start awx automation for vault demo and move ldap

ansible · Feb 9, 2024 · 3741480 · 3741480
1 parent a74c9c2
commit 3741480
Show file tree

Hide file tree

Showing 7 changed files with 192 additions and 56 deletions.
diff --git a/Makefile b/Makefile
@@ -538,7 +538,8 @@ docker-compose: awx/projects docker-compose-sources
 	ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml;
 	ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
 	    -e enable_vault=$(VAULT) \
-	    -e vault_tls=$(VAULT_TLS);
+	    -e vault_tls=$(VAULT_TLS) \
+		-e enable_ldap=$(LDAP);
 	$(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_OPTS) up $(COMPOSE_UP_OPTS) --remove-orphans
 
 docker-compose-credential-plugins: awx/projects docker-compose-sources

diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -34,6 +34,7 @@ ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
 enable_vault: false
 vault_tls: false
 hashivault_cert_dir: '{{ sources_dest }}/vault_certs'
+hashivault_vars_file: '../vault/defaults/main.yml'
 hashivault_server_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=tools-vault-1"
 hashivault_server_cert_extensions:
   - "subjectAltName = DNS:tools_vault_1, DNS:localhost"

diff --git a/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml b/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml
@@ -7,12 +7,15 @@
     - "{{ ldap_cert_dir }}"
     - "{{ ldap_diff_dir }}"
 
+- name: include vault vars
+  include_vars: "{{ hashivault_vars_file }}"
+
 - name: General LDAP cert
   command: 'openssl req -new -x509 -days 365 -nodes -out {{ ldap_public_key_file }} -keyout {{ ldap_private_key_file }} -subj "{{ ldap_cert_subject }}"'
   args:
     creates: "{{ ldap_public_key_file }}"
 
 - name: Copy ldap.diff
-  copy:
-    src: "ldap.ldif"
+  ansible.builtin.template:
+    src: "ldap.ldif.j2"
     dest: "{{ ldap_diff_dir }}/ldap.ldif"
diff --git a/...ose/ansible/roles/sources/files/ldap.ldif → ...ible/roles/sources/templates/ldap.ldif.j2 b/...ose/ansible/roles/sources/files/ldap.ldif → ...ible/roles/sources/templates/ldap.ldif.j2
@@ -41,6 +41,19 @@ objectClass: inetOrgPerson
 givenName: awx
 userPassword: unpriv123
 
+{% if enable_ldap|bool and enable_vault|bool %}
+dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org
+mail: vault@example.org
+sn: LdapVaultAdmin
+cn: {{ vault_ldap_username }}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: {{ vault_ldap_password }}
+givenName: awx
+{% endif %}
+
 dn: ou=groups,dc=example,dc=org
 ou: groups
 objectClass: top
@@ -83,4 +96,3 @@ cn: awx_org_admins
 objectClass: top
 objectClass: groupOfNames
 member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
-
diff --git a/tools/docker-compose/ansible/roles/vault/defaults/main.yml b/tools/docker-compose/ansible/roles/vault/defaults/main.yml
@@ -1,7 +1,12 @@
 ---
 vault_file: "{{ sources_dest }}/secrets/vault_init.yml"
 admin_password_file: "{{ sources_dest }}/secrets/admin_password.yml"
-vault_cert_dir: '{{ sources_dest }}/vault_certs'
+vault_cert_dir: "{{ sources_dest }}/vault_certs"
 vault_server_cert: "{{ vault_cert_dir }}/server.crt"
 vault_client_cert: "{{ vault_cert_dir }}/client.crt"
 vault_client_key: "{{ vault_cert_dir }}/client.key"
+ldap_ldif: "{{ sources_dest }}/ldap.ldifs/ldap.ldif"
+vault_ldap_username: "awx_ldap_vault"
+vault_ldap_password: "vault123"
+vault_userpass_username: "awx_userpass_admin"
+vault_userpass_password: "userpass123"
diff --git a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
@@ -116,10 +116,12 @@
             validate_certs: false
             token: "{{ Initial_Root_Token }}"
 
-        - name: Create userpass engine
-          flowerysong.hvault.engine:
-            path: "userpass_engine"
-            type: "kv"
+        - name: Create a ldap secret
+          flowerysong.hvault.kv:
+            mount_point: "ldap_engine/ldaps_root"
+            key: "ldap_secret"
+            value:
+              my_key: "this_is_the_ldap_secret_value"
             vault_addr: "{{ vault_addr_from_host }}"
             validate_certs: false
             token: "{{ Initial_Root_Token }}"
@@ -130,8 +132,8 @@
             validate_certs: false
             token: "{{ Initial_Root_Token }}"
             url: "ldap://ldap:1389"
-            binddn: "cn=awx_ldap_admin,ou=users,dc=example,dc=org"
-            bindpass: "admin123"
+            binddn: "cn=awx_ldap_vault,ou=users,dc=example,dc=org"
+            bindpass: "vault123"
             userdn: "ou=users,dc=example,dc=org"
             deny_null_bind: "false"
             discoverdn: "true"
@@ -147,52 +149,70 @@
               sys/mounts:/*: [create, read, update, delete, list]
               sys/mounts: [read]
 
-        - name: Create userpass access policy
-          flowerysong.hvault.policy:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            name: "userpass_engine"
-            policy:
-              userpass_engine/*: [create, read, update, delete, list]
-              sys/mounts:/*: [create, read, update, delete, list]
-              sys/mounts: [read]
-
-        - name: Add awx_ldap_admin user to auth_method
+        - name: Add awx_ldap_vault user to auth_method
           flowerysong.hvault.ldap_user:
             vault_addr: "{{ vault_addr_from_host }}"
             validate_certs: false
             token: "{{ Initial_Root_Token }}"
             state: present
-            name: "awx_ldap_admin"
+            name: "{{ vault_ldap_username }}"
             policies:
               - "ldap_engine"
+      when: enable_ldap | bool
 
-        - name: Create userpass auth mount
-          flowerysong.hvault.write:
-            path: "sys/auth/userpass"
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            data:
-                type: "userpass"
-          register: vault_auth_userpass
-          changed_when: vault_auth_userpass.result.errors | default([]) | length == 0
-          failed_when:
-            - vault_auth_userpass.result.errors | default([]) | length > 0
-            - "'path is already in use at userpass/' not in vault_auth_userpass.result.errors | default([])"
-
+    - name: Create userpass engine
+      flowerysong.hvault.engine:
+        path: "userpass_engine"
+        type: "kv"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
 
-        - name: Add awx_userpass_admin user to auth_method
-          flowerysong.hvault.write:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            path: "auth/userpass/users/awx_userpass_admin"
-            data:
-              password: "admin123"
-              policies:
-                  - "userpass_engine"
+    - name: Create a userpass secret
+      flowerysong.hvault.kv:
+        mount_point: "userpass_engine/userpass_root"
+        key: "userpass_secret"
+        value:
+          my_key: "this_is_the_userpass_secret_value"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+
+    - name: Create userpass access policy
+      flowerysong.hvault.policy:
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        name: "userpass_engine"
+        policy:
+          userpass_engine/*: [create, read, update, delete, list]
+          sys/mounts:/*: [create, read, update, delete, list]
+          sys/mounts: [read]
+
+    - name: Create userpass auth mount
+      flowerysong.hvault.write:
+        path: "sys/auth/userpass"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        data:
+            type: "userpass"
+      register: vault_auth_userpass
+      changed_when: vault_auth_userpass.result.errors | default([]) | length == 0
+      failed_when:
+        - vault_auth_userpass.result.errors | default([]) | length > 0
+        - "'path is already in use at userpass/' not in vault_auth_userpass.result.errors | default([])"
+
+    - name: Add awx_userpass_admin user to auth_method
+      flowerysong.hvault.write:
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        path: "auth/userpass/users/{{ vault_userpass_username }}"
+        data:
+          password: "{{ vault_userpass_password }}"
+          policies:
+              - "userpass_engine"
 
   always:
     - name: Stop the vault

diff --git a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
@@ -38,7 +38,6 @@
     controller_host: "{{ awx_host }}"
     controller_username: admin
     controller_password: "{{ admin_password }}"
-
     validate_certs: false
     injectors:
       extra_vars:
@@ -51,32 +50,127 @@
           secret: true
   register: custom_vault_cred_type
 
-- name: Create a credential of the custom type
+- name: Create a credential of the custom type for token auth
   awx.awx.credential:
     credential_type: "{{ custom_vault_cred_type.id }}"
     controller_host: "{{ awx_host }}"
     controller_username: admin
     controller_password: "{{ admin_password }}"
-
     validate_certs: false
-    name: Credential From Vault
+    name: Credential From HashiCorp Vault via Token Auth
     inputs: {}
     organization: Default
-  register: custom_credential
+  register: custom_credential_via_token
 
-- name: Use the Vault Credential For the new credential
+- name: Use the Token Vault Credential For the new credential
   awx.awx.credential_input_source:
     input_field_name: password
-    target_credential: "{{ custom_credential.id }}"
+    target_credential: "{{ custom_credential_via_token.id }}"
     source_credential: "{{ vault_cred.id }}"
     controller_host: "{{ awx_host }}"
     controller_username: admin
     controller_password: "{{ admin_password }}"
-
     validate_certs: false
     metadata:
       auth_path: ""
       secret_backend: "my_engine"
       secret_key: "my_key"
       secret_path: "/my_root/my_folder"
       secret_version: ""
+
+- name: Create a HashiCorp Vault Credential for LDAP
+  awx.awx.credential:
+    credential_type: HashiCorp Vault Secret Lookup
+    name: Vault LDAP Lookup Cred
+    organization: Default
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
+    inputs:
+      api_version: "v1"
+      default_auth_path: "ldap"
+      kubernetes_role: ""
+      namespace: ""
+      url: "{{ vault_addr_from_container }}"
+      username: "{{ vault_ldap_username }}"
+      password: "{{ vault_ldap_password }}"
+  register: vault_ldap_cred
+  when: enable_ldap | bool
+
+- name: Create a credential from the Vault LDAP Custom Cred Type
+  awx.awx.credential:
+    credential_type: "{{ custom_vault_cred_type.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
+    name: Credential From HashiCorp Vault via LDAP Auth
+    inputs: {}
+    organization: Default
+  register: custom_credential_via_ldap
+  when: enable_ldap | bool
+
+- name: Use the Vault LDAP Credential  the new credential
+  awx.awx.credential_input_source:
+    input_field_name: password
+    target_credential: "{{ custom_credential_via_ldap.id }}"
+    source_credential: "{{ vault_ldap_cred.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
+    metadata:
+      auth_path: ""
+      secret_backend: "ldap_engine"
+      secret_key: "my_key"
+      secret_path: "ldaps_root/ldap_secret"
+      secret_version: ""
+  when: enable_ldap | bool
+
+- name: Create a HashiCorp Vault Credential for UserPass
+  awx.awx.credential:
+    credential_type: HashiCorp Vault Secret Lookup
+    name: Vault UserPass Lookup Cred
+    organization: Default
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
+    inputs:
+      api_version: "v1"
+      default_auth_path: "userpass"
+      kubernetes_role: ""
+      namespace: ""
+      url: "{{ vault_addr_from_container }}"
+      username: "{{ vault_userpass_username }}"
+      password: "{{ vault_userpass_password }}"
+  register: vault_userpass_cred
+
+- name: Create a credential from the Vault UserPass Custom Cred Type
+  awx.awx.credential:
+    credential_type: "{{ custom_vault_cred_type.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
+    name: Credential From HashiCorp Vault via UserPass Auth
+    inputs: {}
+    organization: Default
+  register: custom_credential_via_userpass
+
+- name: Use the Vault UserPass Credential  the new credential
+  awx.awx.credential_input_source:
+    input_field_name: password
+    target_credential: "{{ custom_credential_via_userpass.id }}"
+    source_credential: "{{ vault_userpass_cred.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
+    metadata:
+      auth_path: ""
+      secret_backend: "userpass_engine"
+      secret_key: "my_key"
+      secret_path: "userpass_root/userpass_secret"
+      secret_version: ""