Diffstat (limited to 'tools/docker-compose/ansible/roles/vault/tasks')
-rw-r--r-- | tools/docker-compose/ansible/roles/vault/tasks/initialize.yml | 68 | ||||
-rw-r--r-- | tools/docker-compose/ansible/roles/vault/tasks/plumb.yml | 50 |
2 files changed, 0 insertions, 118 deletions
diff --git a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
index 8c7230c6d1..ac7d60b8ec 100644
--- a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
@@ -92,74 +92,6 @@
 validate_certs: false
 token: "{{ Initial_Root_Token }}"
- - name: Configure the vault ldap auth
- block:
- - name: Create ldap auth mount
- flowerysong.hvault.write:
- path: "sys/auth/ldap"
- vault_addr: "{{ vault_addr_from_host }}"
- validate_certs: false
- token: "{{ Initial_Root_Token }}"
- data:
- type: "ldap"
- register: vault_auth_ldap
- changed_when: vault_auth_ldap.result.errors | default([]) | length == 0
- failed_when:
- - vault_auth_ldap.result.errors | default([]) | length > 0
- "'path is already in use at ldap/' not in vault_auth_ldap.result.errors | default([])"
-
- - name: Create ldap engine
- flowerysong.hvault.engine:
- path: "ldap_engine"
- type: "kv"
- vault_addr: "{{ vault_addr_from_host }}"
- validate_certs: false
- token: "{{ Initial_Root_Token }}"
-
- - name: Create a ldap secret
- flowerysong.hvault.kv:
- mount_point: "ldap_engine/ldaps_root"
- key: "ldap_secret"
- value:
- my_key: "this_is_the_ldap_secret_value"
- vault_addr: "{{ vault_addr_from_host }}"
- validate_certs: false
- token: "{{ Initial_Root_Token }}"
-
- - name: Configure ldap auth
- flowerysong.hvault.ldap_config:
- vault_addr: "{{ vault_addr_from_host }}"
- validate_certs: false
- token: "{{ Initial_Root_Token }}"
- url: "ldap://ldap:1389"
- binddn: "cn=awx_ldap_vault,ou=users,dc=example,dc=org"
- bindpass: "vault123"
- userdn: "ou=users,dc=example,dc=org"
- deny_null_bind: "false"
- discoverdn: "true"
-
- - name: Create ldap access policy
- flowerysong.hvault.policy:
- vault_addr: "{{ vault_addr_from_host }}"
- validate_certs: false
- token: "{{ Initial_Root_Token }}"
- name: "ldap_engine"
- policy:
- ldap_engine/*: [create, read, update, delete, list]
- sys/mounts:/*: [create, read, update, delete, list]
- sys/mounts: [read]
-
- - name: Add awx_ldap_vault user to auth_method
- flowerysong.hvault.ldap_user:
- vault_addr: "{{ vault_addr_from_host }}"
- validate_certs: false
- token: "{{ Initial_Root_Token }}"
- state: present
- name: "{{ 
vault_ldap_username }}"
- policies:
- - "ldap_engine"
- when: enable_ldap | bool
-
 - name: Create userpass engine
 flowerysong.hvault.engine:
 path: "userpass_engine"
diff --git a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
index 0e87daef6f..f3fc709b84 100644
--- a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
@@ -78,56 +78,6 @@
 secret_path: "/my_root/my_folder"
 secret_version: ""
-- name: Create a HashiCorp Vault Credential for LDAP
- awx.awx.credential:
- credential_type: HashiCorp Vault Secret Lookup
- name: Vault LDAP Lookup Cred
- organization: Default
- controller_host: "{{ awx_host }}"
- controller_username: admin
- controller_password: "{{ admin_password }}"
- validate_certs: false
- inputs:
- api_version: "v1"
- default_auth_path: "ldap"
- kubernetes_role: ""
- namespace: ""
- url: "{{ vault_addr_from_container }}"
- username: "{{ vault_ldap_username }}"
- password: "{{ vault_ldap_password }}"
- register: vault_ldap_cred
- when: enable_ldap | bool
-
-- name: Create a credential from the Vault LDAP Custom Cred Type
- awx.awx.credential:
- credential_type: "{{ custom_vault_cred_type.id }}"
- controller_host: "{{ awx_host }}"
- controller_username: admin
- controller_password: "{{ admin_password }}"
- validate_certs: false
- name: Credential From HashiCorp Vault via LDAP Auth
- inputs: {}
- organization: Default
- register: custom_credential_via_ldap
- when: enable_ldap | bool
-
-- name: Use the Vault LDAP Credential the new credential
- awx.awx.credential_input_source:
- input_field_name: password
- target_credential: "{{ custom_credential_via_ldap.id }}"
- source_credential: "{{ vault_ldap_cred.id }}"
- controller_host: "{{ awx_host }}"
- controller_username: admin
- controller_password: "{{ admin_password }}"
- validate_certs: false
- metadata:
- auth_path: ""
- secret_backend: "ldap_engine"
- secret_key: "my_key"
- secret_path: "ldaps_root/ldap_secret"
- secret_version: ""
- when: enable_ldap | bool
-
 - name: Create a HashiCorp Vault Credential for UserPass
 awx.awx.credential:
 credential_type: HashiCorp Vault Secret Lookup |