controller_credentials.yml

In these files we configure the credentials for automation controller.
We will probably do this in the global configuration (ALL).

variables

The API understands the following structure for credentials:

{
    "name": "",
    "description": "",
    "organization": null,
    "credential_type": null,
    "inputs": {},
    "user": null,
    "team": null
}

Below you will find some examples of the usage in configuration as code.

group_vars/all/controller_credentials.yml

Here we see an example of the configuration for a credential to access GitLab.

---
controller_credentials_all:

  - name: gitlab
    description:
    credential_type: Source Control
    organization: MGT
    inputs:
      ssh_key_data: |
            -----BEGIN OPENSSH PRIVATE KEY-----
            -----END OPENSSH PRIVATE KEY-----
      username: AAP_user

You can already see that the variable name used here has the "_all" extension, so the variable will not be overridden, as this is not quite an inventory.
Why we do this will become clear in a moment.

group_vars/dev/controller_credentials.yml

We configure the private hub credentials in development.
These will be used by all organizations.

---
controller_credentials_dev:
  - name: Default_automation_hub_image_pull_secret
    description:
    credential_type: Container Registry
    organization: Default
    inputs:
      host: <rhaap_hostname>
      username: <vaulted_user>
      password: <vaulted_password>
      verify_ssl: false  # disables TLS certificate verification for this registry host

  - name: Default_automation_hub_token_published
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
    inputs:
      auth_url: ''
      token: "{{ ah_token['token'] }}"
      url: 'https://<rhaap_fqdn>/pulp_ansible/galaxy/published/'
    update_secrets: true

  - name: Default_automation_hub_token_community
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
    inputs:
      auth_url: ''
      token: "{{ ah_token['token'] }}"
      url: 'https://<rhaap_fqdn>/pulp_ansible/galaxy/community/'
    update_secrets: true

  - name: Default_automation_hub_token_rh_certified
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
    inputs:
      auth_url: ''
      token: "{{ ah_token['token'] }}"
      url: 'https://<rhaap_fqdn>/pulp_ansible/galaxy/rh-certified/'
    update_secrets: true

  - name: Default_automation_hub_token_validated
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
    inputs:
      auth_url: ''
      token: "{{ ah_token['token'] }}"
      url: 'https://<rhaap_fqdn>/pulp_ansible/galaxy/validated/'
    update_secrets: true
...

Here the variable has the "_dev" extension, so the variable will not be overridden.

group_vars/prod/controller_credentials.yml

As we do not configure extra credentials in prod, this file is an empty set.

---
controller_credentials_prod: []
  # No extra config exists 
  # For prod, you should add the tokens as in dev here
...

Here the variable has the "_prod" extension, so the variable will not be overridden.

When we run a pipeline for a certain environment, the inventory structure will provide us with 2 variables:

- controller_credentials_all
- controller_credentials_

We will merge these 2 variables into 1: controller_credentials and feed this to the infra.aap_configuration.controller_credentials role.
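
The merge described above, as an added example (not the project's own playbook). It assumes a hypothetical extra variable `env` supplied by the pipeline, a target host that sits in that environment's inventory group so both group_vars files load, and controller connection variables set elsewhere.

```yaml
---
# Added example: merge the global and per-environment credential lists.
# 'env' is an assumed variable; the pipeline would normally pass it (-e env=dev).
- name: Configure automation controller credentials
  hosts: localhost          # assumption: listed in the environment group
  connection: local
  gather_facts: false
  vars:
    env: dev                # assumption: overridden by the pipeline
  tasks:
    - name: Merge controller_credentials_all with the environment list
      ansible.builtin.set_fact:
        controller_credentials: >-
          {{ (controller_credentials_all | default([]))
             + lookup('ansible.builtin.vars',
                      'controller_credentials_' ~ env, default=[]) }}
      no_log: true          # the merged list carries keys, passwords and tokens

    - name: Fail when a credential name appears in both lists
      vars:
        cred_names: "{{ controller_credentials | map(attribute='name') | list }}"
      ansible.builtin.assert:
        that:
          - cred_names | length == cred_names | unique | length
        fail_msg: "Duplicate credential name in the merged list for {{ env }}"
        quiet: true

    - name: Apply the merged list with the role
      ansible.builtin.include_role:
        name: infra.aap_configuration.controller_credentials
```

An environment without its own list (or with `[]`, as in prod) simply yields the global entries.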
