awx/tools/docker-compose/ansible/roles/sources/tasks/main.yml
Andrew Austin 6aa2997dce Add TLS certificate auth for HashiCorp Vault (#14534)
* Add TLS certificate auth for HashiCorp Vault

Add support for AWX to authenticate with HashiCorp Vault using
TLS client certificates.

Also updates the documentation for the HashiCorp Vault secret management
plugins to include both the new TLS options and the missing Kubernetes
auth method options.

Signed-off-by: Andrew Austin <aaustin@redhat.com>

* Refactor docker-compose vault for TLS cert auth

Add TLS configuration to the docker-compose Vault configuration and
use that method by default in vault plumbing.

This ensures that the result of bringing up the docker-compose stack
with vault enabled and running the plumb-vault playbook is a fully
working credential retrieval setup using TLS client cert authentication.

Signed-off-by: Andrew Austin <aaustin@redhat.com>

* Remove incorrect trailing space

Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>

* Make vault init idempotent

- improve error handling for vault_initialization
- ignore error if vault cert auth is already configured
- removed unused register

* Add VAULT_TLS option

Make TLS for HashiCorp Vault optional and configurable via VAULT_TLS env var

* Add retries for vault init

Sometimes Vault takes longer to fully come up, and init fails

---------

Signed-off-by: Andrew Austin <aaustin@redhat.com>
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
Co-authored-by: Hao Liu <haoli@redhat.com>
2023-12-06 19:12:15 +00:00


---
# Create the secrets/ and receptor/ subdirectories under sources_dest.
# Mode 0700 restricts both directories to the owning user.
- name: Create _sources directories
  file:
    state: directory
    path: "{{ sources_dest }}/{{ item }}"
    mode: "0700"
  loop:
    - secrets
    - receptor
# For every secret that was not supplied as a variable, stat its file under
# sources_dest/secrets. The results are registered as `secrets` and consumed
# by the generate and include tasks that follow.
- name: Detect secrets
  when: not lookup('vars', item, default='')
  stat:
    path: "{{ sources_dest }}/secrets/{{ item }}.yml"
  loop:
    - pg_password
    - secret_key
    - broadcast_websocket_secret
    - admin_password
  register: secrets
# Render a secret file only when the variable was not passed in AND no file
# exists yet, so existing secrets are never regenerated.
# Mode 0600 keeps each generated file readable by its owner only.
# The loop label prints just the secret's name instead of the full stat result.
- name: Generate secrets if needed
  when: not lookup('vars', item.item, default='') and not item.stat.exists
  template:
    src: secrets.yml.j2
    dest: "{{ sources_dest }}/secrets/{{ item.item }}.yml"
    mode: "0600"
  loop: "{{ secrets.results }}"
  loop_control:
    label: "{{ item.item }}"
# Load each secret file as variables unless the value was passed in explicitly.
# no_log keeps the loaded values out of the task output.
- name: Include generated secrets unless they are explicitly passed in
  when: not lookup('vars', item.item, default='')
  include_vars:
    file: "{{ sources_dest }}/secrets/{{ item.item }}.yml"
  loop: "{{ secrets.results }}"
  no_log: true
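# Write the secret_key value to sources_dest/SECRET_KEY.
# mode is set explicitly: without it the file mode falls back to the umask,
# which can leave the key readable by other local users. 0600 matches the
# other sensitive files this role renders into sources_dest.
# no_log keeps the key itself out of the task output.
- name: Write out SECRET_KEY
  copy:
    content: "{{ secret_key }}"
    dest: "{{ sources_dest }}/SECRET_KEY"
    mode: '0600'
  no_log: true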
# Build custom_error_pages by appending one {error_code, web_path} entry per
# awx/static/custom_<digits>.html file found relative to the playbook.
# The `when` guard skips any globbed file whose basename does not match
# the custom_<digits>.html pattern.
- name: Find custom error pages
  when: (item | basename()) is regex("custom_\d+\.html")
  vars:
    new_error_page:
      web_path: "{{ item | regex_replace('^.*/static', '/static') }}"
      error_code: "{{ item | basename() | regex_replace('custom_(\\d+).html', '\\1') }}"
  set_fact:
    custom_error_pages: "{{ (custom_error_pages | default([])) + [new_error_page] }}"
  loop: "{{ lookup('ansible.builtin.fileglob', playbook_dir + '/../../../awx/static/custom_*.html', wantlist=True) }}"
# Render each <name>.j2 template to sources_dest/<name>.
# Mode 0600 limits the rendered settings files to the owner.
- name: Render configuration templates
  template:
    dest: "{{ sources_dest }}/{{ item }}"
    src: "{{ item }}.j2"
    mode: "0600"
  loop:
    - database.py
    - local_settings.py
    - websocket_secret.py
    - haproxy.cfg
    - nginx.conf
    - nginx.locations.conf
# Capture the "Operating System" line of `docker info` as os_info.
# The pipe is why this goes through the shell module.
# Read-only query, so it never reports a change.
- name: Get OS info for sdb
  shell:
    cmd: |
      docker info | grep 'Operating System'
  changed_when: false
  register: os_info
# Record the numeric UID of the user running the playbook as current_user.
# Read-only query, so it never reports a change.
- name: Get user UID
  shell:
    cmd: id -u
  changed_when: false
  register: current_user
# Expose the UID captured in current_user as the fact user_id.
# The value is deliberately wrapped in literal single quotes, so user_id
# is the quoted string '<uid>' rather than a bare number.
- name: Set fact with user UID
  set_fact:
    user_id: "'{{ current_user.stdout }}'"
# Default awx_image_tag to the contents of the repository VERSION file
# when the caller did not define it.
- name: Set global version if not provided
  when: awx_image_tag is not defined
  set_fact:
    awx_image_tag: "{{ lookup('file', playbook_dir + '/../../../VERSION') }}"
# Generate the RSA private key used for work signing (only when sign_work
# is truthy). `creates` makes the task a no-op once the key file exists,
# so an existing key is never overwritten.
# NOTE(review): no file mode is set on the private key here; the resulting
# permissions depend on openssl and the umask. Confirm they are owner-only.
- name: Generate Private RSA key for signing work
  when: sign_work | bool
  command:
    cmd: openssl genrsa -out {{ work_sign_private_keyfile }} {{ receptor_rsa_bits }}
    creates: "{{ work_sign_private_keyfile }}"
# Derive the PEM public key from the work-signing private key (only when
# sign_work is truthy). `creates` skips the task once the public key exists.
- name: Generate public RSA key for signing work
  when: sign_work | bool
  command:
    cmd: openssl rsa -in {{ work_sign_private_keyfile }} -out {{ work_sign_public_keyfile }} -outform PEM -pubout
    creates: "{{ work_sign_public_keyfile }}"
# Pull in ldap.yml only when enable_ldap is truthy.
- name: Include LDAP tasks if enabled
  when: enable_ldap | bool
  include_tasks: ldap.yml
# Pull in vault_tls.yml only when enable_vault is truthy.
- name: Include vault TLS tasks if enabled
  when: enable_vault | bool
  include_tasks: vault_tls.yml
# Render the compose file to sources_dest/<compose_name>, owner-only (0600).
- name: Render Docker-Compose
  template:
    dest: "{{ sources_dest }}/{{ compose_name }}"
    src: "docker-compose.yml.j2"
    mode: "0600"
# Render one receptor-awx-<n>.conf per control plane node, numbered from 1
# to control_plane_node_count, each owner-only (0600).
- name: Render Receptor Config(s) for Control Plane
  template:
    dest: "{{ sources_dest }}/receptor/receptor-awx-{{ item }}.conf"
    src: receptor-awx.conf.j2
    mode: "0600"
  with_sequence: "start=1 end={{ control_plane_node_count }}"
# Touch a receptor-awx-<n>.conf.lock file next to each control plane config,
# owner-only (0600). `state: touch` reports a change on every run.
- name: Create Receptor Config Lock File
  file:
    state: touch
    path: "{{ sources_dest }}/receptor/receptor-awx-{{ item }}.conf.lock"
    mode: "0600"
  with_sequence: "start=1 end={{ control_plane_node_count }}"
# Render one receptor-awx-<n>.conf per control plane node, owner-only (0600).
# NOTE(review): this has the same name, template, destination and loop as the
# task that precedes the lock-file step, so it looks redundant. Confirm
# whether the repeat is intentional.
- name: Render Receptor Config(s) for Control Plane
  template:
    dest: "{{ sources_dest }}/receptor/receptor-awx-{{ item }}.conf"
    src: receptor-awx.conf.j2
    mode: "0600"
  with_sequence: "start=1 end={{ control_plane_node_count }}"
# Render the hop node config, owner-only (0600), only when at least one
# execution node is requested.
- name: Render Receptor Hop Config
  when: execution_node_count | int > 0
  template:
    dest: "{{ sources_dest }}/receptor/receptor-hop.conf"
    src: receptor-hop.conf.j2
    mode: "0600"
# Render one receptor-worker-<n>.conf per execution node, owner-only (0600).
# The sequence end falls back to 1 when execution_node_count is not positive,
# so the sequence stays valid; the `when` guard then skips the task.
- name: Render Receptor Worker Config(s)
  when: execution_node_count | int > 0
  template:
    dest: "{{ sources_dest }}/receptor/receptor-worker-{{ item }}.conf"
    src: receptor-worker.conf.j2
    mode: "0600"
  with_sequence: "start=1 end={{ execution_node_count if execution_node_count | int > 0 else 1}}"
# Render prometheus.yml into sources_dest when enable_prometheus is truthy.
# NOTE(review): unlike the other files this role renders, no mode is set
# here, so the file mode falls back to the umask. Confirm that is intentional
# (for example, so the consuming container's user can read it).
- name: Render prometheus config
  when: enable_prometheus|bool
  template:
    dest: "{{ sources_dest }}/prometheus.yml"
    src: prometheus.yml.j2