diff --git a/Makefile b/Makefile
index 87a7cd38a877..e3c392231dfa 100644
--- a/Makefile
+++ b/Makefile
@@ -539,7 +539,7 @@ docker-compose: awx/projects docker-compose-sources
 ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
 -e enable_vault=$(VAULT) \
 -e vault_tls=$(VAULT_TLS) \
- -e enable_ldap=$(LDAP);
+ -e enable_ldap=$(LDAP);
 $(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_OPTS) up $(COMPOSE_UP_OPTS) --remove-orphans
 docker-compose-credential-plugins: awx/projects docker-compose-sources
diff --git a/tools/docker-compose/README.md b/tools/docker-compose/README.md
index d7babd62047b..dbd1a3a00a83 100644
--- a/tools/docker-compose/README.md
+++ b/tools/docker-compose/README.md
@@ -538,13 +538,15 @@ To create a secret connected to this vault in AWX you can run the following play
 ```bash
 export CONTROLLER_USERNAME=
 export CONTROLLER_PASSWORD=
-ansible-playbook tools/docker-compose/ansible/plumb_vault.yml
+ansible-playbook tools/docker-compose/ansible/plumb_vault.yml -e enable_ldap=false
 ```
 This will create the following items in your AWX instance:
 * A credential called `Vault Lookup Cred` tied to the vault instance.
+* A credential called `Vault UserPass Lookup Cred` tied to the vault instance.
 * A custom credential type called `Vault Custom Cred Type`.
-* A credential called `Credential From Vault` which is of the created type using the `Vault Lookup Cred` to get the password.
+* A credential called `Credential From HashiCorp Vault via Token Auth` which is of the created type using the `Vault Lookup Cred` to get the secret.
+* A credential called `Credential From HashiCorp Vault via UserPass Auth` which is of the created type using the `Vault Userpass Lookup Cred` to get the secret.
 The custom credential type adds a variable when used in a playbook called `the_secret_from_vault`. If you have a playbook like:
@@ -559,7 +561,46 @@ If you have a playbook like:
 var: the_secret_from_vault
 ```
-And run it through AWX with the credential `Credential From Vault` tied to it, the debug should result in `this_is_the_secret_value`
+And run it through AWX with the credential `Credential From Vault via Token Auth` tied to it, the debug should result in `this_is_the_secret_value`. If you run it through AWX with the credential `Credential From Vault via Userpass Auth`, the debug should result in `this_is_the_userpass_secret_value`.
+
+### HashiVault with LDAP
+
+If you wish to have your OpenLDAP container connected to the Vault container, you will first need to have the OpenLDAP container running alongside AWX and Vault.
+
+
+```bash
+
+VAULT=true LDAP=true make docker-compose
+
+```
+
+Similar to the above, you will need to unseal the vault before we can run the other needed playbooks.
+
+```bash
+
+ansible-playbook tools/docker-compose/ansible/unseal_vault.yml
+
+```
+
+Now that the vault is unsealed, we can plumb the vault container now while passing true to enable_ldap extra var.
+
+
+```bash
+
+export CONTROLLER_USERNAME=
+
+export CONTROLLER_PASSWORD=
+
+ansible-playbook tools/docker-compose/ansible/plumb_vault.yml -e enable_ldap=true
+
+```
+
+This will populate your AWX instance with LDAP specific items.
+
+- A vault LDAP Lookup Cred tied to the LDAP `awx_ldap_vault` user called `Vault LDAP Lookup Cred`
+- A credential called `Credential From HashiCorp Vault via LDAP Auth` which is of the created type using the `Vault LDAP Lookup Cred` to get the secret.
+
+And run it through AWX with the credential `Credential From HashiCorp Vault via LDAP Auth` tied to it, the debug should result in `this_is_the_ldap_secret_value`. The extremely non-obvious input is the fact that the fact prefixes "data/" unexpectedly. This was discovered by inspecting the secret with the vault CLI, which may help with future troubleshooting.
diff --git a/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2 b/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2
index a4988d729c6f..9deaf836cd61 100644
--- a/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2
@@ -41,19 +41,6 @@ objectClass: inetOrgPerson
 givenName: awx
 userPassword: unpriv123
-{% if enable_ldap|bool and enable_vault|bool %}
-dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org
-mail: vault@example.org
-sn: LdapVaultAdmin
-cn: {{ vault_ldap_username }}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-userPassword: {{ vault_ldap_password }}
-givenName: awx
-{% endif %}
-
 dn: ou=groups,dc=example,dc=org
 ou: groups
 objectClass: top
@@ -96,3 +83,17 @@ cn: awx_org_admins
 objectClass: top
 objectClass: groupOfNames
 member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
+
+{% if enable_ldap|bool and enable_vault|bool %}
+dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org
+changetype: add
+mail: vault@example.org
+sn: LdapVaultAdmin
+cn: {{ vault_ldap_username }}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: {{ vault_ldap_password }}
+givenName: awx
+{% endif %}
diff --git a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
index e01cc95a8761..6168d5497f12 100644
--- a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
@@ -101,7 +101,7 @@
 validate_certs: false
 token: "{{ Initial_Root_Token }}"
 data:
- type: "ldap"
+ type: "ldap"
 register: vault_auth_ldap
 changed_when: vault_auth_ldap.result.errors | default([]) | length == 0
 failed_when:
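Review bot: `userPassword: {{ vault_ldap_password }}` and `cn: {{ vault_ldap_username }}` in the re-added entry are rendered as plain LDIF values, so a password that begins with a space, `:` or `<`, or contains a non-ASCII character or newline, yields a malformed or truncated attribute rather than the intended value; LDIF needs the base64 form for such values, e.g. `userPassword:: {{ vault_ldap_password | b64encode }}`. `changetype: add` is set only on this entry while every other entry in the file has none, which is harmless if the file is fed to ldapadd but would make the others default to modify under ldapmodify; a one-line comment stating which loader the file is written for, or the same form on all entries, would remove the ambiguity. The task that renders this template is outside the hunk; since the rendered file now carries `vault_ldap_password` in clear, confirm it is written with a restrictive `mode`.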
@@ -196,7 +196,7 @@
 validate_certs: false
 token: "{{ Initial_Root_Token }}"
 data:
- type: "userpass"
+ type: "userpass"
 register: vault_auth_userpass
 changed_when: vault_auth_userpass.result.errors | default([]) | length == 0
 failed_when:
@@ -212,7 +212,7 @@
 data:
 password: "{{ vault_userpass_password }}"
 policies:
- - "userpass_engine"
+ - "userpass_engine"
 always:
 - name: Stop the vault
diff --git a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
index fc999bd7d36a..0e87daef6fa5 100644
--- a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
@@ -173,4 +173,4 @@
 secret_backend: "userpass_engine"
 secret_key: "my_key"
 secret_path: "userpass_root/userpass_secret"
- secret_version: ""
\ No newline at end of file
+ secret_version: ""