author | John Westcott IV <john.westcott.iv@redhat.com> | 2023-04-13 21:02:08 +0200 |
committer | John Westcott IV <john.westcott.iv@redhat.com> | 2023-04-13 21:02:08 +0200 |
commit | 8719648ff56e06a1cbd6eee14d06f04323e8b787 (patch) | |
tree | b56ec95ba6199ed65450539149b554441a4c3374 /tools/docker-compose | |
parent | Fixes #13402 allow user defined key retrieval from CYBR (#13411) (diff) | |
Adding tacacs+ container for testing
Diffstat (limited to 'tools/docker-compose')
4 files changed, 71 insertions, 0 deletions
diff --git a/tools/docker-compose/README.md b/tools/docker-compose/README.md
index b450398ee0..e071f33923 100644
--- a/tools/docker-compose/README.md
+++ b/tools/docker-compose/README.md
@@ -244,6 +244,7 @@ $ make docker-compose
 - [SAML and OIDC Integration](#saml-and-oidc-integration)
 - [OpenLDAP Integration](#openldap-integration)
 - [Splunk Integration](#splunk-integration)
+- [tacacs+ Integration](#tacacs+-integration)
 ### Start a Shell
@@ -472,6 +473,29 @@ ansible-playbook tools/docker-compose/ansible/plumb_splunk.yml
 Once the playbook is done running Splunk should now be setup in your development environment. You can log into the admin console (see above for username/password) and click on "Searching and Reporting" in the left hand navigation. In the search box enter `source="http:tower_logging_collections"` and click search.
+### - tacacs+ Integration
+
+tacacs+ is an networking protocol that provides external authentication which can be used with AWX. This section describes how to build a reference tacacs+ instance and plumb it with your AWX for testing purposes.
+
+First, be sure that you have the awx.awx collection installed by running `make install_collection`.
+
+Anytime you want to run a tacacs+ instance alongside AWX we can start docker-compose with the TACACS option to get a containerized instance with the command:
+```bash
+TACACS=true make docker-compose
+```
+
+Once the containers come up a new port (49) should be exposed and the tacacs+ server should be running on those ports.
+
+Now we are ready to configure and plumb tacacs+ with AWX. To do this we have provided a playbook which will:
+* Backup and configure the tacacsplus adapter in AWX. NOTE: this will back up your existing settings but the password fields can not be backed up through the API, you need a DB backup to recover this.
+
+```bash
+export CONTROLLER_USERNAME=<your username>
+export CONTROLLER_PASSWORD=<your password>
+ansible-playbook tools/docker-compose/ansible/plumb_tacacs.yml
+```
+
+Once the playbook is done running tacacs+ should now be setup in your development environment. This server has the accounts listed on https://hub.docker.com/r/dchidell/docker-tacacs
 ### Prometheus and Grafana integration
diff --git a/tools/docker-compose/ansible/plumb_tacacs.yml b/tools/docker-compose/ansible/plumb_tacacs.yml
new file mode 100644
index 0000000000..c7dcbe5e22
--- /dev/null
+++ b/tools/docker-compose/ansible/plumb_tacacs.yml
@@ -0,0 +1,32 @@
+---
+- name: Plumb a tacacs+ instance
+ hosts: localhost
+ connection: local
+ gather_facts: False
+ vars:
+ awx_host: "https://localhost:8043"
+ tasks:
+ - name: Load existing and new tacacs+ settings
+ set_fact:
+ existing_tacacs: "{{ lookup('awx.awx.controller_api', 'settings/tacacsplus', host=awx_host, verify_ssl=false) }}"
+ new_tacacs: "{{ lookup('template', 'tacacsplus_settings.json.j2') }}"
+
+ - name: Display existing tacacs+ configuration
+ debug:
+ msg:
+ - "Here is your existing tacacsplus configuration for reference:"
+ - "{{ existing_tacacs }}"
+
+ - pause:
+ prompt: "Continuing to run this will replace your existing tacacs settings (displayed above). They will all be captured. Be sure that is backed up before continuing"
+
+ - name: Write out the existing content
+ copy:
+ dest: "../_sources/existing_tacacsplus_adapter_settings.json"
+ content: "{{ existing_tacacs }}"
+
+ - name: Configure AWX tacacs+ adapter
+ awx.awx.settings:
+ settings: "{{ new_tacacs }}"
+ controller_host: "{{ awx_host }}"
+ validate_certs: False
diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
index 7badd37181..6bc49347b2 100644
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -175,6 +175,14 @@ services:
 depends_on:
 - prometheus
 {% endif %}
+{% if enable_tacacs|bool %}
+ tacacs:
+ image: dchidell/docker-tacacs
+ container_name: tools_tacacs_1
+ hostname: tacacs
+ ports:
+ - "49:49"
+{% endif %}
 # A useful container that simply passes through log messages to the console
 # helpful for testing awx/tower logging
 # logstash:
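Review bot: The pause prompt tells the operator that the existing settings "will all be captured", but the README hunk in this same commit says the password fields cannot be read back through the API, so the JSON the copy task writes to `../_sources/existing_tacacsplus_adapter_settings.json` will, per the README, not hold a recoverable `TACACSPLUS_SECRET`; the prompt should say that instead, e.g. `prompt: "Continuing will replace your existing tacacs settings (displayed above). Non-secret fields are written to _sources/existing_tacacsplus_adapter_settings.json; the shared secret cannot be retrieved via the API, so take a DB backup first if you need it"`. Both `verify_ssl=false` in the controller_api lookup and `validate_certs: False` on the settings task turn off certificate checking; that is expected for the self-signed dev listener at `https://localhost:8043`, but a one-line comment such as `# dev-only: the docker-compose listener uses a self-signed cert` would stop it being copied into playbooks aimed at real controllers. As a point of style, `gather_facts: False` and `validate_certs: False` use capitalised booleans where the rest of the file uses lowercase (`verify_ssl=false`); yamllint's truthy rule wants `false`.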
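Review bot: `ports: - "49:49"` publishes the test TACACS+ listener on every host interface, while AWX only needs to reach it over the compose network by the service name `tacacs` (which is what the settings template points at); binding to loopback, `- "127.0.0.1:49:49"`, keeps a test authentication server that ships with a fixed shared secret off the LAN without changing the plumb playbook or the README's "port 49 should be exposed" statement. The `{% if enable_tacacs|bool %}` guard assumes `enable_tacacs` is always defined; the variable's default and the `TACACS=true` wiring the README describes are outside this diffstat (limited to tools/docker-compose), so if no role default sets it, rendering would fail on an undefined variable — worth confirming a `false` default exists next to the flag that guards the prometheus block above.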
diff --git a/tools/docker-compose/ansible/templates/tacacsplus_settings.json.j2 b/tools/docker-compose/ansible/templates/tacacsplus_settings.json.j2
new file mode 100644
index 0000000000..fe9dd8c391
--- /dev/null
+++ b/tools/docker-compose/ansible/templates/tacacsplus_settings.json.j2
@@ -0,0 +1,7 @@
+{
+ "TACACSPLUS_HOST": "tacacs",
+ "TACACSPLUS_PORT": 49,
+ "TACACSPLUS_SECRET": "ciscotacacskey",
+ "TACACSPLUS_SESSION_TIMEOUT": 5,
+ "TACACSPLUS_AUTH_PROTOCOL": "ascii"
+}
|
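Review bot: The file is a `.j2` template but contains no Jinja expressions, so the shared secret `ciscotacacskey` (presumably the container image's built-in key) and the host/port are fixed in tracked source; rendering them from variables with defaults, e.g. `"TACACSPLUS_SECRET": "{{ tacacs_secret | default('ciscotacacskey') }}"`, lets a developer point AWX at a container configured with a different key without editing a committed file and makes it explicit that the value is a test fixture rather than a production secret. `"TACACSPLUS_PORT": 49` is correctly numeric and matches the `"49:49"` mapping in the compose template; if the compose port were ever rebound to loopback only, this host/port pair still works because AWX reaches the service over the compose network.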