update docs with new flags/new credentials
thedoubl3j committed Feb 9, 2024
1 parent 3741480 commit ade553b
Showing 5 changed files with 63 additions and 21 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -539,7 +539,7 @@ docker-compose: awx/projects docker-compose-sources
ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
-e enable_vault=$(VAULT) \
-e vault_tls=$(VAULT_TLS) \
-e enable_ldap=$(LDAP);
-e enable_ldap=$(LDAP);
$(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_OPTS) up $(COMPOSE_UP_OPTS) --remove-orphans

docker-compose-credential-plugins: awx/projects docker-compose-sources
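Review bot: the `-e enable_ldap=$(LDAP);` line renders identically before and after, so this is a whitespace-only edit (tab/space or trailing whitespace); the commit message only mentions docs and credentials, so a word about why the Makefile recipe changed would help the next reader. The trailing `;` on the last `-e` argument is harmless in the recipe line.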
47 changes: 44 additions & 3 deletions tools/docker-compose/README.md
Expand Up @@ -538,13 +538,15 @@ To create a secret connected to this vault in AWX you can run the following play
```bash
export CONTROLLER_USERNAME=<your username>
export CONTROLLER_PASSWORD=<your password>
ansible-playbook tools/docker-compose/ansible/plumb_vault.yml
ansible-playbook tools/docker-compose/ansible/plumb_vault.yml -e enable_ldap=false
```

This will create the following items in your AWX instance:
* A credential called `Vault Lookup Cred` tied to the vault instance.
* A credential called `Vault UserPass Lookup Cred` tied to the vault instance.
* A custom credential type called `Vault Custom Cred Type`.
* A credential called `Credential From Vault` which is of the created type using the `Vault Lookup Cred` to get the password.
* A credential called `Credential From HashiCorp Vault via Token Auth` which is of the created type using the `Vault Lookup Cred` to get the secret.
* A credential called `Credential From HashiCorp Vault via UserPass Auth` which is of the created type using the `Vault Userpass Lookup Cred` to get the secret.

The custom credential type adds a variable when used in a playbook called `the_secret_from_vault`.
If you have a playbook like:
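Review bot: the credential names in this list are spelled inconsistently: the bullet creates `Vault UserPass Lookup Cred`, but the `Credential From HashiCorp Vault via UserPass Auth` bullet says it uses `Vault Userpass Lookup Cred`. Someone searching the AWX UI by name will miss it; use one spelling. Also, the plumb command now carries `-e enable_ldap=false`; a sentence stating that the extra var is required (and that the LDAP section sets it to `true`) would stop readers from dropping it.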
@@ -559,7 +561,46 @@ If you have a playbook like:
var: the_secret_from_vault
```

And run it through AWX with the credential `Credential From Vault` tied to it, the debug should result in `this_is_the_secret_value`
And run it through AWX with the credential `Credential From Vault via Token Auth` tied to it, the debug should result in `this_is_the_secret_value`. If you run it through AWX with the credential `Credential From Vault via Userpass Auth`, the debug should result in `this_is_the_userpass_secret_value`.

### HashiVault with LDAP

If you wish to have your OpenLDAP container connected to the Vault container, you will first need to have the OpenLDAP container running alongside AWX and Vault.


```bash
VAULT=true LDAP=true make docker-compose
```

Similar to the above, you will need to unseal the vault before we can run the other needed playbooks.

```bash
ansible-playbook tools/docker-compose/ansible/unseal_vault.yml
```

Now that the vault is unsealed, we can plumb the vault container now while passing true to enable_ldap extra var.


```bash
export CONTROLLER_USERNAME=<your username>
export CONTROLLER_PASSWORD=<your password>
ansible-playbook tools/docker-compose/ansible/plumb_vault.yml -e enable_ldap=true
```

This will populate your AWX instance with LDAP specific items.

- A vault LDAP Lookup Cred tied to the LDAP `awx_ldap_vault` user called `Vault LDAP Lookup Cred`
- A credential called `Credential From HashiCorp Vault via LDAP Auth` which is of the created type using the `Vault LDAP Lookup Cred` to get the secret.

And run it through AWX with the credential `Credential From HashiCorp Vault via LDAP Auth` tied to it, the debug should result in `this_is_the_ldap_secret_value`.

The extremely non-obvious input is the fact that the fact prefixes "data/" unexpectedly.
This was discovered by inspecting the secret with the vault CLI, which may help with future troubleshooting.
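Review bot: the credential names in this prose do not match the list above: here they are `Credential From Vault via Token Auth` and `Credential From Vault via Userpass Auth`, while the bullets name them `Credential From HashiCorp Vault via Token Auth` and `... via UserPass Auth`. The LDAP section already uses the full `Credential From HashiCorp Vault via LDAP Auth` form, so aligning the token and userpass sentences with the bullets is the smaller change. In the LDAP section, "And run it through AWX ..." follows the bullet list with nothing naming the playbook it refers to, and the closing paragraph ("the fact that the fact prefixes "data/"") is hard to parse; say which value gets `data/` prepended and by what (the secret path in the lookup?), since that is the troubleshooting hint the paragraph exists to give. The double blank lines before the `VAULT=true LDAP=true make docker-compose` and `export CONTROLLER_USERNAME` fences can be collapsed to one.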
27 changes: 14 additions & 13 deletions tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2
Expand Up @@ -41,19 +41,6 @@ objectClass: inetOrgPerson
givenName: awx
userPassword: unpriv123

{% if enable_ldap|bool and enable_vault|bool %}
dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org
mail: vault@example.org
sn: LdapVaultAdmin
cn: {{ vault_ldap_username }}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {{ vault_ldap_password }}
givenName: awx
{% endif %}

dn: ou=groups,dc=example,dc=org
ou: groups
objectClass: top
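Review bot: removing the vault user block here leaves two consecutive blank lines between the `userPassword: unpriv123` entry and `dn: ou=groups,dc=example,dc=org`; one is enough. The entry reappears at the end of the file, so nothing is lost, but the commit message does not say why it moves; the `changetype: add` it gains in the new location suggests the file is now fed through an ldapmodify-style path, and that is worth stating.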
@@ -96,3 +83,17 @@ cn: awx_org_admins
objectClass: top
objectClass: groupOfNames
member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org

{% if enable_ldap|bool and enable_vault|bool %}
dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org
changetype: add
mail: vault@example.org
sn: LdapVaultAdmin
cn: {{ vault_ldap_username }}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {{ vault_ldap_password }}
givenName: awx
{% endif %}
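Review bot: `changetype: add` appears only on this entry; every other entry in the file (for example `cn: awx_org_admins` just above) has none. With `ldapadd` (or `ldapmodify -a`) the line is redundant, and with plain `ldapmodify` the entries lacking it are rejected, so the file should use one convention throughout. The parent `ou=users,dc=example,dc=org` is created earlier in the file, so the later position of this entry is safe. `userPassword: {{ vault_ldap_password }}` is written in clear like the other development accounts in this template; acceptable for the compose stack, as long as the variable stays a dev-only default.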
6 changes: 3 additions & 3 deletions tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
Expand Up @@ -101,7 +101,7 @@
validate_certs: false
token: "{{ Initial_Root_Token }}"
data:
type: "ldap"
type: "ldap"
register: vault_auth_ldap
changed_when: vault_auth_ldap.result.errors | default([]) | length == 0
failed_when:
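Review bot: the `type: "ldap"` line renders the same before and after, so this is an indentation change. In YAML the indentation decides whether `type` is a child of `data:` or a sibling of it; if it became a sibling, the auth-enable request goes out with an empty `data` body and `type` becomes an unexpected top-level task key. Please confirm the new line is indented one level deeper than `data:`. Separately, these tasks keep `validate_certs: false` while the Makefile exposes a `VAULT_TLS` option; gating it on the same `vault_tls` variable would let the TLS path actually be exercised.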
@@ -196,7 +196,7 @@
validate_certs: false
token: "{{ Initial_Root_Token }}"
data:
type: "userpass"
type: "userpass"
register: vault_auth_userpass
changed_when: vault_auth_userpass.result.errors | default([]) | length == 0
failed_when:
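Review bot: same indentation question as the ldap hunk: `type: "userpass"` must stay nested under `data:`. The `register`/`changed_when`/`failed_when` pattern is duplicated verbatim between the ldap and userpass tasks; looping over the two auth methods would keep them from drifting apart.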
@@ -212,7 +212,7 @@
data:
password: "{{ vault_userpass_password }}"
policies:
- "userpass_engine"
- "userpass_engine"

always:
- name: Stop the vault
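Review bot: for the `policies:` list, `- "userpass_engine"` indented under the key and flush with it parse to the same YAML, so this hunk is a pure style change; fine, provided the new indentation matches the rest of the file.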
2 changes: 1 addition & 1 deletion tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
Expand Up @@ -173,4 +173,4 @@
secret_backend: "userpass_engine"
secret_key: "my_key"
secret_path: "userpass_root/userpass_secret"
secret_version: ""
secret_version: ""
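Review bot: the hunk covers the last four lines of the file with an unchanged-looking `secret_version: ""`, which points to a newline-at-end-of-file or trailing-whitespace fix; fine. An empty `secret_version` presumably means "latest"; a short comment saying so would save the next reader a trip to the lookup plugin's docs, and once the secret is a real one, pinning a version is the safer default for this lookup.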