Regarding your docker issue; IPA expects more than just a file and a config directory, you can check the source code for ipaclient, the cli and the modules it imports, you'll see a large amount of checks it's using to find out if the install is OK and working.
If you just want to use a few specific things, you are probably better off using the REST API and writing a normal localised client yourself. For authentication you can then use username+password or a kerberos keytab.
Yes, this is what we are using now, to access the Vault... we mount a keytab for IPA
service and use it with REST API (username/password is not an option, we don't want to
save it in a file for unattended usage... although keytab is not too much more secure, but
it's still better). So it works, but using the ipa client for this would be more
convenient than implementing our own wrapper. We only need the vault-related commands.
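Added example of the keytab-plus-API approach described above (not code from this thread or from FreeIPA itself): kinit from a mounted keytab, a SPNEGO session login, and a JSON-RPC call with IPA-level error checking. Note that `ipa vault-retrieve` is implemented client-side in ipaclient on top of the server's `vault_retrieve_internal` (it wraps a session key with the vault transport certificate), so a wrapper that reads secrets has to reproduce that step as well; this block only shows the plumbing, using `vault_show`. Server name, keytab path, principal, vault name and API version are placeholders, and `requests_gssapi` is an assumed third-party dependency.

```python
"""Minimal FreeIPA JSON-RPC client authenticating with a Kerberos keytab.
Added example; all values below are placeholders, not from the thread."""
import json
import subprocess

IPA_SERVER = "ipa.example.test"                      # placeholder
KEYTAB = "/run/secrets/myapp.keytab"                 # placeholder: file mounted into the container
PRINCIPAL = "myapp/apphost.example.test@EXAMPLE.TEST"  # placeholder service principal
API_VERSION = "2.245"                                # placeholder: pin to the server version you tested


def kinit_from_keytab(principal=PRINCIPAL, keytab=KEYTAB):
    """Obtain a TGT non-interactively; no password is stored, only the keytab file."""
    subprocess.run(["kinit", "-kt", keytab, principal], check=True)


def build_request(method, args=(), **options):
    """Build the JSON-RPC body FreeIPA expects: a positional-args list, then an options dict."""
    options.setdefault("version", API_VERSION)
    return {"id": 0, "method": method, "params": [list(args), options]}


def check_response(body):
    """FreeIPA returns HTTP 200 even on failure; the 'error' member carries code/message."""
    err = body.get("error")
    if err:
        raise RuntimeError(f"IPA error {err.get('code')}: {err.get('message')}")
    return body["result"]


def ipa_call(method, args=(), **options):
    """Log in with the current Kerberos ticket, then issue one JSON-RPC call."""
    import requests                            # imported here so the pure helpers work without it
    from requests_gssapi import HTTPSPNEGOAuth  # assumed third-party dependency
    base = f"https://{IPA_SERVER}/ipa"
    s = requests.Session()
    # The Referer header is required by the IPA web framework; it rejects requests without it.
    s.headers.update({"Referer": base, "Accept": "application/json"})
    r = s.post(f"{base}/session/login_kerberos", auth=HTTPSPNEGOAuth())
    r.raise_for_status()                       # session cookie is now stored in s
    r = s.post(f"{base}/session/json", json=build_request(method, args, **options))
    r.raise_for_status()
    return check_response(r.json())


if __name__ == "__main__":
    kinit_from_keytab()
    print(json.dumps(ipa_call("vault_show", ["app-secret"]), indent=2))  # placeholder vault name
```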
I would not recommend using a docker container that impersonates the host it's running on, but then I'd also not recommend enrolling every docker instance that ever gets started.
Well, that's exactly the point. I think there is no "nicer" solution for
this really, without the need to enroll each and every docker container (which is a bad
idea, especially when there are ephemeral containers that come and go), and all this just
to be able to read a secret stored in a Vault.
I am not exactly impersonating the parent host... only partially. I create an IPA service
(which is bound to the parent host indeed, until we get host-independent IPA services -
supported in future FreeIPA releases) and I get a keytab for it. Strictly speaking, my
container just authenticates to the IPA as that particular service. And ideally this would
not require any hack. All the hacks are required only because otherwise neither Kerberos
nor ipa client work from within the container without it in our current release...
I think a similar question was asked on this list a few weeks ago, have you checked the recent archives?

John
I think that was my own question actually =) The answer there was generic (but so was my
question at that stage). Since then - I've implemented this method with keytab and IPA
service, and made it work, except that the ipa client is still reluctant to work... I was
hoping just to use it instead of developing our own wrapper for REST API.
I saw this thread where it seems to be possible, but somehow it doesn't work for me...
https://pagure.io/freeipa/issue/6389