controller_credentials.yml

In these files we configure the credentials for automation controller. Most of them belong in the global configuration (all).
You will see a small difference in the lookup credential (the namespace): it determines whether a secret value is read from the production or the development path in the vault.

group_vars/all/controller_credentials.yml

Here we see an example of the configuration for a credential to access GitLab. All secrets are read from the external vault, so no inputs are defined here; the secret values are attached through controller_credential_input_sources.yml.
As a team may have devices or applications that require additional users or passwords, those credentials can also be configured here for the organization. They are owned by that organization and are not shared with other teams.

---
controller_credentials_all:

  - name: ORG_NEW_gitlab
    description:
    credential_type: Source Control
    organization: ORG_NEW

  - name: ORG_NEW_extra_user
    credential_type: OS user
    organization: ORG_NEW

Note that the variable name used here has the "_all" suffix. Ansible does not merge a variable that is defined in both group_vars/all and a more specific group such as group_vars/dev: the more specific definition replaces the whole value. Giving each level its own variable name avoids that.
Why we want both lists will become clear in a moment.

group_vars/dev/controller_credentials.yml

In development we configure a lookup credential; it is referenced by the input sources in controller_credential_input_sources.yml. If there is no vault, you can omit it. Two things to keep in mind: vault_token is itself a secret and must come from a protected source (for example an ansible-vault encrypted file or a pipeline secret), never from a plain-text group_vars file; and the namespace input only applies to Vault Enterprise, since namespaces are an Enterprise feature.

---
controller_credentials_dev:

  - name: ORG_vault
    description: Org Specific Vault Secret Lookup
    organization: ORG
    credential_type: HashiCorp Vault Secret Lookup
    inputs:
      url: <url_to_vault>
      token: "{{ vault_token }}"
      namespace: "dev/{{ org_name }}"
      api_version: v1
      default_auth_path: token

...

Here the variable has the "_dev" suffix, so it does not collide with the global "_all" list and is not overridden by it.

group_vars/prod/controller_credentials.yml

---
controller_credentials_prod:

  - name: ORG_vault
    description: Org Specific Vault Secret Lookup
    organization: ORG
    credential_type: HashiCorp Vault Secret Lookup
    inputs:
      url: <url_to_vault>
      token: "{{ vault_token }}"
      namespace: "prod/{{ org_name }}"
      api_version: v1
      default_auth_path: token

...

Here the variable has the "_prod" suffix, so it does not collide with the global "_all" list and is not overridden by it.

When we run a pipeline for a certain environment, the inventory structure provides us with two variables:
- controller_credentials_all (from group_vars/all)
- controller_credentials_dev or controller_credentials_prod (from the group_vars directory of the environment the host belongs to)

We merge these two variables into one, controller_credentials, and feed it to the infra.aap_configuration.controller_credentials role.
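As an added example (not code from the original page or from the infra.aap_configuration collection), here is a play that performs that merge, checks the result, and hands it to the role. It assumes a host group named controller whose host is also in exactly one of the dev or prod groups, and that vault_token is loaded from an ansible-vault encrypted vars file; those names are assumptions, not taken from the page.

```yaml
---
# Added example, not taken from the original page or from the
# infra.aap_configuration collection: build controller_credentials from the
# "_all" list and the environment-specific list, check it, then run the role.
# Assumptions (not in the original page): the controller host is in a group
# called "controller" and in exactly one of the "dev" or "prod" groups, and
# vault_token is defined from an ansible-vault encrypted vars file.
- name: Configure automation controller credentials
  hosts: controller
  gather_facts: false
  connection: local
  pre_tasks:
    - name: Determine the environment from the host's group membership
      ansible.builtin.set_fact:
        target_env: "{{ group_names | intersect(['dev', 'prod']) }}"

    - name: Refuse to run unless the host is in exactly one environment group
      ansible.builtin.assert:
        that: target_env | length == 1
        fail_msg: "Expected exactly one of dev/prod in group_names, got {{ target_env }}"

    # Ansible replaces, rather than merges, a variable defined at two levels,
    # so the two lists are concatenated here by name. The vars lookup returns
    # [] when the environment-specific list is absent (for example no vault).
    # no_log keeps the resolved vault token out of verbose output.
    - name: Merge the global list with the environment-specific list
      ansible.builtin.set_fact:
        controller_credentials: >-
          {{ controller_credentials_all | default([])
             + lookup('ansible.builtin.vars',
                      'controller_credentials_' ~ target_env[0], default=[]) }}
      no_log: true

    # Two entries with the same name would be applied to the controller one
    # after the other, the later one winning; fail early instead.
    - name: Credential names must be unique across the merged list
      ansible.builtin.assert:
        that: >-
          controller_credentials | map(attribute='name') | list | length
          == controller_credentials | map(attribute='name') | unique | list | length
        fail_msg: "Duplicate credential names in controller_credentials"

  roles:
    - infra.aap_configuration.controller_credentials
```

The vars lookup with default=[] covers the case where no vault is used and controller_credentials_dev is never defined, so the play still runs with the global list alone. The uniqueness check is stricter than the controller itself requires, but it keeps the two lists unambiguous. The role's own connection variables (controller hostname and credentials) are expected to come from the inventory as documented by the collection.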
