Issue
In order to improve my AWX management for my team, I'm currently trying to configure HashiCorp Vault credentials, but I'm having some errors and doubts.
Usually, in the Ansible projects I run from a Debian server, I'm used to setting up Vault secrets using a lookup like this (works in a vars file or within vars:):
### Vault configuration
# Token obtained beforehand by an AppRole login and exported as $VAULT_ANSIBLE
ansible_hashi_vault_token: "{{ lookup('env', 'VAULT_ANSIBLE') }}"
# Read the KV v2 secret 'my_secret' from the 'kv/' mount with that token
my_secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', token=ansible_hashi_vault_token) }}"
#### Credentials (Ansible service account) ####
# vault_kv2_get returns the secret's key/values under 'secret'
ansible_user: "{{ my_secret.secret.ansible_user_from_vault }}"
Ansible will look for an environment variable called 'VAULT_ANSIBLE', which holds the token returned by an AppRole login to my Vault server. This allows running playbooks without writing any token in the code.
Now, after adding the project in AWX, I'm trying to make the Vault part work:
I created a credential of type HashiCorp Vault Secret Lookup, as you can see here. I simply added the Server URL + Token for testing.
When I click on Test, no matter which secret I want to retrieve, I always get this error.
Here are my questions:
- Which log file can give me more information about the credential/API call to Vault?
- Is there anything I'm missing for this particular configuration? I tried to add my root CA in the corresponding field, but still got the same error.
- Is there a proper way/another way to use a Vault lookup within AWX?
I saw on many forums that people are creating custom credential types, then using an injector to use the Vault lookup.
Thanks a lot for your help, Gael
EDIT 12/12/2023: Found the logs (using kubectl logs my-pod) corresponding to the credential test. It seems to be a Django Bad Request, but I don't know how to investigate that:
2023-12-12 14:40:40,628 WARNING [4fdf7cfc36804499b34fa50a28369fb7] awx.api.generics status 400 received by user admin attempting to access /api/v2/credentials/5/test/ from 10.10.10.10
2023-12-12 14:40:40,635 WARNING [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
2023-12-12 14:40:40,635 WARNING [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
10.10.10.10 - - [12/Dec/2023:14:40:40 +0000] "POST /api/v2/credentials/5/test/ HTTP/1.1" 400 21 "https://my-awx.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" "10.230.173.133"
[pid: 23|app: 0|req: 228/1089] 172.20.245.206 () {72 vars in 2440 bytes} [Tue Dec 12 14:40:40 2023] POST /api/v2/credentials/5/test/ => generated 21 bytes in 76 msecs (HTTP/1.1 400) 14 headers in 598 bytes (1 switches on core 0)
Solution
After many tests and much troubleshooting, I finally ended up with a working solution:
- I provided the root + intermediate certificates as a PEM file in the credential settings (be careful to have the correct certs, in the correct order, in PEM format: intermediate + root).
- From this, the error moved from SSLError to HTTP 404.
- After some more tests, the setting that made it work was this one.
I performed some other tests without a certificate and got an SSLError every time.
Conclusion: you should provide your custom CA, as content or as a file, in the credential settings.
Answered By - motorbass
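To make the two failure modes in this answer (SSLError until the CA bundle is right, then HTTP 404 until the secret path is right) and the AppRole token flow from the question concrete, here is an added example written for this page. It is not the poster's code and not AWX's own lookup implementation; it reproduces, with only the Python standard library, the AppRole login that produces the token behind $VAULT_ANSIBLE and the KV v2 read that the AWX credential test performs, with the custom CA bundle enforced. The server name vault.example.net, the bundle path /etc/ssl/vault-chain.pem, the 'kv/' mount, the secret name 'my_secret', the role/secret ids and the SAMPLE_* response bodies are all assumptions or constructed data.

```python
"""Added example (not the original poster's code, not AWX's own code):
AppRole login + KV v2 read against Vault over TLS with a custom CA bundle,
distinguishing the TLS failure from the path (404) failure seen in the thread.
Server name, CA file, mount, secret name and ids are assumptions."""
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample bodies, shaped like Vault's real JSON responses.
SAMPLE_LOGIN_BODY = b'{"auth": {"client_token": "hvs.CAESIexample", "lease_duration": 3600}}'
SAMPLE_KV2_BODY = (b'{"data": {"data": {"ansible_user_from_vault": "svc-ansible"},'
                   b' "metadata": {"version": 3}}}')


def approle_login_request(server_url, role_id, secret_id):
    """URL and JSON payload for POST /v1/auth/approle/login."""
    url = f"{server_url.rstrip('/')}/v1/auth/approle/login"
    payload = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return url, payload


def token_from_login(body: bytes) -> str:
    """The client token that is later exported as $VAULT_ANSIBLE."""
    return json.loads(body)["auth"]["client_token"]


def kv2_url(server_url, mount, path):
    """KV v2 read endpoint. Note the '/data/' segment between mount and path:
    the KV v1 form ('/v1/kv/my_secret') against a v2 mount, or a wrong mount
    or secret name, is answered by Vault with HTTP 404, not an auth error."""
    return f"{server_url.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"


def parse_kv2(body: bytes) -> dict:
    """Key/values of a KV v2 read (nested under data.data)."""
    return json.loads(body)["data"]["data"]


def classify(exc: Exception) -> str:
    """Map the failure modes from the thread to a diagnosis.
    urllib wraps handshake errors in URLError(reason=SSLError)."""
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, ssl.SSLError):
        return "tls: CA bundle missing or wrong (PEM, intermediate then root)"
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code == 404:
            return "path: TLS ok; mount point, secret path or KV API version wrong"
        if exc.code == 403:
            return "auth: token has no policy for this path"
        return f"http: unexpected status {exc.code}"
    return "other: " + repr(exc)


def vault_call(url, cafile, token=None, data=None):
    """One HTTPS request with certificate verification pinned to cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # SSLError on a malformed PEM
    headers = {"X-Vault-Token": token} if token else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


def main():
    server, cafile = "https://vault.example.net", "/etc/ssl/vault-chain.pem"  # assumptions
    try:
        url, payload = approle_login_request(server, "ROLE_ID", "SECRET_ID")
        token = token_from_login(vault_call(url, cafile, data=payload))
        secret = parse_kv2(vault_call(kv2_url(server, "kv/", "my_secret"), cafile, token))
        print("ansible_user =", secret["ansible_user_from_vault"])
    except OSError as exc:  # SSLError, URLError and HTTPError are all OSError
        print(classify(exc))


if __name__ == "__main__":
    main()
```

Run it from a host that trusts nothing but the bundle you intend to paste into AWX; if it reports "tls", the bundle is the problem, if it reports "path", TLS is fine and the mount point, secret path or KV API version in the credential is wrong. To see what is actually in the bundle, `openssl storeutl -noout -text vault-chain.pem | grep -E 'Subject:|Issuer:'` prints each certificate's subject and issuer in file order, which makes an inverted or incomplete intermediate + root chain obvious.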