Satellite Compute Resource Provider Password Update
Sometimes you may have an environment with strict requirements where even technical (service) accounts have to be rotated regularly by a privileged account manager (CyberArk etc.). That means any technical account used by a service has to stay in sync with the privileged account manager. This post shows how to keep the Compute Resource provider password on Satellite updated regularly, which is required if you provision your RHEL systems to virtualization platforms (oVirt, VMware etc.) via Satellite.
Assumption:
There is a single source of truth from which passwords can be fetched. For this example, the single source of truth is HashiCorp Vault: an external script fetches the password from the privileged account manager and writes/updates the secret in Vault.
The playbook can update any number of compute resource providers across different Satellite instances.
You can access the Github repo.
Install Ansible Collection for Foreman
In order to interact with the Foreman API from Ansible, the necessary collection must be installed. You can install it with ansible-galaxy:
[user@rhel84 ~]$ ansible-galaxy collection install theforeman.foreman
Process install dependency map
Starting collection install process
Installing 'theforeman.foreman:3.7.0' to '/home/user/.ansible/collections/ansible_collections/theforeman/foreman'
---
# 'Satellite' is used interchangeably with 'Foreman'
- hosts: localhost
  connection: local
  gather_facts: False
  vars:
    # export VAULT_ADDR before running the playbook
    # (the hashi_vault lookup reads VAULT_ADDR/VAULT_TOKEN from the environment itself;
    # these two vars only document the dependency)
    hashi_vault_addr: "{{ lookup('env', 'VAULT_ADDR') }}"
    # export VAULT_TOKEN before running the playbook
    hashi_vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"
    compute_profile:
      address:
        - url: "https://satellite1"
          foreman_user: "secret/test/sat1:foreman_user"
          foreman_password: "secret/test/sat1:foreman_password"
          profiles:
            # 'name' must match the compute resource name in Satellite
            # 'vault_secret' is the HashiCorp Vault secret location (v2), written as 'path:key'
            - name: "cp1_1"
              vault_secret: "secret/test/sat1:cp1_1"
            - name: "cp1_2"
              vault_secret: "secret/test/sat1:cp1_2"
        - url: "https://satellite2"
          foreman_user: "secret/test/sat2:foreman_user"
          foreman_password: "secret/test/sat2:foreman_password"
          profiles:
            - name: "cp2_1"
              vault_secret: "secret/test/sat2:cp2_1"
  tasks:
    - name: compute resource debug
      # Prints the fetched usernames and passwords in clear text to the console and to any
      # job log; keep it for a first dry run only and remove it (or set no_log: true) afterwards.
      debug:
        # v2 (KV version 2 secrets engine)
        #msg: "{{ item.0.url }} --- {{ lookup('hashi_vault', 'secret={}:data'.format(item.0.foreman_user))['value'] }} --- {{ lookup('hashi_vault', 'secret={}:data'.format(item.0.foreman_password))['value'] }} --- {{ item.1.name }} --- {{ lookup('hashi_vault', 'secret={}:data'.format(item.1.vault_secret))['value'] }}"
        # v1 (KV version 1 secrets engine)
        msg: "{{ item.0.url }} --- {{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_user)) }} --- {{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_password)) }} --- {{ item.1.name }} --- {{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.1.vault_secret)) }}"
      with_subelements:
        - "{{ compute_profile.address }}"
        - profiles
    - name: update vmware compute resource
      theforeman.foreman.compute_resource:
        name: "{{ item.1.name }}"
        description: "Ansible Managed - Last update: {{ lookup('pipe', 'date +%Y%m%dT%H%M%S') }}"
        # Disables TLS verification against Satellite (the Vault lookups do the same with
        # validate_certs=False); outside a lab, trust the CA bundle instead of turning this off.
        validate_certs: no
        provider: vmware
        provider_params:
          # the rotated provider (vCenter) password, fetched from Vault per compute resource
          password: "{{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.1.vault_secret)) }}"
        server_url: "{{ item.0.url }}"
        # Satellite API credentials, fetched from Vault per Satellite instance
        username: "{{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_user)) }}"
        password: "{{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_password)) }}"
        state: present
      with_subelements:
        - "{{ compute_profile.address }}"
        - profiles
# user$ /data/projects/experiments $ ansible-playbook update_cp.yaml
# [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
# PLAY [localhost] *****************************************************************************************************************************************************************************************************************************************************************
# TASK [compute resource debug] ****************************************************************************************************************************************************************************************************************************************************
# ok: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_1', 'vault_secret': 'secret/test/sat1:cp1_1'}]) => {
# "msg": "https://satellite1 --- ansibletest --- ansibletest --- cp1_1 --- passcp1_1"
# }
# ok: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_2', 'vault_secret': 'secret/test/sat1:cp1_2'}]) => {
# "msg": "https://satellite1 --- ansibletest --- ansibletest --- cp1_2 --- passcp1_2"
# }
# ok: [localhost] => (item=[{'url': 'https://satellite2', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp2_1', 'vault_secret': 'secret/test/sat2:cp2_1'}]) => {
# "msg": "https://satellite2 --- ansibletest --- ansibletest --- cp2_1 --- passcp2_1"
# }
# TASK [update vmware compute resource] ********************************************************************************************************************************************************************************************************************************************
# changed: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_1', 'vault_secret': 'secret/test/sat1:cp1_1'}])
# changed: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_2', 'vault_secret': 'secret/test/sat1:cp1_2'}])
# changed: [localhost] => (item=[{'url': 'https://satellite2', 'foreman_user': 'secret/test/sat2:foreman_user', 'foreman_password': 'secret/test/sat2:foreman_password'}, {'name': 'cp2_1', 'vault_secret': 'secret/test/sat2:cp2_1'}])
# PLAY RECAP ***********************************************************************************************************************************************************************************************************************************************************************
# localhost : ok=3 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
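The playbook leaves the KV v1 and v2 lookups side by side (one commented out) without showing why they differ. The added example below, which is not part of the original post or repo, walks the same `compute_profile` structure the way `with_subelements` does, turns each `path:key` string into the Vault HTTP API path for KV v1 or v2, and reads the key from the differently nested response bodies; the Vault responses are constructed stand-ins, and `resolve`, `fetch` and the other names are this example's own.

```python
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed sample in the shape of the playbook's `compute_profile` var (one Satellite, two providers).
COMPUTE_PROFILE = {"address": [{
    "url": "https://satellite1",
    "foreman_user": "secret/test/sat1:foreman_user",
    "foreman_password": "secret/test/sat1:foreman_password",
    "profiles": [{"name": "cp1_1", "vault_secret": "secret/test/sat1:cp1_1"},
                 {"name": "cp1_2", "vault_secret": "secret/test/sat1:cp1_2"}],
}]}

# Constructed stand-ins for the KV mount, keyed by HTTP API path, using the real response shapes:
# KV v1 puts the key/value pairs directly under "data"; KV v2 nests them one level deeper.
_SECRETS = {"foreman_user": "ansibletest", "foreman_password": "ansibletest",
            "cp1_1": "passcp1_1", "cp1_2": "passcp1_2"}
FAKE_VAULT_V1 = {"/v1/secret/test/sat1": {"data": dict(_SECRETS)}}
FAKE_VAULT_V2 = {"/v1/secret/data/test/sat1": {"data": {"data": dict(_SECRETS), "metadata": {"version": 3}}}}

def vault_api_path(spec: str, kv_version: int) -> Tuple[str, str]:
    """Split the playbook's 'mount/path:key' lookup string into the KV HTTP API path and the key.
    KV v2 reads go through '<mount>/data/<path>'; '/v1/' is the Vault API version, not the KV version."""
    path, _, key = spec.partition(":")
    if not key:
        raise ValueError(f"missing ':key' in {spec!r}")
    if kv_version == 2:
        mount, _, rest = path.partition("/")
        path = f"{mount}/data/{rest}"
    return f"/v1/{path}", key

def extract_secret(response: Dict, key: str, kv_version: int) -> str:
    """Pick one key out of a KV read response, honouring the v1/v2 nesting difference."""
    data = response["data"]["data"] if kv_version == 2 else response["data"]
    return data[key]

def subelements(compute_profile: Dict) -> Iterator[Tuple[Dict, Dict]]:
    """Mirror Ansible's with_subelements: yield one (address, profile) pair per provider entry."""
    for address in compute_profile["address"]:
        for profile in address["profiles"]:
            yield address, profile

def resolve(compute_profile: Dict, fetch: Callable[[str], Dict], kv_version: int) -> List[Dict]:
    """Build, per compute resource, the parameters the compute_resource task needs.
    `fetch` maps an API path to the parsed JSON body (a real client would GET it with the token)."""
    def secret(spec: str) -> str:
        api_path, key = vault_api_path(spec, kv_version)
        return extract_secret(fetch(api_path), key, kv_version)
    return [{"server_url": a["url"], "name": p["name"],
             "username": secret(a["foreman_user"]), "password": secret(a["foreman_password"]),
             "provider_password": secret(p["vault_secret"])} for a, p in subelements(compute_profile)]
```

Running `resolve` against the v1 and the v2 stand-in yields identical task parameters, which is the point: only the path and the response nesting change between engine versions, and a lookup written for the wrong one fails on the path, not on the credentials.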