eigenstate-ipa

eigenstate.ipa

eigenstate.ipa is an Ansible collection for Red Hat IdM / FreeIPA. It treats IdM as a live automation system of record for inventory, secrets, Kerberos material, certificates, DNS, and access policy instead of forcing those surfaces into separate inventory files, ad hoc shell scripts, or external stores.

Current release: 1.10.3

Start Here

Use the collection-wide pages in this order when you are orienting yourself:

DOCUMENTATION MAP for reading order and problem-based navigation
VAULT/CYBERARK PRIMER if you are translating Vault or CyberArk expectations into an IdM-native model
OPENSHIFT ECOSYSTEM PRIMER if OpenShift, RHOSO, or adjacent platform products already sit on top of IdM-backed trust and the question is the workflow around the platform
AAP INTEGRATION if the workflow runs in Controller or an execution environment
ROTATION CAPABILITIES if the question is scheduled lifecycle management rather than one lookup call
EPHEMERAL ACCESS CAPABILITIES if the question is temporary access or lease-like behavior inside IdM

How The Docs Work

Every plugin area uses the same three-page shape:

plugin pages for exact syntax, auth behavior, return data, and option details
capabilities pages for decision boundaries and operational fit
use cases pages for worked playbook patterns and cross-plugin flow

That split is intentional. The reference pages should stay precise. The capability pages should answer “is this the right boundary?” The use-case pages should show how the pieces combine without restating the full reference.

High-Value Workflows

These are the combinations that matter most in practice and are worth reading as workflows rather than as isolated plugins.

Workflow	Main combination	Start here
Identity-driven targeting	`idm` inventory + host metadata + HBAC-backed grouping	Inventory Use Cases
Service onboarding	`principal` pre-flight + `keytab` retrieval + optional `cert` issuance	Principal Use Cases
TLS bootstrap and renewal	`cert` + `vault_write` for private key archival + `vault` retrieval	Cert Use Cases
Static secret lifecycle	`vault_write` mutation + `vault` retrieval + AAP scheduling	Rotation Use Cases
Lease-like temporary access	`user_lease` for delegated temporary users or `principal` + `keytab` retirement for machine identity	Ephemeral Access Capabilities
Host enrollment	`otp` bootstrap + official IdM enrollment modules + `principal` verification	OTP Use Cases
Policy validation before change	`hbacrule` + `selinuxmap` + `sudo` + optional `dns`/`principal` checks	AAP Integration
Sealed artifact delivery	`cert` recipient + `vault_write` archive + `vault` retrieval	Vault Use Cases
OpenShift platform workflows	Keycloak + IdM trust + AAP workflows for break-glass, guest enrollment, RHOSO operator paths, RHOSO tenant onboarding, RHACM remediation, RHACS response paths, Quay automation, and service onboarding	OpenShift Ecosystem Primer

Plugin Families

Area	Reference	Capabilities	Use cases
Inventory	Inventory Plugin	Inventory Capabilities	Inventory Use Cases
Vault retrieval	Vault Plugin	Vault Capabilities	Vault Use Cases
Vault lifecycle	Vault Write Module	Vault Write Capabilities	Vault Write Use Cases
Principal state	Principal Plugin	Principal Capabilities	Principal Use Cases
Keytabs	Keytab Plugin	Keytab Capabilities	Keytab Use Cases
User lease	User Lease Module	User Lease Capabilities	User Lease Use Cases
Certificates	Cert Plugin	Cert Capabilities	Cert Use Cases
OTP and enrollment	OTP Plugin	OTP Capabilities	OTP Use Cases
DNS state	DNS Plugin	DNS Capabilities	DNS Use Cases
SELinux maps	SELinux Map Plugin	SELinux Map Capabilities	SELinux Map Use Cases
Sudo policy	Sudo Plugin	Sudo Capabilities	Sudo Use Cases
HBAC rules	HBAC Rule Plugin	HBAC Rule Capabilities	HBAC Rule Use Cases

Collection-Wide Guides

VAULT/CYBERARK PRIMER explains where the collection overlaps with Vault or CyberArk and where it does not
OPENSHIFT ECOSYSTEM PRIMER frames the collection for OpenShift-adjacent estates using Keycloak and IdM-backed trust
OPENSHIFT OPERATOR USE CASES focuses on cluster-admin and OpenShift Virtualization workflows
OPENSHIFT RHOSO USE CASES frames the RHOSO branch around cloud-operator and tenant identity boundaries
RHOSO OPERATOR USE CASES focuses on operator maintenance windows, data-plane host access, and supporting cloud services
RHOSO TENANT USE CASES focuses on tenant identity separation, delegated interventions, and tenant-facing service onboarding
OPENSHIFT RHACM USE CASES focuses on RHACM policy events and cluster lifecycle hooks
OPENSHIFT RHACS USE CASES focuses on RHACS findings, enforcement, and identity-aware response workflows
OPENSHIFT QUAY USE CASES focuses on Quay identity, mirroring, repository notifications, and registry onboarding workflows
OPENSHIFT DEVELOPER USE CASES focuses on app-team onboarding and developer-facing platform workflows
AAP INTEGRATION explains execution-environment dependencies, non-interactive auth, and controller-side patterns
ROTATION CAPABILITIES explains the collection-wide rotation model for static assets
ROTATION USE CASES shows scheduled workflows built from the collection primitives
EPHEMERAL ACCESS CAPABILITIES explains IdM-native lease-like temporary access patterns for users and Kerberos principals

Best Fit

This collection fits best when:

IdM or FreeIPA already exists and should remain the source of truth
Kerberos-authenticated controller-side automation is preferable to external token systems
the workflow is static-secret retrieval, keytabs, certs, DNS, identity-aware inventory, or access-policy validation
AAP is available for scheduling, approvals, credential injection, and repeatable execution environments

For the repository overview and install path, return to TOP README.

This site is open source. Improve this page.