author | Andrew Austin <acaustin@summerpanic.com> | 2023-12-06 20:12:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-06 20:12:15 +0100 |
commit | 6aa2997dcec6516bbfab427fcbdb17474644d605 (patch) | |
tree | 7569342eca7a0a29be06e2dc7e20449aee465605 /Makefile | |
parent | separate tox calls in readthedocs config (#14673) (diff) | |
download | awx-6aa2997dcec6516bbfab427fcbdb17474644d605.tar.xz awx-6aa2997dcec6516bbfab427fcbdb17474644d605.zip |
Add TLS certificate auth for HashiCorp Vault (#14534)
* Add TLS certificate auth for HashiCorp Vault
Add support for AWX to authenticate with HashiCorp Vault using
TLS client certificates.
Also updates the documentation for the HashiCorp Vault secret management
plugins to include both the new TLS options and the missing Kubernetes
auth method options.
Signed-off-by: Andrew Austin <aaustin@redhat.com>
* Refactor docker-compose vault for TLS cert auth
Add TLS configuration to the docker-compose Vault configuration and
use that method by default in vault plumbing.
This ensures that the result of bringing up the docker-compose stack
with vault enabled and running the plumb-vault playbook is a fully
working credential retrieval setup using TLS client cert authentication.
Signed-off-by: Andrew Austin <aaustin@redhat.com>
* Remove incorrect trailing space
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
* Make vault init idempotent
- improve error handling for vault_initialization
- ignore error if vault cert auth is already configured
- removed unused register
* Add VAULT_TLS option
Make TLS for HashiCorp Vault optional and configurable via VAULT_TLS env var
* Add retries for vault init
Sometimes it takes longer for vault to fully come up and init will fail
---------
Signed-off-by: Andrew Austin <aaustin@redhat.com>
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
Co-authored-by: Hao Liu <haoli@redhat.com>
Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -43,6 +43,8 @@ PROMETHEUS ?= false GRAFANA ?= false # If set to true docker-compose will also start a hashicorp vault instance VAULT ?= false +# If set to true docker-compose will also start a hashicorp vault instance with TLS enabled +VAULT_TLS ?= false # If set to true docker-compose will also start a tacacs+ instance TACACS ?= false @@ -528,13 +530,15 @@ docker-compose-sources: .git/hooks/pre-commit -e enable_prometheus=$(PROMETHEUS) \ -e enable_grafana=$(GRAFANA) \ -e enable_vault=$(VAULT) \ + -e vault_tls=$(VAULT_TLS) \ -e enable_tacacs=$(TACACS) \ $(EXTRA_SOURCES_ANSIBLE_OPTS) docker-compose: awx/projects docker-compose-sources ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml; ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \ - -e enable_vault=$(VAULT); + -e enable_vault=$(VAULT) \ + -e vault_tls=$(VAULT_TLS); $(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_OPTS) up $(COMPOSE_UP_OPTS) --remove-orphans docker-compose-credential-plugins: awx/projects docker-compose-sources |
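Review bot: the comment on the new `VAULT_TLS` variable in the first hunk is misleading: `VAULT_TLS` on its own does not start a vault instance, it only enables TLS on the instance that `VAULT=true` starts, so the two flags have to be read together. Suggest rewording to something like `# If VAULT is true, also configure the vault instance with TLS (client certificate auth)` and stating that `VAULT_TLS=true` without `VAULT=true` has no effect. Also, the commit message says the docker-compose vault plumbing uses TLS cert auth by default, while `VAULT_TLS ?= false` makes the non-TLS path the default; one of the two should be reconciled so developers know which setup they get.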
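Review bot: in the second hunk the new playbook variable is named `vault_tls`, which breaks the `enable_vault` / `enable_prometheus` / `enable_tacacs` naming used on the neighbouring `-e` lines; consider `enable_vault_tls` so the variables passed to docker-compose-sources and initialize_containers.yml stay predictable. There is also no guard for `VAULT_TLS=true` combined with `VAULT=false`; either the playbook should treat that as a no-op or the Makefile should fail early with a clear message. Adjacent context rather than part of this change: `ansible-galaxy install --ignore-certs` in the docker-compose target disables certificate verification for collection downloads, which sits oddly in a change whose purpose is TLS client certificate auth and is worth a follow-up.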