|
Packit Service |
0a38ef |
Vault module
|
|
Packit Service |
0a38ef |
===================
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Description
|
|
Packit Service |
0a38ef |
-----------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
The vault module allows to ensure presence and absence of vault and members of vaults.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Features
|
|
Packit Service |
0a38ef |
--------
|
|
Packit Service |
0a38ef |
* Vault management
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Supported FreeIPA Versions
|
|
Packit Service |
0a38ef |
--------------------------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Requirements
|
|
Packit Service |
0a38ef |
------------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
**Controller**
|
|
Packit Service |
0a38ef |
* Ansible version: 2.8+
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
**Node**
|
|
Packit Service |
0a38ef |
* Supported FreeIPA version (see above)
|
|
Packit Service |
0a38ef |
* KRA service must be enabled
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Usage
|
|
Packit Service |
0a38ef |
=====
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example inventory file
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```ini
|
|
Packit Service |
0a38ef |
[ipaserver]
|
|
Packit Service |
0a38ef |
ipaserver.test.local
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to make sure vault is present (by default, vault type is `symmetric`):
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
- ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
password: SomeVAULTpassword
|
|
Packit Service |
0a38ef |
description: A standard private vault.
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to make sure that a vault and its members are present:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
- ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
username: admin
|
|
Packit Service |
0a38ef |
users: user01
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to make sure that a vault member is present in vault:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
- ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
username: admin
|
|
Packit Service |
0a38ef |
users: user01
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to make sure that a vault owner is absent in vault:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
- ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
username: admin
|
|
Packit Service |
0a38ef |
owner: user01
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
state: absent
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to make sure vault data is present in a symmetric vault:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
- ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
username: admin
|
|
Packit Service |
0a38ef |
password: SomeVAULTpassword
|
|
Packit Service |
0a38ef |
data: >
|
|
Packit Service |
0a38ef |
Data archived.
|
|
Packit Service |
0a38ef |
More data archived.
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
a166ed |
When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
a166ed |
- name: Retrieve data from vault and register it in 'ipavault'
|
|
Packit Service |
a166ed |
ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
username: admin
|
|
Packit Service |
0a38ef |
password: SomeVAULTpassword
|
|
Packit Service |
0a38ef |
state: retrieved
|
|
Packit Service |
a166ed |
no_log: yes
|
|
Packit Service |
a166ed |
register: ipavault
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
- name: Print retrieved data from vault
|
|
Packit Service |
a166ed |
debug:
|
|
Packit Service |
a166ed |
var: ipavault.vault.data
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to make sure vault data is absent in a symmetric vault:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
- ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
username: admin
|
|
Packit Service |
0a38ef |
password: SomeVAULTpassword
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
state: absent
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
a166ed |
Example playbook to change the password of a symmetric:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to handle vaults
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: true
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- ipavault:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: symvault
|
|
Packit Service |
a166ed |
old_password: SomeVAULTpassword
|
|
Packit Service |
a166ed |
new_password: SomeNEWpassword
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
0a38ef |
Example playbook to make sure vault is absent:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle vaults
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
- ipavault:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: symvault
|
|
Packit Service |
0a38ef |
username: admin
|
|
Packit Service |
0a38ef |
state: absent
|
|
Packit Service |
0a38ef |
register: result
|
|
Packit Service |
0a38ef |
- debug:
|
|
Packit Service |
a166ed |
msg: "{{ result.vault.data }}"
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Variables
|
|
Packit Service |
0a38ef |
=========
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
ipavault
|
|
Packit Service |
0a38ef |
-------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Variable | Description | Required
|
|
Packit Service |
0a38ef |
-------- | ----------- | --------
|
|
Packit Service |
0a38ef |
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
|
|
Packit Service |
0a38ef |
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
|
|
Packit Service |
0a38ef |
`name` \| `cn` | The list of vault name strings. | yes
|
|
Packit Service |
0a38ef |
`description` | The vault description string. | no
|
|
Packit Service |
0a38ef |
`nomembers` | Suppress processing of membership attributes. (bool) | no
|
|
Packit Service |
a166ed |
`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
|
|
Packit Service |
a166ed |
`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
|
|
Packit Service |
a166ed |
`new_password` | Vault new password. | no
|
|
Packit Service |
a166ed |
`new_password_file` | File containing Base64 encoded new Vault password. | no
|
|
Packit Service |
a166ed |
`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
|
|
Packit Service |
0a38ef |
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
|
|
Packit Service |
0a38ef |
`private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
|
|
Packit Service |
0a38ef |
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
|
|
Packit Service |
0a38ef |
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
|
|
Packit Service |
0a38ef |
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
|
|
Packit Service |
0a38ef |
`user` \| `username` | Any user can own one or more user vaults. | no
|
|
Packit Service |
0a38ef |
`service` | Any service can own one or more service vaults. | no
|
|
Packit Service |
0a38ef |
`shared` | Vault is shared. Default to false. (bool) | no
|
|
Packit Service |
0a38ef |
`users` | Users that are members of the vault. | no
|
|
Packit Service |
0a38ef |
`groups` | Groups that are member of the vault. | no
|
|
Packit Service |
0a38ef |
`services` | Services that are member of the vault. | no
|
|
Packit Service |
0a38ef |
`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
|
|
Packit Service |
0a38ef |
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
|
|
Packit Service |
0a38ef |
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
|
|
Packit Service |
0a38ef |
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
|
|
Packit Service |
0a38ef |
`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Return Values
|
|
Packit Service |
0a38ef |
=============
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
ipavault
|
|
Packit Service |
0a38ef |
--------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
There is only a return value if `state` is `retrieved`.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Variable | Description | Returned When
|
|
Packit Service |
0a38ef |
-------- | ----------- | -------------
|
|
Packit Service |
a166ed |
`vault` | Vault dict with archived data. (dict) Options: | If `state` is `retrieved` and `out` is not defined.
|
|
Packit Service |
a166ed |
| `data` - The vault data. | Always
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Notes
|
|
Packit Service |
0a38ef |
=====
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
ipavault uses a client context to execute, and it might affect execution time.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Authors
|
|
Packit Service |
0a38ef |
=======
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Rafael Jeffman
|