An Ansible collection for Red Hat IdM / FreeIPA with dynamic inventory and IdM vault lookup plugins for Kerberos-friendly automation, AAP, and secure secret retrieval.
eigenstate is a nod to the quantum-mechanical idea of a stable observable
state. In practice, the collection assumes IdM already knows what the estate
looks like and what secrets it should hand out. The Ansible side should consume
that state directly instead of maintaining a parallel copy in static inventory
files and side-channel secret stores.
The GitHub repository name is eigenstate-ipa; the Ansible collection name is
eigenstate.ipa.
- Why This Collection Exists
- What The Collection Contains
- Start Here
- Quick Install
- Repository Layout
- Author
- License
Ansible already has strong support for managing IdM objects. The missing piece has been consuming IdM as an input system:
- dynamic inventory from enrolled IdM hosts, hostgroups, netgroups, and HBAC policy
- secret retrieval from IdM vaults without copying those values into Git or inventory vars
Without those two paths, operators usually end up with:
- static inventory that drifts from the enrollment reality
- policy data duplicated outside the identity platform
- credentials copied into other stores because automation cannot read IdM vaults
This collection closes that gap with one inventory plugin and one lookup plugin.
At a high level:
- eigenstate.ipa.idm reads IdM hosts, hostgroups, netgroups, and HBAC rules and turns them into Ansible inventory
- eigenstate.ipa.vault uses ipalib to retrieve, inspect, and search IdM vault content for playbooks and AAP jobs
| Plugin | Type | FQCN | Purpose |
|---|---|---|---|
| IdM inventory | inventory | eigenstate.ipa.idm | Builds live inventory from IdM-enrolled hosts and policy-backed group relationships |
| IdM vault | lookup | eigenstate.ipa.vault | Retrieves vault payloads, inspects metadata, and searches vault scopes in IdM |
If you want the project map and reading order, open DOCS MAP.
If you are deciding whether the collection fits your use case, start with:
If you are wiring the plugins into actual automation, start with:
```bash
ansible-galaxy collection install eigenstate-ipa-1.0.3.tar.gz
```

Verify:

```bash
ansible-doc -t inventory eigenstate.ipa.idm
ansible-doc -t lookup eigenstate.ipa.vault
```

Note:
The inventory plugin talks to the IdM JSON-RPC API and can use either
password authentication or Kerberos with an optional keytab. The vault plugin
uses ipalib and therefore depends on the local IdM client Python libraries
being available on the control node or execution environment.
| Path | Purpose |
|---|---|
| plugins/inventory/idm.py | Dynamic inventory plugin for hosts, hostgroups, netgroups, and HBAC rules |
| plugins/lookup/vault.py | Lookup plugin for IdM vault retrieval |
| docs/ | Operator and maintainer documentation aligned with the collection interface |
| scripts/validate-collection.sh | Lightweight repo validation for YAML, plugin syntax, and collection build hygiene |
| Makefile | Wrapper for repo validation targets |
| llms.txt | Project-level navigation file for model consumers |
| CITATION.cff | Citation metadata for GitHub and downstream tooling |
| CHANGELOG.md | Release-history placeholder for Galaxy and repo hygiene |
| meta/runtime.yml | Collection runtime metadata |
Greg Procunier
GPL-3.0-or-later. See COPYING.