Refactor docker-compose vault for TLS cert auth

Add TLS configuration to the docker-compose Vault configuration and use that method by default in vault plumbing. This ensures that the result of bringing up the docker-compose stack with vault enabled and running the plumb-vault playbook is a fully working credential retrieval setup using TLS client cert authentication. Signed-off-by: Andrew Austin <[email protected]>
ansible · Nov 3, 2023 · f4117fe · f4117fe
1 parent 61b3f62
commit f4117fe
Show file tree

Hide file tree

Showing 9 changed files with 109 additions and 10 deletions.
diff --git a/tools/docker-compose/ansible/plumb_vault.yml b/tools/docker-compose/ansible/plumb_vault.yml
@@ -2,6 +2,8 @@
 - name: Plumb AWX for Vault
   hosts: localhost
   gather_facts: False
+  vars:
+    awx_host: "https://127.0.0.1:8043"
   tasks:
     - include_role:
         name: vault

diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -30,6 +30,24 @@ ldap_public_key_file: '{{ ldap_cert_dir }}/{{ ldap_public_key_file_name }}'
 ldap_private_key_file: '{{ ldap_cert_dir }}/{{ ldap_private_key_file_name }}'
 ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
 
+# Hashicorp Vault
+enable_vault: false
+hashivault_cert_dir: '{{ sources_dest }}/vault_certs'
+hashivault_server_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=tools-vault-1"
+hashivault_server_cert_extensions:
+  - "subjectAltName = DNS:tools_vault_1, DNS:localhost"
+  - "keyUsage = digitalSignature, nonRepudiation"
+  - "extendedKeyUsage = serverAuth"
+hashivault_client_cert_extensions:
+  - "subjectAltName = DNS:awx-vault-client"
+  - "keyUsage = digitalSignature, nonRepudiation"
+  - "extendedKeyUsage = serverAuth, clientAuth"
+hashivault_client_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=awx-vault-client"
+hashivault_server_public_keyfile: '{{ hashivault_cert_dir }}/server.crt'
+hashivault_server_private_keyfile: '{{ hashivault_cert_dir }}/server.key'
+hashivault_client_public_keyfile: '{{ hashivault_cert_dir }}/client.crt'
+hashivault_client_private_keyfile: '{{ hashivault_cert_dir }}/client.key'
+
 # Metrics
 enable_splunk: false
 enable_grafana: false

diff --git a/tools/docker-compose/ansible/roles/sources/tasks/main.yml b/tools/docker-compose/ansible/roles/sources/tasks/main.yml
@@ -101,6 +101,10 @@
   include_tasks: ldap.yml
   when: enable_ldap | bool
 
+- name: Include vault TLS tasks if enabled
+  include_tasks: vault.yml
+  when: enable_vault | bool
+
 - name: Render Docker-Compose
   template:
     src: docker-compose.yml.j2

diff --git a/tools/docker-compose/ansible/roles/sources/tasks/vault.yml b/tools/docker-compose/ansible/roles/sources/tasks/vault.yml
@@ -0,0 +1,22 @@
+---
+- name: Create Hashicorp Vault cert directory
+  file:
+    path: "{{ hashivault_cert_dir }}"
+    state: directory
+
+- name: Generate vault server certificate
+  command: 'openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out {{ hashivault_server_public_keyfile }} -keyout {{ hashivault_server_private_keyfile }} -subj "{{ hashivault_server_cert_subject }}"{% for ext in hashivault_server_cert_extensions %} -addext "{{ ext }}"{% endfor %}'
+  args:
+    creates: "{{ hashivault_server_public_keyfile }}"
+
+- name: Generate vault test client certificate
+  command: 'openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out {{ hashivault_client_public_keyfile }} -keyout {{ hashivault_client_private_keyfile }} -subj "{{ hashivault_client_cert_subject }}"{% for ext in hashivault_client_cert_extensions %} -addext "{{ ext }}"{% endfor %}'
+  args:
+    creates: "{{ hashivault_client_public_keyfile }}"
+
+- name: Set mode for vault certificates
+  ansible.builtin.file:
+    path: "{{ hashivault_cert_dir }}"
+    recurse: true
+    state: directory
+    mode: 0777
diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -261,10 +261,11 @@ services:
     ports:
       - "1234:1234"
     environment:
-      VAULT_LOCAL_CONFIG: '{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:1234", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}'
+      VAULT_LOCAL_CONFIG: '{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:1234", "tls_disable": false, "tls_cert_file": "/vault/tls/server.crt", "tls_key_file": "/vault/tls/server.key"}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}'
     cap_add:
       - IPC_LOCK
     volumes:
+      - '../../docker-compose/_sources/vault_certs:/vault/tls'
       - 'hashicorp_vault_data:/vault/file'
 {% endif %}
 

diff --git a/tools/docker-compose/ansible/roles/vault/defaults/main.yml b/tools/docker-compose/ansible/roles/vault/defaults/main.yml
@@ -1,2 +1,6 @@
 ---
 vault_file: "{{ sources_dest }}/secrets/vault_init.yml"
+admin_password_file: "{{ sources_dest }}/secrets/admin_password.yml"
+vault_server_cert: "{{ sources_dest }}/vault_certs/server.crt"
+vault_client_cert: "{{ sources_dest }}/vault_certs/client.crt"
+vault_client_key: "{{ sources_dest }}/vault_certs/client.key"
diff --git a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
@@ -16,7 +16,8 @@
         command: vault operator init
         container: tools_vault_1
         env:
-          VAULT_ADDR: "http://127.0.0.1:1234"
+          VAULT_ADDR: "https://127.0.0.1:1234"
+          VAULT_SKIP_VERIFY: "true"
       register: vault_initialization
 
     - name: Write out initialization file
@@ -36,11 +37,33 @@
         name: vault
         tasks_from: unseal.yml
 
+    - name: Create a cert auth mount
+      flowerysong.hvault.write:
+        path: "sys/auth/cert"
+        vault_addr: "https://localhost:1234"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        data:
+          type: "cert"
+
+    - name: Configure client certificate
+      flowerysong.hvault.write:
+        path: "auth/cert/certs/awx-client"
+        vault_addr: "https://localhost:1234"
+        validate_certs: false
+        token: "{{ Initial_Root_Token }}"
+        data:
+          name: awx-client
+          certificate: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}') }}"
+          policies:
+            - root
+
     - name: Create an engine
       flowerysong.hvault.engine:
         path: "my_engine"
         type: "kv"
-        vault_addr: "http://localhost:1234"
+        vault_addr: "https://localhost:1234"
+        validate_certs: false
         token: "{{ Initial_Root_Token }}"
       register: engine
 
@@ -50,7 +73,8 @@
         key: "my_folder"
         value:
           my_key: "this_is_the_secret_value"
-        vault_addr: "http://localhost:1234"
+        vault_addr: "https://localhost:1234"
+        validate_certs: false
         token: "{{ Initial_Root_Token }}"
 
   always:

diff --git a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
@@ -3,27 +3,40 @@
   include_vars:
     file: "{{ vault_file }}"
 
+- name: Get AWX admin password
+  include_vars:
+    file: "{{ admin_password_file }}"
+
 - name: Create a HashiCorp Vault Credential
   awx.awx.credential:
     credential_type: HashiCorp Vault Secret Lookup
     name: Vault Lookup Cred
     organization: Default
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
     inputs:
       api_version: "v1"
-      cacert: ""
-      default_auth_path: "approle"
+      cacert: "{{ lookup('ansible.builtin.file', '{{ vault_server_cert }}') }}"
+      default_auth_path: "cert"
       kubernetes_role: ""
       namespace: ""
-      role_id: ""
-      secret_id: ""
+      client_cert_public: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}') }}"
+      client_cert_private: "{{ lookup('ansible.builtin.file', '{{ vault_client_key }}') }}"
       token: "{{ Initial_Root_Token }}"
-      url: "http://tools_vault_1:1234"
+      url: "https://tools_vault_1:1234"
   register: vault_cred
 
 - name: Create a custom credential type
   awx.awx.credential_type:
     name: Vault Custom Cred Type
     kind: cloud
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+
+    validate_certs: false
     injectors:
       extra_vars:
         the_secret_from_vault: "{{ '{{' }} password {{ '}}' }}"
@@ -38,6 +51,11 @@
 - name: Create a credential of the custom type
   awx.awx.credential:
     credential_type: "{{ custom_vault_cred_type.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+
+    validate_certs: false
     name: Credential From Vault
     inputs: {}
     organization: Default
@@ -48,6 +66,11 @@
     input_field_name: password
     target_credential: "{{ custom_credential.id }}"
     source_credential: "{{ vault_cred.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+
+    validate_certs: false
     metadata:
       auth_path: ""
       secret_backend: "my_engine"

diff --git a/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml b/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml
@@ -5,7 +5,8 @@
 
 - name: Unseal the vault
   flowerysong.hvault.seal:
-    vault_addr: "http://localhost:1234"
+    vault_addr: "https://localhost:1234"
+    validate_certs: false
     state: unsealed
     key: "{{ item }}"
   loop: