vault_addr
|
|
include_tasks: set_vault_addr.yml
|
|
|
|
- name: Load vault keys
|
|
include_vars:
|
|
file: "{{ vault_file }}"
|
|
|
|
- name: Get AWX admin password
|
|
include_vars:
|
|
file: "{{ admin_password_file }}"
|
|
|
|
- name: Create a HashiCorp Vault Credential
|
|
awx.awx.credential:
|
|
credential_type: HashiCorp Vault Secret Lookup
|
|
name: Vault Lookup Cred
|
|
organization: Default
|
|
controller_host: "{{ awx_host }}"
|
|
controller_username: admin
|
|
controller_password: "{{ admin_password }}"
|
|
validate_certs: false
|
|
inputs:
|
|
api_version: "v1"
|
|
cacert: "{{ lookup('ansible.builtin.file', '{{ vault_server_cert }}', errors='ignore') }}"
|
|
default_auth_path: "cert"
|
|
kubernetes_role: ""
|
|
namespace: ""
|
|
client_cert_public: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}', errors='ignore') }}"
|
|
client_cert_private: "{{ lookup('ansible.builtin.file', '{{ vault_client_key }}', errors='ignore') }}"
|
|
token: "{{ Initial_Root_Token }}"
|
|
url: "{{ vault_addr_from_container }}"
|
|
register: vault_cred
|
|
|
|
- name: Create a custom credential type
|
|
awx.awx.credential_type:
|
|
name: Vault Custom Cred Type
|
|
kind: cloud
|
|
controller_host: "{{ awx_host }}"
|
|
controller_username: admin
|
|
controller_password: "{{ admin_password }}"
|
|
|
|
validate_certs: false
|
|
injectors:
|
|
extra_vars:
|
|
the_secret_from_vault: "{{ '{{' }} password {{ '}}' }}"
|
|
inputs:
|
|
fields:
|
|
- type: "string"
|
|
id: "password"
|
|
label: "Password"
|
|
secret: true
|
|
register: custom_vault_cred_type
|
|
|
|
- name: Create a credential of the custom type
|
|
awx.awx.credential:
|
|
credential_type: "{{ custom_vault_cred_type.id }}"
|
|
controller_host: "{{ awx_host }}"
|
|
controller_username: admin
|
|
controller_password: "{{ admin_password }}"
|
|
|
|
validate_certs: false
|
|
name: Credential From Vault
|
|
inputs: {}
|
|
organization: Default
|
|
register: custom_credential
|
|
|
|
- name: Use the Vault Credential For the new credential
|
|
awx.awx.credential_input_source:
|
|
input_field_name: password
|
|
target_credential: "{{ custom_credential.id }}"
|
|
source_credential: "{{ vault_cred.id }}"
|
|
controller_host: "{{ awx_host }}"
|
|
controller_username: admin
|
|
controller_password: "{{ admin_password }}"
|
|
|
|
validate_certs: false
|
|
metadata:
|
|
auth_path: ""
|
|
secret_backend: "my_engine"
|
|
secret_key: "my_key"
|
|
secret_path: "/my_root/my_folder"
|
|
secret_version: ""
|