manintheit.org
Posts Tags Categories Gallery
manintheit.org

Contents

Satellite Compute Resource Provider Password Update

 included in Security
   594 words   3 minutes 

Satellite Compute Resource Provider Password Update

Sometimes you may have an environment with strict requirements that even technical accounts have to be rotated by Privilege account manager(Cyberark etc.) regularly. That means any technical account used by the service has to be in-sync with the Privilege account manager. For this post, it will be shown you how to Compute Resource provider password updated regularly on Satellite, which is required if you are provisioning your RHEL systems to Virtualization Platforms(oVirt, vmWare etc.) via Satellite.

Assumption:

There is a single source of truth that passwords can be fetched from. For this example, our single source of truth is the HashiCorp Vault. So, the external script fetches a password from Privilige account manager and populates/updates secrets into the Vault.

The playbook is capable of updating any number of compute resource provider in different satellite instances.

You can access the Github repo.

Install Ansible Collection for Foreman

In order to interact with the Foreman API using Ansible, necessary collection must be installed. You can install it using ansible-galaxy

[user@rhel84 ~]$ ansible-galaxy collection install theforeman.foreman
Process install dependency map
Starting collection install process
Installing 'theforeman.foreman:3.7.0' to '/home/user/.ansible/collections/ansible_collections/theforeman/foreman'

---
# 'Satellite' is used interchangeably with 'Foreman'
- hosts:  localhost
  connection: local
  gather_facts: False
  vars:
    # export VAULT_ADDR before running the playbok
    hashi_vault_addr: "{{ lookup('env', 'VAULT_ADDR') }}"
    # export VAULT_TOKEN before running the playbok
    hashi_vault_token: "{{ lookup('env', 'VAULT_TOKEN')  }}"
    compute_profile:
      address:
      - url: "https://satellite1"
        foreman_user: "secret/test/sat1:foreman_user"
        foreman_password: "secret/test/sat1:foreman_password"
        profiles:
        # 'name' must be match the compute profiles in Satellite
        # 'vault_secret' is the hashi corp secret location (v2)
          - name: "cp1_1"
            vault_secret: "secret/test/sat1:cp1_1"
          - name: "cp1_2"
            vault_secret: "secret/test/sat1:cp1_2"
      - url:  "https://satellite2"
        foreman_user: "secret/test/sat2:foreman_user"
        foreman_password: "secret/test/sat2:foreman_password"
        profiles:
          - name: "cp2_1"
            vault_secret: "secret/test/sat2:cp2_1"
  tasks:
    - name:  compute resource debug
      debug:
        # v2
        #msg: "{{ item.0.url }} --- {{ lookup('hashi_vault', 'secret={}:data'.format(item.0.foreman_user))['value'] }} --- {{ lookup('hashi_vault', 'secret={}:data'.format(item.0.foreman_password))['value'] }} --- {{ item.1.name }} --- {{ lookup('hashi_vault', 'secret={}:data'.format(item.1.vault_secret))['value'] }}"
        # v1
        msg: "{{ item.0.url }} --- {{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_user)) }} --- {{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_password)) }} --- {{ item.1.name }} --- {{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.1.vault_secret)) }}"
      with_subelements:
      - "{{ compute_profile.address }}"
      - profiles

    - name: update vmware compute resource
      theforeman.foreman.compute_resource:
        name: "{{ item.1.name }}"
        description: "Ansible Managed - Last update: {{ lookup('pipe', 'date +%Y%m%dT%H%M%S') }}"
        validate_certs: no
        provider: vmware
        provider_params:
          password: "{{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.1.vault_secret)) }}"
        server_url: "{{ item.0.url }}"
        username: "{{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_user)) }}"
        password: "{{ lookup('hashi_vault', 'secret={} validate_certs=False'.format(item.0.foreman_password)) }}"
        state: present
      with_subelements:
      - "{{ compute_profile.address }}"
      - profiles

# user$ /data/projects/experiments $ ansible-playbook update_cp.yaml
# [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

# PLAY [localhost] *****************************************************************************************************************************************************************************************************************************************************************

# TASK [compute resource debug] ****************************************************************************************************************************************************************************************************************************************************
# ok: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_1', 'vault_secret': 'secret/test/sat1:cp1_1'}]) => {
#     "msg": "https://satellite1 --- ansibletest --- ansibletest --- cp1_1 --- passcp1_1"
# }
# ok: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_2', 'vault_secret': 'secret/test/sat1:cp1_2'}]) => {
#     "msg": "https://satellite1 --- ansibletest --- ansibletest --- cp1_2 --- passcp1_2"
# }
# ok: [localhost] => (item=[{'url': 'https://satellite2', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp2_1', 'vault_secret': 'secret/test/sat2:cp2_1'}]) => {
#     "msg": "https://satellite2 --- ansibletest --- ansibletest --- cp2_1 --- passcp2_1"
# }

# TASK [update vmware compute resource] ********************************************************************************************************************************************************************************************************************************************
# changed: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_1', 'vault_secret': 'secret/test/sat1:cp1_1'}])
# changed: [localhost] => (item=[{'url': 'https://satellite1', 'foreman_user': 'secret/test/sat1:foreman_user', 'foreman_password': 'secret/test/sat1:foreman_password'}, {'name': 'cp1_2', 'vault_secret': 'secret/test/sat1:cp1_2'}])
# changed: [localhost] => (item=[{'url': 'https://satellite2', 'foreman_user': 'secret/test/sat2:foreman_user', 'foreman_password': 'secret/test/sat2:foreman_password'}, {'name': 'cp2_1', 'vault_secret': 'secret/test/sat2:cp2_1'}])

# PLAY RECAP ***********************************************************************************************************************************************************************************************************************************************************************
# localhost                  : ok=3    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Updated on 2022-11-11
 Security
Back | Home