controller_credential_input_sources.yml
In these files we configure the credential input sources for automation controller: the mappings that tell a target credential to pull one of its fields from an external secret store at run time.
We do this in the global configuration (ALL) only. The source credential used to reach the vault already determines which environment's secrets are fetched,
so the mappings do not have to be repeated for each environment separately, and only the "all" variable carries definitions.
variables
The API gives us the following structure to fill in our configuration:
{
  "description": "",
  "input_field_name": "",
  "metadata": {},
  "target_credential": null,
  "source_credential": null
}
group_vars/all/controller_credential_input_sources.yml
Here we see an example of the configuration for credential fields mapped to the HashiCorp Vault source credential (Default_hashivault).
---
controller_credential_input_sources_all:
  - source_credential: Default_hashivault
    target_credential: gitlab
    input_field_name: username
    description: Fill the gitlab username from HashiCorp Vault
    metadata:
      secret_backend: kv
      secret_path: data/gitlab
      auth_path: token
      secret_key: username
  - source_credential: Default_hashivault
    target_credential: gitlab
    input_field_name: ssh_key_data
    description: Fill the gitlab ssh_key from HashiCorp Vault
    metadata:
      secret_backend: kv
      secret_path: data/gitlab
      auth_path: token
      secret_key: ssh_private_key
  - source_credential: Default_hashivault
    target_credential: ansible
    input_field_name: ssh_key_data
    description: Fill the ansible ssh_key from HashiCorp Vault
    metadata:
      secret_backend: kv
      secret_path: data/ansible
      auth_path: token
      secret_key: ssh_private_key
  - source_credential: Default_hashivault
    target_credential: ansible
    input_field_name: username
    description: Fill the ansible username from HashiCorp Vault
    metadata:
      secret_backend: kv
      secret_path: data/ansible
      auth_path: token
      secret_key: username
  - source_credential: Default_hashivault
    target_credential: ansible
    input_field_name: become_method
    description: Fill the ansible become method from HashiCorp Vault
    metadata:
      secret_backend: kv
      secret_path: data/ansible
      auth_path: token
      secret_key: become_method
  - source_credential: Default_hashivault
    target_credential: ansible
    input_field_name: become_password
    description: Fill the ansible become password from HashiCorp Vault
    metadata:
      secret_backend: kv
      secret_path: data/ansible
      auth_path: token
      secret_key: become_password
  - source_credential: Default_hashivault
    target_credential: ansible
    input_field_name: ssh_key_unlock
    description: Fill the ansible key passphrase from HashiCorp Vault
    metadata:
      secret_backend: kv
      secret_path: data/ansible
      auth_path: token
      secret_key: passphrase
...
Note that the variable name carries the "_all" suffix, so it is never overridden by a group-specific variable of the same name: it is not a plain inventory variable but one half of a merge.
Why we do this will become clear in a moment.
group_vars/dev/controller_credential_input_sources.yml
As we do not configure extra credential input sources in development, this file holds an empty list.
---
controller_credential_input_sources_dev: []
# As we configured dev with fixed credentials, there is no need for input_sources.
...
Here the variable has the "_dev" suffix, so it too will not be overridden.
group_vars/prod/controller_credential_input_sources.yml
Although prod is the environment whose credentials come from the external vault, the mappings for it already live in controller_credential_input_sources_all, where each credential field carries its own metadata block.
Nothing extra is therefore defined here and the list is empty.
---
controller_credential_input_sources_prod: []
# No definition here
...
Here the variable has the "_prod" suffix, so it too will not be overridden.
When we run a pipeline for a certain environment, the inventory structure provides us with two variables:
- controller_credential_input_sources_all
- controller_credential_input_sources_<branch_name>, where branch_name is the environment being deployed (dev or prod)
We combine these two variables into one, controller_credential_input_sources, and feed it to the infra.aap_configuration.controller_credential_input_sources role.
In main.yml the two variables are combined by this task:
- name: Set the controller vars
  ansible.builtin.set_fact:
    controller_credential_input_sources: >-
      {{ controller_credential_input_sources_all
         + vars['controller_credential_input_sources_' + branch_name] }}
This results in the controller_credential_input_sources variable the collection needs.
A caveat on the merge: do not combine these lists with community.general.lists_mergeby keyed on target_credential (for example lists_mergeby(vars['controller_credential_input_sources_' + branch_name], 'target_credential', recursive=true, list_merge='append')). That filter merges every item that shares the same value of the key attribute into a single dictionary, within one list as well as across lists, and returns the result sorted by that key. Several input sources legitimately share a target_credential (gitlab has two entries above, ansible has five), so the filter would collapse them to one entry per credential, with the last entry's input_field_name and secret_key winning, and the other fields of those credentials would silently never be filled from the vault. Input sources are unique on the pair (target_credential, input_field_name), not on target_credential alone, which is why plain list concatenation is used here.
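As an added example, not code from this page or from the infra.aap_configuration collection, the following Python re-implements the merge semantics of community.general.lists_mergeby (one bucket per value of the key attribute, items merged into it with a recursive dictionary merge and list append, output sorted by the key) and runs it over the seven input sources defined in group_vars/all above, next to plain list concatenation. It shows that merging on target_credential collapses the list to one entry per credential and drops the rest. The prod entry for become_username is a constructed, hypothetical addition used only to show what happens when an environment list is non-empty.

```python
"""Demonstrate why lists_mergeby keyed on target_credential loses input sources.

Added example: a stand-alone mimic of community.general.lists_mergeby,
not the collection's own code. Run with: python3 mergeby_demo.py
"""
from collections import defaultdict
from copy import deepcopy


def merge_hash(a, b, recursive=True, list_merge="append"):
    """Mimic ansible's merge_hash for the options used on the page
    (recursive=true, list_merge='append'): dicts merge key by key,
    lists are appended, everything else is replaced by the right-hand value."""
    result = deepcopy(a)
    for key, b_value in b.items():
        a_value = result.get(key)
        if recursive and isinstance(a_value, dict) and isinstance(b_value, dict):
            result[key] = merge_hash(a_value, b_value, recursive, list_merge)
        elif list_merge == "append" and isinstance(a_value, list) and isinstance(b_value, list):
            result[key] = a_value + b_value
        else:
            result[key] = deepcopy(b_value)
    return result


def lists_mergeby(*lists, index, recursive=True, list_merge="append"):
    """Same algorithm as community.general.lists_mergeby: every item of every
    input list is merged into the bucket for its value of `index`, so items that
    share that value, even inside a single list, end up as one dictionary.
    The result is sorted by `index`, as the real filter does."""
    buckets = defaultdict(dict)
    for lst in lists:
        for item in lst:
            if index in item:
                buckets[item[index]] = merge_hash(buckets[item[index]], item, recursive, list_merge)
    return sorted(buckets.values(), key=lambda d: d[index])


def mapping(target, field, secret_key, path):
    """Build one input-source entry in the shape used in group_vars/all."""
    return {
        "source_credential": "Default_hashivault",
        "target_credential": target,
        "input_field_name": field,
        "description": f"Fill the {target} {field} from HashiCorp Vault",
        "metadata": {"secret_backend": "kv", "secret_path": path,
                     "auth_path": "token", "secret_key": secret_key},
    }


# Constructed sample data: the seven entries of controller_credential_input_sources_all.
SOURCES_ALL = [
    mapping("gitlab", "username", "username", "data/gitlab"),
    mapping("gitlab", "ssh_key_data", "ssh_private_key", "data/gitlab"),
    mapping("ansible", "ssh_key_data", "ssh_private_key", "data/ansible"),
    mapping("ansible", "username", "username", "data/ansible"),
    mapping("ansible", "become_method", "become_method", "data/ansible"),
    mapping("ansible", "become_password", "become_password", "data/ansible"),
    mapping("ansible", "ssh_key_unlock", "passphrase", "data/ansible"),
]
# Hypothetical prod-only entry (not on the page) standing in for
# controller_credential_input_sources_prod when it is non-empty.
SOURCES_PROD = [
    mapping("ansible", "become_username", "become_username", "data/ansible"),
]


def field_map(entries):
    """target_credential -> sorted list of input_field_names that will be filled."""
    out = defaultdict(set)
    for e in entries:
        out[e["target_credential"]].add(e["input_field_name"])
    return {k: sorted(v) for k, v in sorted(out.items())}


def dropped_by_mergeby(all_sources, env_sources):
    """(target, field) pairs present in the inputs but missing after lists_mergeby."""
    wanted = {(e["target_credential"], e["input_field_name"]) for e in all_sources + env_sources}
    merged = lists_mergeby(all_sources, env_sources, index="target_credential")
    kept = {(e["target_credential"], e["input_field_name"]) for e in merged}
    return sorted(wanted - kept)


if __name__ == "__main__":
    merged = lists_mergeby(SOURCES_ALL, SOURCES_PROD, index="target_credential")
    print("lists_mergeby keeps:", field_map(merged))
    print("dropped mappings:  ", dropped_by_mergeby(SOURCES_ALL, SOURCES_PROD))
    print("concatenation keeps:", field_map(SOURCES_ALL + SOURCES_PROD))
```

Running it prints that lists_mergeby keeps only ssh_key_data for gitlab and become_username for ansible, with six mappings dropped, while concatenation keeps all eight. The same collapse happens when the environment list is empty, because the duplicates are already inside the _all list.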