{"id":47865012,"url":"https://github.com/gprocunier/eigenstate-ipa","last_synced_at":"2026-05-17T03:15:59.416Z","repository":{"id":349035042,"uuid":"1200803279","full_name":"gprocunier/eigenstate-ipa","owner":"gprocunier","description":"Ansible collection for Red Hat IdM / FreeIPA with live inventory, Kerberos, secrets, policy, and OpenShift ecosystem workflows for AAP.","archived":false,"fork":false,"pushed_at":"2026-04-16T18:26:14.000Z","size":1663,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-16T20:26:52.205Z","etag":null,"topics":["ansible-automation-platform","certificate-management","dns","dynamic-inventory","freeipa","hbac","kerberos","keycloak","keytab","openshift","openshift-virtualization","otp","quay","red-hat-idm","rhacm","rhacs","selinux","sudo","user-lease","vault"],"latest_commit_sha":null,"homepage":"https://gprocunier.github.io/eigenstate-ipa/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gprocunier.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-03T21:03:36.000Z","updated_at":"2026-04-16T18:26:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/gprocunier/eigenstate-ipa","commit_stats":null,"previous_names":["gprocunier/eigenstate-ipa"],"tags_count":33,"template":false,"template_full_name":null,"purl":"pkg:github/gprocunier/eigenstate-ipa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gprocunier%2Feigenstate-ipa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gprocunier%2Feigenstate-ipa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gprocunier%2Feigenstate-ipa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gprocunier%2Feigenstate-ipa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gprocunier","download_url":"https://codeload.github.com/gprocunier/eigenstate-ipa/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gprocunier%2Feigenstate-ipa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32320686,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible-automation-platform","certificate-management","dns","dynamic-inventory","freeipa","hbac","kerberos","keycloak","keytab","openshift","openshift-virtualization","otp","quay","red-hat-idm","rhacm","rhacs","selinux","sudo","user-lease","vault"],"created_at":"2026-04-04T00:03:54.900Z","updated_at":"2026-05-17T03:15:59.410Z","avatar_url":"https://github.com/gprocunier.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# eigenstate.ipa\n\n**An Ansible collection for Red Hat IdM / FreeIPA with live inventory, IdM\nvault retrieval, KRA-aware vault diagnostics, vault artifact custody,\nKerberos principal state, keytab\ndelivery, certificate automation, OTP workflows, DNS inspection, sudo\ninspection, sudo risk classification, SELinux map inspection, HBAC\ninspection/testing, access-path preflight summaries, AAP execution\nenvironment support, OpenShift/Kubernetes render-first workflows, temporary\naccess boundaries, and read-only operational evidence.**\n\n[![License: GPL-3.0](https://img.shields.io/github/license/gprocunier/eigenstate-ipa)](COPYING)\n![Ansible 2.15+](https://img.shields.io/badge/Ansible-2.15%2B-blue)\n![FreeIPA 4.6+](https://img.shields.io/badge/FreeIPA-4.6%2B-blue)\n![RHEL](https://img.shields.io/badge/RHEL-9%20%7C%2010-red)\n\n\u003ca href=\"https://gprocunier.github.io/eigenstate-ipa/\"\u003e\u003ckbd\u003e\u0026nbsp;\u0026nbsp;DOCS HOME\u0026nbsp;\u0026nbsp;\u003c/kbd\u003e\u003c/a\u003e\n\u003ca href=\"https://gprocunier.github.io/eigenstate-ipa/start.html\"\u003e\u003ckbd\u003e\u0026nbsp;\u0026nbsp;START HERE\u0026nbsp;\u0026nbsp;\u003c/kbd\u003e\u003c/a\u003e\n\u003ca href=\"https://gprocunier.github.io/eigenstate-ipa/reference/\"\u003e\u003ckbd\u003e\u0026nbsp;\u0026nbsp;REFERENCE\u0026nbsp;\u0026nbsp;\u003c/kbd\u003e\u003c/a\u003e\n\n`eigenstate.ipa` treats IdM as live automation state where IdM is already the\nright authority: hosts, groups, vaults, Kerberos principals, certificates, DNS,\nsudo, HBAC, SELinux maps, and user expiry attributes.\n\nThe repository name is `eigenstate-ipa`; the Ansible collection name is\n`eigenstate.ipa`.\n\n## What The Collection Contains\n\n| Surface | FQCN or path | Purpose |\n| --- | --- | --- |\n| Inventory | `eigenstate.ipa.idm` | Build live Ansible inventory from IdM host and policy state with normalized host attribute metadata. |\n| Lookups | `eigenstate.ipa.vault`, `principal`, `keytab`, `cert`, `otp`, `dns`, `selinuxmap`, `sudo`, `hbacrule` | Read vault, Kerberos, certificate, OTP, DNS, sudo, SELinux map, and HBAC state. |\n| Modules | `eigenstate.ipa.vault_write`, `vault_health`, `vault_artifact`, `access_path`, `keytab_manage`, `cert_request`, `user_lease` | Mutate narrow IdM boundaries explicitly, check vault/KRA health, manage generic vault artifact custody, and summarize access-path readiness. |\n| Filters | `ensure_list`, `normalize_attribute`, `attribute_type`, `sudo_risk`, `classify_sudo_rule` | Normalize IdM attribute shapes and classify sudo policy risk in playbooks. |\n| Roles | `roles/` | AAP EE, OpenShift identity validation, workload Secret rendering, temporary access, and reports. |\n| Playbooks | `playbooks/` | Wrapper playbooks for common role workflows. |\n| Execution environment | `execution-environment/eigenstate-idm/` | Ready-to-build AAP runtime scaffold for IdM-backed automation. |\n| Tests | `tests/` | Unit, role-structure, argument-spec, secret-safety, compatibility, and integration fixtures. |\n\n## Documentation\n\nThe public docs now use Diataxis:\n\n- [Tutorials](https://gprocunier.github.io/eigenstate-ipa/tutorials/) teach the\n  main flows safely.\n- [How-to guides](https://gprocunier.github.io/eigenstate-ipa/how-to/) complete\n  production tasks.\n- [Reference](https://gprocunier.github.io/eigenstate-ipa/reference/) gives\n  exact options, return shapes, roles, playbooks, schemas, and support facts.\n- [Explanation](https://gprocunier.github.io/eigenstate-ipa/explanation/)\n  describes architecture, authority boundaries, non-goals, and risks.\n\n## Install\n\nInstall a built collection artifact:\n\n```bash\nansible-galaxy collection install eigenstate-ipa-1.18.0.tar.gz\n```\n\nVerify the main surfaces you plan to use:\n\n```bash\nansible-doc -t inventory eigenstate.ipa.idm\nansible-doc -t lookup eigenstate.ipa.vault\nansible-doc -t lookup eigenstate.ipa.keytab\nansible-doc -t module eigenstate.ipa.keytab_manage\nansible-doc -t module eigenstate.ipa.vault_write\nansible-doc -t module eigenstate.ipa.vault_health\nansible-doc -t module eigenstate.ipa.vault_artifact\nansible-doc -t module eigenstate.ipa.access_path\nansible-doc -t module eigenstate.ipa.cert_request\nansible-doc -t module eigenstate.ipa.user_lease\nansible-doc -t filter eigenstate.ipa.sudo_risk\n```\n\n## Boundaries\n\n- IdM remains the authority for IdM records.\n- The collection reads, renders, validates, or mutates through explicit Ansible\n  surfaces.\n- AAP orchestrates jobs and records evidence; it is not the identity authority.\n- Kubernetes and OpenShift enforce only after reviewed configuration is applied.\n- Reports are evidence artifacts, not remediation.\n\nThis project does not claim that IdM replaces a general-purpose vault, PAM\nsuite, or dynamic secret-lease system.\n\n## License\n\nGPL-3.0-or-later. See [COPYING](COPYING).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgprocunier%2Feigenstate-ipa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgprocunier%2Feigenstate-ipa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgprocunier%2Feigenstate-ipa/lists"}